Caveat 5.19.21
Ep 78 | 5.19.21

Many do not trust their banks and banking apps.

Transcript

Marijus Briedis: We can see that a lot of people don't trust their banks and the banking apps in general.

Dave Bittner: Hello, everyone, and welcome to "Caveat," the CyberWire's privacy, surveillance, law and policy podcast. I'm Dave Bittner. And joining me is my co-host, Ben Yelin from the University of Maryland Center for Health and Homeland Security. Hello, Ben. 

Ben Yelin: Hello, Dave. 

Dave Bittner: On this week's show, Ben discusses a key appeals court case on cell site location information tracking. I take a look at the Biden administration's broadband proposals and why they're giving cable companies heartburn. And later in the show, my conversation with Marijus Briedis from NordVPN. We're going to be looking at their 2021 online banking privacy trends survey. 

Dave Bittner: While this show covers legal topics and Ben is a lawyer, the views expressed do not constitute legal advice. For official legal advice on any of the topics we cover, please contact your attorney. 

Dave Bittner: All right, Ben, we've got some good stories to share this week. Why don't you start things off for us? 

Ben Yelin: So my story comes from a usual suspect. Don't roll your eyes, but I saw it on Professor Orin Kerr's Twitter feed over the weekend. 

Dave Bittner: (Laughter) The secret object of your affection, right? 

Ben Yelin: Yes. So at some point, we will send him royalties, although I'm sure the University of California, Berkeley has taken care of him financially. 

Dave Bittner: Yeah, yeah. 

Ben Yelin: But he alerted me to a really interesting case coming out of the United States Court of Appeals for the 7th Circuit out in the Midwest. And this relates to real-time tracking of cell site location information. So it's a criminal case. The criminal defendant is a guy by the name of Rex Hammond. And he committed a bunch of armed robberies in the Midwest - Michigan and Indiana. 

Ben Yelin: And this is actually a pretty great detective story, if you want to get into it. But basically, he left his weapon behind at one of the stores that he decided to rob. They traced the weapon to the seller. The seller said that he sold the weapon to this guy, Mr. Hammond. And using that information and matching up a description of his car, they were able to figure out who he was. 

Ben Yelin: So they obtained historical cell site location information to determine that he had been present at many of these robberies, but they didn't know where he was at the time they obtained that information. So they asked AT&T, his provider, to give them real-time cell site location information, to have his phone ping - or to track his phone's pinging off cell towers to determine his real-time location. And it turns out that he was in Indiana and was tracked down by local police and arrested, prosecuted. He was charged with federal crimes related to firearms possession. 

Dave Bittner: Wow. 

Ben Yelin: So he's convicted. He's going away for a long time. 

Ben Yelin: He is appealing on the grounds that this search of his cell site location information, particularly the real-time cell site location formation, is an unconstitutional violation of the Fourth Amendment. It was a warrantless search. 

Dave Bittner: That was my next question. Did they get a warrant? 

Ben Yelin: They did not get a warrant. They used a couple of different statutory authorities under Section 2703 of the Stored Communications Act. So there was no warrant. 

Ben Yelin: What Mr. Hammond is arguing is that this case is similar to Carpenter v. United States. And in that case, the Supreme Court held that long-term collection of cell site location information is unacceptable under the Fourth Amendment in the absence of a warrant. And what he's saying here is, the collection of my cell site location information is akin to that type of long-term surveillance we saw in Carpenter. 

Ben Yelin: So there's kind of a disagreement among scholars about how to interpret Carpenter. Some, including Professor Kerr, think that what Carpenter should stand for, at least, is that any time the government wants to use cell site location information, it is of a particular type that it should require a warrant. Just that nature of data collection is invasive enough that it should acquire a warrant. The government and other scholars basically think it all depends on how much data is being collected and how long the defendant was being surveilled. 

Ben Yelin: And the court of appeals here ended up agreeing with the government's perspective. They have upheld the conviction, basically saying that this type of warrantless collection was not a violation of the Fourth Amendment. 

Ben Yelin: And they distinguish it from Carpenter in a couple of ways. For one, in Carpenter, the cell site location information was collected over a period of at least seven days, probably longer - maybe up to a month. And here, the real-time collection only happened for about six hours. So there is sort of a duration difference in the type of collection. 

Ben Yelin: The other is that - and this is a really interesting distinction - they only tracked him on public roads. So at the time that they were surveilling him through the use of cell site location data, so for those six hours, he was in public places. He was out on public roads. He wasn't in somebody's home. He wasn't in his own home. He wasn't trying to conceal himself. And there's a Supreme Court precedent in the case of Knotts v. United States that the government doesn't need a warrant to track you on public thoroughfares, places where you are viewable to law enforcement, potentially. 

Dave Bittner: Right. 

Ben Yelin: So that's the government's argument here - that this is basically a Knotts case instead of a carpenter case. 

Dave Bittner: Interesting. 

Ben Yelin: So it's a really interesting disagreement. I tend to come down with Professor Kerr and other scholars who think you have to draw a bright line. If you're going to say that long-term seven-day cell site location information surveillance would violate the Fourth Amendment, then I think that should per se mean something about all cell site location information collection because otherwise, it gets into this very blurry line-drawing exercise where you don't know, you know - we know a week is sufficient, but we don't know whether six hours is sufficient. 

Dave Bittner: Right. 

Ben Yelin: So what's the cutoff? 

Dave Bittner: Right. 

Ben Yelin: And I think that's just a really difficult standard to try to adhere to. 

Dave Bittner: I have a couple of thoughts and questions for you here. First of all, does it make any difference that when it came to the cell site information, they were not out on a fishing expedition? They had a good sense for who their man was based on other information. They had the gun. They had the person who sold the gun to him. So they had this other information. They were looking for the cell site information initially, basically, for confirmation. You know, we think this is our guy. Hey, can you tell us, was this guy at these locations? To me that's different than them saying, hey, who was at these locations? We don't - we have no idea who our man is. Is there... 

Ben Yelin: So... 

Dave Bittner: What do you think? 

Ben Yelin: Yes, there is a difference. But I don't think the information they had was necessarily enough to establish probable cause, which is the standard to obtain a warrant. What they did have, certainly, was reasonable suspicion, which is the standard to acquire this information via subpoena through the Stored Communications Act. So there is that distinction. They certainly suspected that this guy had committed the robberies, but they did not have hard and fast proof. 

Dave Bittner: Right. 

Ben Yelin: Now, it's certainly better than some of those geolocation cases that we've talked about where, you know, they say, well, who was in the vicinity of the store during the robbery? Let's gather up all that data and then, you know, try and match the phone to a suspect. I feel less bad about it because you're right - there was certainly individualized suspicion here. At the very least, there was strong circumstantial evidence. So I do think that matters. But I think it's worth noting that they didn't have sufficient information to obtain a warrant, which is evidenced by the fact that they did not obtain a warrant to conduct this surveillance. 

Dave Bittner: (Laughter) They knew better than to ask for one. 

Ben Yelin: Exactly. Exactly. 

Dave Bittner: (Laughter) Right. Right. So OK. So then this whole thing of them tracking him with the real-time information when he was on public roads - did they just get lucky there? Did they cherry pick the data? Did they say, ooh, we've got 10 hours of tracking data here - let's just use the six hours when he was on a public road? 

Ben Yelin: It's really hard to say... 

Dave Bittner: Yeah. 

Ben Yelin: ...Because there's actually a dispute among the detectives as to exactly when the cell site location information was being collected. And they did get a little bit lucky because he was traveling in an area that was not his hometown. So the first sighting of Mr. Hammond, after they use the cell site location information, was actually at a Quality Inn parking lot in South Bend, Ind., which is where they first ran the license plate. So yeah, they were lucky because that is a public road. He wasn't trying to conceal himself in his house, for example. Where this kind of gets sticky is we're talking about a method of collection, cell site location information, that - it's not dependent on whether a person is trying to conceal him or herself physically, if you get what I'm saying. 

Dave Bittner: Yeah. 

Ben Yelin: So you can collect cell site location information whether a person is hiding under their, you know, mattress... 

Dave Bittner: Right. 

Ben Yelin: ...Or, you know, strolling in the middle of the street. It's the location that matters, whereas in the Knotts case, which this court refers to repeatedly and is using as its main precedent case, the deciding factor in that case is that this person was driving on public roads the whole time. So I'm just not sure in my mind you can apply that logic when we're talking about cell site location information, which, in my view, is just fundamentally different because it can be collected when you are trying to conceal yourself from public view. 

Dave Bittner: Is this the end of it? Does - can they take it to a next level? Is there a possibility for more appeals here? 

Ben Yelin: So this is the highest level without getting to the U.S. Supreme Court. I will say I'm not sure this is the type of case that's right for Supreme Court review because we're still only a couple of years past the Carpenter decision. And the Supreme Court declined in that decision to rule definitively on real-time cell site location information. That case was specifically about historical cell site location information. You know, at a certain point, the Supreme Court is going to need to clarify exactly what Carpenter means. Did Carpenter mean there is a heightened standard when we're using this specific form of collection? Or does it have to do instead with how long that surveillance was taking place and how much private information it can reveal? I think, eventually, they have to answer that question. I just think it's too early in the post-Carpenter world for them to answer that question at this point. I think they're kind of going to want to see how lower courts have started interpreting these types of cases before they decide to weigh in. 

Dave Bittner: All right. Well, it's an interesting story for sure. And, of course, there's an open invitation to professor Kerr to come on the show to discuss it (laughter). 

Ben Yelin: Always. I will discuss anything. If he wants to discuss, you know, good places to eat Thai food in Berkeley, I'll discuss that with him. 

Dave Bittner: (Laughter) Fair enough. All right. Well, let's move on to my story this week. This comes from the protocol.com website. It's written by Issie Lapowsky. And it's titled "In Biden's Broadband Plan, Cable Is in for the Fight of Its Life." So President Biden, as part of his $2 trillion American Jobs Plan, has put in a proposal for $100 billion for broadband infrastructure. And the folks who are most excited about this are people who have put in community broadband. So these are basically not your cable companies. These are municipalities, sometimes local nonprofit groups who get together. They install their own broadband infrastructure. They provide it very inexpensively or even for free for their communities. And it's sort of coming at it as a community good rather than a profit center, not that there's anything wrong with the cable companies making profits - but just, you know, different ways to come at this issue. 

Ben Yelin: Sure. 

Dave Bittner: Of course, the cable companies are not happy about this proposal because this means... 

Ben Yelin: Those poor cable companies. 

Dave Bittner: (Laughter) This means competition for them. And I don't know, Ben. You know, the cable companies - this article points out the cable companies spent over $7 million lobbying Congress last year against this sort of thing. They have worked hard and have been successful, in many cases, fighting municipal broadband. They claim that it's redundant, that what ends up happening is you build out more capacity where there already is capacity. I suppose one person's capacity is another person's competition. 

Ben Yelin: Right. 

Dave Bittner: (Laughter). But then also that it doesn't - there's a tendency to build out in places where it's easy to build out, which are cities. 

Ben Yelin: Right. 

Dave Bittner: And it's much harder to build out in... 

Ben Yelin: Or certain parts of cities, to be clear. 

Dave Bittner: Certain - yeah, yeah. And it's harder to build out in rural areas because when you're running long cables, you know, when the houses are farther apart, that's harder to run the cables or the fiber to the houses. You know, we've seen some things change over time with this as things like 5G are coming online, where you have truly high-speed wireless that could be accessible to rural communities and. We have even satellite services, Elon Musk's - what is it? Starlink, I believe... 

Ben Yelin: Yep. 

Dave Bittner: ...It's called. That provides a much higher bandwidth than some of the other satellite services that have been available. So again, you know, finally, some real competition out there for folks who - I think it's - for those of us who have the benefit of living in areas where we have access to high-speed broadband. There are plenty of folks out there who still have dial-up, and that's all they've got. And it's hard to imagine being an active participant in the global digital economy at 1,200 baud or whatever (laughter), you know, right? 

Ben Yelin: Yeah, yeah. So a couple of thoughts here. First of all, I will reveal my own biases as a former resident of Baltimore City... 

Dave Bittner: Yeah. 

Ben Yelin: ...Where a certain unnamed cable company had a monopoly on broadband services. There was some administrative rule in place that basically forbid all competition. So it was like the old Lily Tomlin commercial parody on "SNL." We don't care. We don't have to. 

Dave Bittner: Right. 

Ben Yelin: Let's just say the customer service was a little bit lacking because of that lack of competition. So any introduction of competition at first blush would seem to be a benefit. One of the reasons building up both municipal broadband and rural broadband capabilities is so important is it's not that the digital economy is slowly expanding and that more and more of our interactions are coming online. That's true, but we also had this sudden shock to our system with the COVID-19 pandemic, where all of the sudden, public schooling, one of the most minimal things that the state offers to its citizens, required some very strong bandwidth... 

Dave Bittner: Right. 

Ben Yelin: ...In order for students of all walks of life to connect. We've kind of accepted that one of the roles of government is to provide public schooling to school-age children, you know, 5 to 18 or whatever. In order to make that a reality during the pandemic era, we need to supplement that with strong broadband, particularly in rural areas and parts of cities where it might not be profitable to set up such a robust network. So I think there's certainly a public interest beyond just simply trying to screw over these cable companies. 

Dave Bittner: (Laughter). 

Ben Yelin: I can understand why they're... 

Dave Bittner: As gratifying as that may be (laughter). 

Ben Yelin: Right. You know, as much as the next guy, I'd like to own - you know, metaphorically own some of these cable companies. 

Dave Bittner: I just want to point out, too, that, you know, they're an easy target. But boy, I mean, they've earned it, right? Everybody's heart sinks a little bit when they have to make a phone call to their cable company or - you know, nobody looks forward to any of those interactions. They have 100% earned their reputation of being difficult to deal with and providing lackluster service. 

Ben Yelin: Yeah. I - let's just say I'm never in a good mood when I have to call the cable company about a service issue... 

Dave Bittner: Right. 

Ben Yelin: ...Because, you know, the first 20 buttons I have to press are things that I've already thought of, like... 

Dave Bittner: (Laughter). 

Ben Yelin: ...Did you try turning it on and turning it off? Yes, I did. 

Dave Bittner: Right, right. 

Ben Yelin: And I think a lot of us can relate to that frustration. So we have little sympathy here. And I just think there is a strong policy rationale to have the government step in where necessary to ensure that there's universal access to this type of bandwidth, whether it hurts the cable companies or not. Now, they have very, very powerful lobbyists. They're putting a lot of money behind this. I would never bet against a lobby as strong as this one. They have a lot of influence among both members of Congress and the executive branch. So I do think we can't just assume that because it makes sense to us for there to be a strong municipal and rural broadband that, you know, it's worth it to legislators who are - you know, have their feet to the fire here. 

Dave Bittner: It's a shame we couldn't look at this also more from a global point of view. I mean, when you look at the comparisons, here in the U.S., our broadband is slower and more expensive than many of the nations that we are looking to compete with. And it seems like here in the U.S., you're lucky if you have a duopoly - you know, if you if you have a choice between two terrible cable companies. Right? 

Ben Yelin: Oh, you're extremely lucky. I mean, most people don't even have that choice. Or you're choosing between one cable company and satellite service, which I am not a satellite person, but I've heard complaints from satellite people that if there's a mild thunderstorm, their service might go out. 

Dave Bittner: Yeah. 

Ben Yelin: There are other drawbacks to satellite service. So there really isn't that much competition. 

Dave Bittner: I'm trying to think of another example of something where the government provides a baseline service. But then if you want to - maybe it's public schools. You know, the government provides a baseline service that you get through your taxpayer money. But if you want to take it to the next level, you can pay and do something, you know, that, for you, you think would be better. And public schools are kind of that way, right? 

Ben Yelin: Schools are, health care for old people. So government gives you Medicare, but all the rich old people get Medicare Advantage plans, which have all the bells and whistles, you know, where you can get covered for more things, your co-pays are lower, that sort of thing. 

Dave Bittner: Let me ask you this, Ben. Here's a historical thing for you. Having lived in Baltimore, are you familiar with the historical job of a night porter? 

Ben Yelin: I am not. Inform me. 

Dave Bittner: So Baltimore City, turns out - time for History Corner with Dave and Ben. Turns out, Baltimore City was one of the last cities to install a citywide sewer system. And so there was a job called a night porter, which was the person who came around at night. And you would hire this person to clean out your container where all of your septic things went. 

Ben Yelin: I'm stealing this joke, but I'm going to say it anyway. You think you have a crap job? 

Dave Bittner: (Laughter) Right, right. Exactly. So these folks would come around. It was sort of a horse and carriage type of thing, horse and wagon thing. And they'd come around, and they'd empty it out. And they, in this case, take it down to the harbor and just dump it in the harbor. So there's a strata of that stuff in the harbor for someone to dig out someday. And actually, another little tidbit is one of the reasons that Baltimore was one of the last cities to hook up is there was quite a lot of resistance from the wealthier, tonier parts of town to be hooked up to a common system with the poor people. They were afraid something might flow the other direction and they might get sick from being connected with all of those others. 

Ben Yelin: Interesting. I have to say, that is a very common concern. And it probably relates to the topic we're talking about more than our listeners might think. 

Dave Bittner: Yeah, yeah. But my point is that there came a point when the city did install citywide sewer system, and it's hard to imagine any community without that these days. So is that an example of something that went from being in the private sector to something being considered a public good? 

Ben Yelin: Yeah. I mean, there are a lot of things like that. Transportation is another one. I'm not a transportation history buff, but you used to have a lot of private railways. They all ended up getting unified under one government system. We can certainly have arguments about whether that improved services or not. But yeah, we have seen that in other sectors as well. 

Dave Bittner: Yeah. Yeah. I guess personally, I like the idea of there being sort of ubiquitous, common, minimal level of broadband available for anyone that's provided by your government, be it local government, federal government. But then if you really need the high-speed stuff or you want to upgrade, well, then maybe that's where you reach out to your cable providers, and they can provide a premium service. 

Ben Yelin: Absolutely. And I think at this point, you have to consider it a public good because it is so essential to provide the services of public goods, most notably in our era, public education. So, you know, I think you can't look at it outside the context of what's been happening over the past year, where people have been engaged in online learning. 

Dave Bittner: Yeah. 

Ben Yelin: And that just illustrates that we shouldn't be at the whims of these cable companies when we're talking about something that's so crucial to public life. 

Dave Bittner: Yeah. All right. Well, the article is over on the Protocol website, again, written by Issie Lapowsky. And we'll have a link to that in the show notes, of course. We would love to hear from you. If you have a question for us, you can call in. Our number is 410-618-3720. Or you can send us an email. It's caveat@thecyberwire.com. 

Dave Bittner: Ben, I recently had the pleasure of speaking with Marijus Briedis. He is from NordVPN. And we discussed their 2021 online banking privacy trends survey. Here's my conversation with Marijus Briedis. 

Marijus Briedis: We wanted to do the report about the banking industry as a whole and how the users interact with it. And the key insights here is that we found out that people and the majority of Americans use banking apps and - but they don't trust them. That was a really interesting insight from their perspective. Another one - that Americans' online behavior are inconsistent. And one-third of them have accessed their bank's accounts while they're connected through public Wi-Fi despite the warnings of doing so. And the third one is really pleasant for me because I know that people take care of their security, and they said that they're - consider a secure connection is essential when they're working from home or outside the home. 

Dave Bittner: Well, I mean, let's dig into some of the details here. When it comes to online banking, where do we stand? What are some of the percentages that you all were able to reveal here in the survey? 

Marijus Briedis: We can deep dive into millennials and G-Y for example, and we see that they are slightly more concerned about security than other cohorts. And other interesting fact that we found out - that boomers, for example, they are the most concerned about security in general. They confirmed that they never check their bank account while on public Wi-Fi. So that's a really interesting story. 

Dave Bittner: Why do you suppose it is that folks don't have a high level of trust for their banking apps? 

Marijus Briedis: Data breaches, it's kind of a new politic that we have today. For example, I was searching today and found out that we had about 80 major breaches into 2020. And about 330 million people we have put at risk of identity and theft, for example. And we have such attacks like ransomware, unconventional stuff, malware and so on. And I was looking what is going on in 2021. So we had 24 really big breaches so far. We started with Ubiquiti routers, as you may know, and ended up with Clubhouse scraping data. So in general, I think people see these and think that their account could be compromised throughout data breaches. 

Dave Bittner: Yeah. It was fascinating to me that one of the things that your research revealed here was that a lot of people are out there, they're checking their bank accounts every day for potential bad actions. 

Marijus Briedis: Yeah. I use my banking app every day. And usually, I'm not so much into checking about the breaches every day. I use automated tools. But we can see that a lot of people don't trust their banks and the banking apps in general. That was a fascinating fact for me, too. 

Dave Bittner: Let's talk a little bit about this notion of where we stand when it comes to public Wi-Fi. I mean, one of the things the report points out is that a lot of folks are still doing things like their online banking with public Wi-Fi. Can you describe to us why is this an issue? I would imagine that - I mean, if you're creating a banking app these days, you must be using some sort of encryption between the app and the bank. So what is - what are we putting at risk here? 

Marijus Briedis: Yeah, of course. When you are creating a banking app or a new fine tech app or whatever it would be these days, you are making sure that you have at least DLS connection to the server, to the backend, right? But when you are on the public Wi-Fi, you never know what's going on with your traffic in there. You know that it's encrypted, but for example, nowadays, these apps are still not using DNS or HTPS (ph) or DNS or TLS. They are not encrypted (ph) their DNS traffic. So it's really easy for attacker (ph), especially if they have the root privileges of the router to see when you are using your banking app and conduct various attacks on it. 

Dave Bittner: So they can see basically - I don't know - taking advantage of the metadata of knowing who you're connecting to when, that perhaps they would pay special attention to the traffic that they know is likely to have something to do with financial transactions. 

Marijus Briedis: Yes, exactly. So I was checking my banking app today, too - what I'm using. To be honest, two banking apps. And I saw that neither of them are doing the encryption of DNS traffic. So I was really surprised about it. And when you put a simple VPN connection on it, like a second layer of security, you cannot see this traffic. Everything is encrypted. 

Dave Bittner: And, obviously, you and your colleagues there at NordVPN are in the VPN business. Do you want to give us the quick description of, what are the benefits there for folks enabling a VPN? 

Marijus Briedis: So as I mentioned before, you are just enabling another layer of security on all traffic as a whole, right? When, for example, you are using your mobile phone, you can just quick connect to our nearest server that is near you and make sure that your traffic is encrypted, like the second layer of security. And even any traffic that goes outside of your mobile phone or computer or any other device that you're using VPN with is encrypted then. For example, it's really hard to do man-in-the-middle of attacks through even public Wi-Fi or other means of network. 

Dave Bittner: Yeah, it's kind of like - I don't like to think of it as just kind of like installing that second deadbolt lock on the front door of your house. You know, you may already have a lock, but, you know, why not? It's not a whole lot of extra effort. So why not have that second lock for a little - you know, let you sleep a little more soundly at night? 

Marijus Briedis: Yes, exactly. 

Dave Bittner: Was there anything in particular that you found surprising in the numbers that you got back here from this research? 

Marijus Briedis: It was really surprising for me that users doesn't trust their banking apps - right? - in general. So they're using them daily - on a daily basis like I do. But most of them doesn't trust them. And I can see why because we've seen a lot of targeted attacks to mobile banking customers in recent years, mainly through ad-based banking Trojans or big banking apps in general. So usually, banking Trojans are really tedious, and they try to make users install, pretending some kind of other fun or usable software - think here about games, battery managers, power boosters and etc. So - and when they strike, they strike unexpectedly, too. They are trying just to kind of take over and steal credentials. Other things that is fascinating for me is fake banking apps. So they are more straightforward. They try to convince you that they are a real deal and try to steal credentials, too. So I think people are aware of these attacks, and that's why they are not trusting the banking apps in general. 

Dave Bittner: Yeah, that's fascinating to me. I mean, I wonder what the - what could the banks do to instill more trust in their users? You know, I think about how you have to walk that fine line between demonstrating to your users that the app is secure but also not throwing up too many roadblocks that people get frustrated with the hoops they have to jump through to enable that security. 

Marijus Briedis: I think it should be - it should go both ways, to be honest. Banks always invest into their security. We know that they are certified and do the latest certifications, including modern software - secure software development cycles and so on. But education is really important here, and educating their users should be a part of their daily business, I think. And for example, today, I got a push notification from my bank that there is some kind of phishing campaign going on with this bank. And just take care and don't give anything or other credentials to nonbank people that are not working in the bank. So I think it's really important not to have, like, big and good threat intelligence in-house, but don't forget to educate the users because knowledge is the best prevention, in my opinion. 

Dave Bittner: Ben, what do you think? 

Ben Yelin: Really interesting interview. One of the things that you brought up, which I think is so important in all of these considerations, is the balance between having these extra security measures and convenience because for most people, you might reach a point where these extra security measures become such an annoyance that they opt for some sort of application that doesn't have any security features. So if you're forced to go through multifactor authentication every time you want to log into your bank, that's a best practice. But for a person who's not plugged into the world of cybersecurity, that might just be kind of an unnecessary annoyance. And you might download the trendy app, where - it doesn't require face ID or fingerprints or whatever every time you log in. 

Dave Bittner: Right. 

Ben Yelin: So I just - I thought that was a really important and interesting thing to come out of that discussion. 

Dave Bittner: Yeah. All right. Well, again, our thanks to Marijus Briedis from NordVPN. You can check out their online banking privacy trends survey. That is over on their website. 

Dave Bittner: That is our show. We want to thank all of you for listening. The "Caveat" podcast is proudly produced in Maryland at the start-up studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our senior producer is Jennifer Eiben. Our executive editor is Peter Kilpe. I'm Dave Bittner. 

Ben Yelin: And I'm Ben Yelin. 

Dave Bittner: Thanks for listening.