
Talk about unintended consequences: GDPR is an identity thief's dream ticket to Europeans' data

Revenge plan morphs into data leak discovery


Black Hat When Europe introduced the General Data Protection Regulation (GDPR) it was supposed to be a major step forward in data safety, but sloppy implementation and a little social engineering can make it heaven for identity thieves.

In a presentation at the Black Hat security conference in Las Vegas James Pavur, a PhD student at Oxford University who usually specialises in satellite hacking, explained how he was able to game the GDPR system to get all kinds of useful information on his fiancée, including credit card and social security numbers, passwords, and even her mother's maiden name.

"Privacy laws, like any other infosecurity control, have exploitable vulnerabilities," he said. "If we'd look at these vulnerabilities before the law was enacted, we could pick up on them."

Pavur's research started in an unlikely place - the departure lounge of a Polish airport. After the flight he and his fiancée were supposed to travel on was delayed, they joked about spamming the airline with GDPR requests to get revenge. They didn't, but it sparked an idea to see what information you could get on other people and Pavur's partner agreed to act as a guinea pig for the experiment.

For social engineering purposes, GDPR has a number of real benefits, Pavur said. Firstly, companies only have a month to reply to requests and face fines of up to 4 per cent of revenues if they don't comply, so fear of failure and time are strong motivating factors.

In addition, the people who handle GDPR requests are usually admin or legal staff, not security staff used to social engineering tactics. This makes information gathering much easier.

Over the space of two months Pavur sent out 150 GDPR requests in his fiancée's name, asking for any and all data on her. In all, 72 per cent of companies replied, and 83 companies said that they had information on her.

Interestingly, five per cent of responses, mainly from large US companies, said that they weren't subject to GDPR rules. They may be in for a rude shock if they have a meaningful presence in the EU and come before the courts.

Of the responses, 24 per cent simply accepted an email address and phone number as proof of identity and sent over any files they had on his fiancée. A further 16 per cent requested easily forged ID information and 3 per cent took the rather extreme step of simply deleting her accounts.


A lot of companies asked for her account login details as proof of identity, which is actually a pretty good idea, Pavur opined. But when one gaming company tried it, he simply said he'd forgotten the login and they sent it anyway.

The range of information the companies sent in is disturbing. An educational software company sent Pavur his fiancée's social security number, date of birth and her mother's maiden name. Another firm sent over 10 digits of her credit card number, the expiration date, card type and her postcode.

A threat intelligence company - not Have I Been Pwned - sent over a list of her email addresses and passwords which had already been compromised in attacks. Several of these still worked on some accounts - Pavur said he has now set her up with a password manager to avoid a repeat of this.

"An organisation she had never heard of, and never interacted with, had some of the most sensitive data about her," he said. "GDPR provided a pretext for anyone in the world to collect that information."

Fixing this issue is going to take action from both legislators and companies, Pavur said.

First off, lawmakers need to set a standard for what is a legitimate form of ID for GDPR requests. One rail company was happy to send out personal information, accepting a used envelope addressed to the fiancée as proof of identity.

He suggested that requesting account login details was a good idea, but there is always the possibility that such accounts have been pwned. A driver's licence would also be a good alternative, although fake IDs are rife.

Companies should be prepared to refuse information requests unless proper proof of identity is provided, he suggested. It may come to a court case, but being seen to protect the data of customers would be no bad thing. ®
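The recommendations above (a defined assurance standard for proof of identity, treating a "forgotten login" as no proof at all, and refusing rather than releasing when proof is lacking even as the one-month deadline approaches) can be expressed as a small policy gate. The code below is an added example written for this page, not Pavur's tooling or anything from the talk: the evidence kinds, their scores, the release threshold and the sample requests are all constructed for illustration and do not represent any legal standard. It contrasts a permissive policy that reproduces the failures described in the article with a strict one that never lets time pressure or an unverifiable claim substitute for proof.

```python
"""Identity-assurance gate for GDPR subject access requests (hypothetical).

Two policies are evaluated over the same constructed requests:
  - permissive_policy reproduces the article's failure modes (contact details
    alone, a used envelope, or "I forgot my login" unlock the file, and the
    approaching deadline forces a release);
  - strict_policy releases only when the summed evidence reaches a threshold,
    and refuses at the deadline instead of releasing.
Evidence kinds, scores and threshold are illustrative assumptions.
"""
from dataclasses import dataclass, field
from enum import Enum


class Decision(Enum):
    RELEASE = "release"
    REQUEST_MORE_PROOF = "request_more_proof"
    REFUSE = "refuse"


# How much confidence each kind of evidence gives that the requester really is
# the data subject. Scores are constructed for this example.
EVIDENCE_SCORE = {
    "email_matches_record": 1,         # anyone who knows the address has this
    "phone_matches_record": 1,
    "postal_envelope": 1,              # the rail-company case: trivially obtained
    "scanned_id_document": 2,          # forgeable, but raises the bar
    "one_time_code_to_address_on_file": 3,
    "authenticated_session": 4,        # logged in to the existing account
}

RELEASE_THRESHOLD = 4  # assumption: at least an authenticated session, or
                       # an ID document plus a code delivered to the record's address


@dataclass
class AccessRequest:
    name: str
    evidence: set = field(default_factory=set)
    claims_forgotten_login: bool = False
    days_until_deadline: int = 30


def assurance(req: AccessRequest) -> int:
    """Sum the scores of recognised evidence; unknown kinds contribute nothing."""
    return sum(EVIDENCE_SCORE.get(kind, 0) for kind in req.evidence)


def permissive_policy(req: AccessRequest) -> Decision:
    """The weak setting: time pressure, a login claim or any single item of
    contact data is enough to release the file."""
    if req.days_until_deadline <= 3:
        return Decision.RELEASE  # fear of the fine overrides verification
    if "authenticated_session" in req.evidence or req.claims_forgotten_login:
        return Decision.RELEASE  # the gaming-company case
    if assurance(req) >= 1:
        return Decision.RELEASE  # email + phone, or a used envelope
    return Decision.REQUEST_MORE_PROOF


def strict_policy(req: AccessRequest) -> Decision:
    """The corrected setting: a forgotten-login claim carries no weight, the
    threshold must be met, and running out of time means refusal, not release."""
    if assurance(req) >= RELEASE_THRESHOLD:
        return Decision.RELEASE
    if req.days_until_deadline > 0:
        return Decision.REQUEST_MORE_PROOF
    return Decision.REFUSE


# Constructed requests mirroring situations described in the article.
SAMPLE_REQUESTS = [
    AccessRequest("contact_only", {"email_matches_record", "phone_matches_record"}),
    AccessRequest("forgot_login", {"email_matches_record"}, claims_forgotten_login=True),
    AccessRequest("envelope_at_deadline", {"postal_envelope"}, days_until_deadline=0),
    AccessRequest("logged_in", {"authenticated_session"}),
    AccessRequest("id_plus_code", {"scanned_id_document", "one_time_code_to_address_on_file"}),
]


def evaluate(policy, requests=SAMPLE_REQUESTS) -> dict:
    """Return {request name: Decision} for the given policy, for audit or review."""
    return {req.name: policy(req) for req in requests}


if __name__ == "__main__":
    for label, policy in (("permissive", permissive_policy), ("strict", strict_policy)):
        for name, decision in evaluate(policy).items():
            print(f"{label:10s} {name:22s} -> {decision.value}")
```

Running it side by side shows the difference in one table: the permissive gate releases every sample request, while the strict gate releases only the authenticated session and the ID-plus-code case, asks for more proof on the contact-only and forgotten-login requests, and refuses the envelope request once the deadline has been reached.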
