The GDPR Is A Wide Open Vulnerability For Identity Fraud And Scams
from the how-does-this-help-privacy-again? dept
We’ve spent the last year and a half or so pointing out that, while it may have been well-intentioned, there are all sorts of consequences — whether intended or not — to the EU’s General Data Protection Regulation (GDPR), including giving more power to the giant internet companies (when many argued the GDPR was necessary to curb their power), censorship of media, and a way for the rich and famous to harass people. But, of course, some might argue that those are worthy trade-offs if it did a better job protecting people’s privacy.
About that… Last year, we pointed out that one consequence of the GDPR was that, in making it easy to “download” your data, it could open up serious privacy consequences for anyone who has their accounts hacked. In that story, we talked about someone having their Spotify account hacked, and having all the data downloaded — a situation that might not be that impactful. However, last week, at Black Hat, James Pavur, a PhD student at Oxford, explained how he exploited the GDPR to access a ton of private info about his fiancee.
In a presentation at the Black Hat security conference in Las Vegas James Pavur, a PhD student at Oxford University who usually specialises in satellite hacking, explained how he was able to game the GDPR system to get all kinds of useful information on his fiancée, including credit card and social security numbers, passwords, and even her mother’s maiden name.
“Privacy laws, like any other infosecurity control, have exploitable vulnerabilities,” he said. “If we’d look at these vulnerabilities before the law was enacted, we could pick up on them.”
In other words, in giving more “protection” over data, the EU has also opened up a new vulnerability. Here’s how it worked:
Over the space of two months Pavur sent out 150 GDPR requests in his fiancée’s name, asking for all and any data on her. In all, 72 per cent of companies replied back, and 83 companies said that they had information on her.
Interestingly, five per cent of responses, mainly from large US companies, said that they weren’t liable to GDPR rules. They may be in for a rude shock if they have a meaningful presence in the EU and come before the courts.
Of the responses, 24 per cent simply accepted an email address and phone number as proof of identity and sent over any files they had on his fiancée. A further 16 per cent requested easily forged ID information and 3 per cent took the rather extreme step of simply deleting her accounts.
That last one is kind of fascinating. What companies delete the accounts of people making a GDPR request? At least some of the companies required login info, but Pavur noted that in one case, he told the company he’d forgotten the login… and they gave him the data anyway.
“An organisation she had never heard of, and never interacted with, had some of the most sensitive data about her,” he said. “GDPR provided a pretext for anyone in the world to collect that information.”
This could be fixed, and one could argue that companies handing out this info without real proof of ID are, themselves, in violation of the GDPR. But, given that the GDPR is so strict (you have a very short time frame to return the info or face massive fines), the incentive structure is designed to ignore those formalities and just fork over the information — even if it’s right into the hands of a scammer.
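The failure modes above (email and phone number accepted as proof, a "forgot my login" story accepted instead of a login) come down to a missing verification gate in the request-handling process. The following is an added example, not code from the article, from Pavur, or from any company mentioned: a small Python model of a subject-access-request intake check in which data is released only on proof of control of the account or an assumed out-of-band identity-document check, weak knowledge-based evidence alone is never sufficient, and a lost-credentials claim is routed to account recovery rather than lowering the bar. The evidence categories, the `VERIFIED_ID_DOCUMENT` process and the sample requests are constructed for the illustration.

```python
from dataclasses import dataclass
from enum import Enum


class Evidence(Enum):
    """Kinds of proof a requester can attach to a subject access request."""
    EMAIL_MATCH = "email matches account record"        # knowable by a third party
    PHONE_MATCH = "phone matches account record"        # knowable by a third party
    AUTHENTICATED_SESSION = "logged in to the account"  # proves control of the account
    VERIFIED_ID_DOCUMENT = "identity document verified"  # assumed out-of-band check


class Decision(Enum):
    RELEASE = "release data"
    REQUIRE_STRONGER_PROOF = "ask for stronger proof before releasing"
    NO_DATA = "respond that no data is held"


# Only proof of control of the account, or an out-of-band identity check, is
# enough on its own. Email plus phone is exactly the weak check the article describes.
STRONG_EVIDENCE = {Evidence.AUTHENTICATED_SESSION, Evidence.VERIFIED_ID_DOCUMENT}


@dataclass(frozen=True)
class DsarRequest:
    request_id: str
    subject_email: str
    evidence: frozenset
    claims_lost_credentials: bool = False


@dataclass(frozen=True)
class Outcome:
    decision: Decision
    reason: str
    flag_for_review: bool  # True when a human should look before anything is sent


def evaluate(req: DsarRequest, on_file_emails: set) -> Outcome:
    """Decide whether a request may be fulfilled. Pure function: no side effects."""
    if req.subject_email.lower() not in on_file_emails:
        return Outcome(Decision.NO_DATA, "no record for the claimed subject", False)

    if req.evidence & STRONG_EVIDENCE:
        return Outcome(Decision.RELEASE, "strong proof of identity supplied", False)

    # Weak evidence only. A 'forgot my login' claim goes to account recovery;
    # it never lowers the bar for releasing the subject's data.
    if req.claims_lost_credentials:
        return Outcome(Decision.REQUIRE_STRONGER_PROOF,
                       "lost-credentials claim: send requester to account recovery, then retry",
                       True)
    return Outcome(Decision.REQUIRE_STRONGER_PROOF,
                   "email/phone alone do not prove identity",
                   True)


def triage(requests, on_file_emails):
    """Run a batch and return the ids that need human review (weak-proof requests)."""
    return [r.request_id for r in requests if evaluate(r, on_file_emails).flag_for_review]


if __name__ == "__main__":
    # Constructed sample data, not real accounts or requests.
    on_file = {"alice@example.com"}
    sample = [
        DsarRequest("r1", "alice@example.com", frozenset({Evidence.EMAIL_MATCH, Evidence.PHONE_MATCH})),
        DsarRequest("r2", "alice@example.com", frozenset({Evidence.AUTHENTICATED_SESSION})),
        DsarRequest("r3", "alice@example.com", frozenset({Evidence.EMAIL_MATCH}), claims_lost_credentials=True),
        DsarRequest("r4", "nobody@example.com", frozenset({Evidence.EMAIL_MATCH})),
    ]
    for r in sample:
        o = evaluate(r, on_file)
        print(f"{r.request_id}: {o.decision.value} ({o.reason})")
    print("needs review:", triage(sample, on_file))
```

The point of keeping `evaluate` a pure function is that the release decision can be unit-tested and audited separately from the code that actually exports the data; the `flag_for_review` field gives an operations team a queue of requests that arrived with only knowledge-based evidence, which is the pattern the article's figures describe.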