The GDPR (General Data Protection Regulation) is supposed to help individuals keep their information private, but as it turns out, it can also be turned against them by attackers.
In a session at the Black Hat USA conference in Las Vegas, titled "GDPArrrrr: Using Privacy Laws to Steal Identities", James Pavur, DPhil student and Rhodes Scholar at Oxford University, outlined how he was able to abuse a key component of the GDPR to obtain personally identifiable information about his fiancée.
Pavur said that the GDPR has several properties that a social engineering attacker can exploit. The first is fear of non-compliance, since the GDPR prescribes large fines for violations.
The GDPR also sets tight timelines for disclosure and compliance, which puts pressure on organizations. There is also a certain amount of ambiguity in the actual language of the regulation. Finally, because the process is complex, much of the handling of GDPR requests is done by humans, who can be manipulated.
The weak point in the GDPR targeted by Pavur is the Right of Access provision, which gives individuals (data subjects) the right to request a copy of all the data a given organization holds about them.
Using a simple email that included only basic information, such as name, email address and phone number, Pavur sent requests to over 150 organizations to see what kind of response he would get, and ended up with some surprising results.
While 39 percent of requests were denied, with providers requiring stronger forms of identification than just an email address and a phone number, 24 percent of providers handed over the requested information, and a further 16 percent accepted the request but asked for an additional, weaker form of authentication that he was able to provide.
Only 13 percent of organizations just ignored the request outright, while shockingly three percent ended up deleting the account in question, rather than have to deal with the request at all. Pavur said that the account deletion was not something he had expected and could potentially be used as a form of identity denial of service attack.
The ambiguity in the GDPR's language is that the regulation only requires that the requester's identity be verified by "reasonable" means, without defining what counts as reasonable. Different organizations asked for different kinds of verification, ranging from something as simple as a signed letter to just being able to answer a knowledge question about the user. Fundamentally, though, Pavur said that most organizations simply don't have the ability to verify the documentation they ask for in any case, so a forged or easily obtained document is as good as a real one.
The information that Pavur was able to get from his data requests also varied, with a major hotel chain for example providing data about all of the target user's stays at the hotel. Another provider sent him more sensitive information including the target's social security number.
While there are challenges with the GDPR's Right of Access, Pavur also provided a few recommendations for what organizations can do to help protect themselves and their users' information from fraudulent data requests.
The first and most basic suggestion Pavur offered is for companies to just say no to suspicious GDPR data requests. He said that if the request turns out to be genuine, refusing it could potentially land the provider in a courtroom, but that is better than handing customer information to an attacker. He added that if the provider can also demonstrate that it was acting in good faith, the legal risk is reduced further.
Pavur also suggested that legislators need to clarify what appropriate forms of identity verification are, and that it is critical to provide government-mediated identity verification services.
"The core point is that privacy laws should enhance privacy not endanger it," he said.