When no one wants to risk an EU fine...
Source:
What maybe no one saw coming is that GDPR can become another tool in the arsenal of enterprising and malicious social engineers, hackers, and people who want to dox and harass others.
That's what Ph.D student and cybersecurity researcher James Pavur discovered when he and his fiance—and co-author on their paper—Casey Knerr made an unusual wager about using GDPR's right of access requests—a mechanism that allows Europeans to ask any company about what data they have on themselves—with the goal of extracting sensitive information.
He started with just Knerr's full name, a couple of email addresses, phone numbers, and any other low-hanging fruit that he could find online. In other words, "the weakest possible form of attack," as he put it in his paper. Then, he sent requests to 75 companies, and then to another 75 using the new data—such as home addresses—he found through the first wave of requests using an email address designed to look like that of Knerr.
Thanks to these requests, Pavur was able to get his fiance's Social Security Number, date of birth, mother's maiden name, passwords, previous home addresses, travel and hotel logs, high school grades, partial credit card numbers, and whether she had ever been a user of online dating services.
According to Pavur and Knerr, 25 percent of companies he contacted never responded. Two thirds of companies, including online dating services, responded with enough information to reveal that Pavur's fiance had an account with them. Of those who responded, 25 percent provided sensitive data without properly verifying the identity of the sender. Another 15 percent requested data that could have easily been forged, while 40 percent requested identifying information that would've been relatively hard to fake, according to the study.
In the future, Pavur hopes regulators will give companies more strict verification requirements. And perhaps even create government agencies that can verify documents like passports, which would solve the problem of a consumer having to send their documents to companies.
"So instead of me sending my passport to a shoe store I would send it to a government store that would send a 'yes' or 'no' answer to a shoe store about whether or not that was a real passport. I think that has the benefit of a strong form of identity without the risk of sharing it to just whoever asks for it," Pavur said. "I trust them a little bit more than random shoe store."
Source: