LAS VEGAS—The EU's General Data Protection Regulation has now been the law of the land for more than a year now, and it grants you the right to access any personal data a company or other entity holds about you, among other things.
But how are companies verifying that those data requests are legitimate? Some are not, as researcher James Pavur, a Rhodes Scholar at Oxford University, demonstrated here at Black Hat.
"I'm only here because of a bet," Pavur said this week. "My fiancée and I were sitting on an airport floor, grumbling about lack of seats and plane delays. She's a pen-tester, and she thought to get petty revenge on the airline by wasting its time with a GDPR privacy request, just as the airline was wasting our time. I said, 'Hey, I bet they won't check who the request came from. I bet I could steal your identity.' Two months later, I had a treasure trove."
Hacking the Law
"I approached the problem by thinking of the law as software," said Pavur. "Look for vulnerabilities, find a kill chain, weaponize an exploit, and exfiltrate the data."
Pavur pointed out four factors that make GDPR vulnerable: fear, pressure, ambiguity, and humanity. Companies fear the law because violations come with huge fines. They're under pressure because the law requires response to an access request within a short time. The law is necessarily ambiguous because it's ambitious, attempting to cover a diverse array of businesses. And these factors affect the humans involved—humans with the capacity to screw up.
"It's a perfect target for social engineering," concluded Pavur.
Pavur created a somewhat vague letter ostensibly from his fiancée. For proof of identity, he used public information including her full name, a fake email that looked like it could be hers, and her phone number. He sent it to 150 large organizations that might have her information, and sat back to wait.
Putting on the Pressure
Most of the organizations that responded asked for more proof of identity, but he took advantage of the fact that they're only allowed to ask for "reasonable" proof. An ad-tracking site that has data about you can't reasonably ask to see your passport.
Throughout this process, he used only information that a stranger could get. "About 16 percent of the respondents asked for ID that I thought I could forge," said Pavur, "but I didn't do that. Three or four companies saw GDPR in the letter and immediately deleted her account."
By stringing the companies along, or supplying identity data weaker than requested, Pavur heightened the time pressure. In many cases, the companies caved and didn't pursue further verification.
From one company, Pavur obtained his fiancee's Social Security number, date of birth, mother's maiden name, and high school grades. "All the company asked for was her name and email," said Pavur, "and the website suggests they have 10 million accounts."
From a financial company he got 10 digits of her credit cards. From a threat-tracking company he got her usernames and passwords to accounts that had been breached. A railroad company served up her history of train rides, and a hotel chain gave him information about all her visits.
What Can Be Done?
"Clearly this is unacceptable," said Pavur. "We need to make privacy laws that achieve their directives. There's a bill in the US that basically copy/pastes GDPR into US law. We don't want GDPR to become a model."
Pavur suggests that companies require those requesting their data to log in. If they can't, ask for a driver's license, and outsource verification of the license if necessary. Also, just say no to sketchy GDPR requests. Lawmen should reassure companies that rejecting legitimate but sketchy requests won't bite them.
Another possibility is a third-party verification service. "I don't send my passport to the shoe store," he said. "I send it to a service that verifies me to the shoe store."
Individuals need to be proactive about data hygiene. He pointed out that you should never trust knowledge-based authentication from unsolicited phone calls. "Even if someone calls and knows about your hotel stay or your train trip, it doesn't mean they are legitimate," Pavur pointed out. "The core point is that privacy laws should enhance privacy, not endanger it."