nach oben

Erschienen in:

2019 | OriginalPaper | Buchkapitel

GDPiRated – Stealing Personal Information On- and Offline

verfasst von : Matteo Cagnazzo, Thorsten Holz, Norbert Pohlmann

Erschienen in: Computer Security – ESORICS 2019

Verlag: Springer International Publishing

Einloggen

Aktivieren Sie unsere intelligente Suche, um passende Fachinhalte oder Patente zu finden.

search-config

KI-gestützte Suche

Aus

Abstract

The European General Data Protection Regulation (GDPR) went into effect in May 2018. As part of this regulation, the right to access was extended, it grants a user the right to request access to all personal data collected by a company about this user. In this paper, we present the results of an empirical study on data exfiltration attacks that are enabled by abusing these so called subject access requests. More specifically, our GDPiRate attack is performed by sending subject access requests (as demanded by the GDPR) with spoofed recipient addresses either in the on- or offline realm. Our experimental results show that entities accepting and processing offline requests (e.g., letters) perform worse in terms of ensuring that the requesting entity is the correct data subject. The worrying finding is that affected organizations send personal data to unverified requests and therefore leak personal user data. Our research demonstrates a novel attack on privacy by abusing a right the GDPR tries to protect.

Sie haben noch keine Lizenz? Dann Informieren Sie sich jetzt über unsere Produkte:

Springer Professional "Wirtschaft+Technik"

Online-Abonnement

Mit Springer Professional "Wirtschaft+Technik" erhalten Sie Zugriff auf:

über 102.000 Bücher
über 537 Zeitschriften

aus folgenden Fachgebieten:

Automobil + Motoren
Bauwesen + Immobilien
Business IT + Informatik
Elektrotechnik + Elektronik
Energie + Nachhaltigkeit
Finance + Banking
Management + Führung
Marketing + Vertrieb
Maschinenbau + Werkstoffe
Versicherung + Risiko

Jetzt Wissensvorsprung sichern!

Jetzt informieren

Springer Professional "Technik"

Online-Abonnement

Mit Springer Professional "Technik" erhalten Sie Zugriff auf:

über 67.000 Bücher
über 390 Zeitschriften

aus folgenden Fachgebieten:

Automobil + Motoren
Bauwesen + Immobilien
Business IT + Informatik
Elektrotechnik + Elektronik
Energie + Nachhaltigkeit
Maschinenbau + Werkstoffe

Jetzt Wissensvorsprung sichern!

Jetzt informieren

Springer Professional "Wirtschaft"

Online-Abonnement

Mit Springer Professional "Wirtschaft" erhalten Sie Zugriff auf:

über 67.000 Bücher
über 340 Zeitschriften

aus folgenden Fachgebieten:

Bauwesen + Immobilien
Business IT + Informatik
Finance + Banking
Management + Führung
Marketing + Vertrieb
Versicherung + Risiko

Jetzt Wissensvorsprung sichern!

Jetzt informieren

Vorheriges Kapitel An Efficiently Searchable Encrypted Data Structure for Range Queries

Nächstes Kapitel Location Privacy-Preserving Mobile Crowd Sensing with Anonymous Reputation

Nur mit Berechtigung zugänglich

Bailey, M., Dittrich, D., Kenneally, E., Maughan, D.: The menlo report. IEEE Secur. Priv. 10(2), 71–75 (2012)CrossRef

Bélanger, F., Crossler, R.E.: Privacy in the digital age: a review of information privacy research in information systems. MIS Q. 35(4), 1017–1042 (2011)CrossRef

Benenson, Z., Gassmann, F., Landwirth, R.: Unpacking spear phishing susceptibility. In: Brenner, M., et al. (eds.) FC 2017. LNCS, vol. 10323, pp. 610–627. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-70278-0_39CrossRef

Bundeskriminalamt: Festnahme eines Tatverdächtigen im Ermittlungsverfahren wegen des Verdachts des Ausspähens und der unberechtigten Veröffentlichung personenbezogener Daten, January 2019. https://www.bka.de/DE/Presse/Listenseite_Pressemitteilungen/2019/Presse2019/190108_FestnahmeDatenausspaehung.html

Cagnazzo, M., Pohlmann, N.: Using geolocation data as a threat enlargener for social engineering attacks. In: DACH Security (2019)

Caputo, D.D., Pfleeger, S.L., Freeman, J.D., Johnson, M.E.: Going spear phishing: exploring embedded training and awareness. IEEE Secur. Priv. 12(1), 28–38 (2013)CrossRef

Chen, M., Cheung, A.S.Y., Chan, K.L.: Doxing: what adolescents look for and their intentions. Int. J. Environ. Res. Public Health 16(2), 218 (2019)CrossRef

Degeling, M., Utz, C., Lentzsch, C., Hosseini, H., Schaub, F., Holz, T.: We value your privacy... now take some cookies: measuring the GDPR’s impact on web privacy. In: Network and Distributed Systems Security (NDSS) (2018)

Dittrich, D., Kenneally, E.: The menlo report: ethical principles guiding information and communication technology research. Technical report, US Department of Homeland Security (2012)

10.

Douglas, D.M.: Doxing: a conceptual analysis. Ethics Inf. Technol. 18(3), 199–210 (2016)CrossRef

11.

Englehardt, S., Narayanan, A.: Online tracking: a 1-million-site measurement and analysis. In: ACM SIGSAC Conference on Computer and Communications Security, CCS 2016, pp. 1388–1401 (2016)

12.

Englehardt, S., et al.: Cookies that give you away: the surveillance implications of web tracking. In: International Conference on World Wide Web, WWW 2015, pp. 289–299 (2015)

13.

European Commission: Special eurobarometer 431: Data protection, July 2015. http://data.europa.eu/euodp/en/data/dataset/S2075_83_1_431_ENG

14.

European Union: Council regulation art. 12 regulation (eu) 2016/679 (2016)

15.

European Union: Council regulation art. 15 regulation (eu) 2016/679 (2016)

16.

European Union: Council regulation art. 25 regulation (eu) 2016/679 (2016)

17.

European Union: Council regulation art. 4 regulation (eu) 2016/679 (2016)

18.

European Union: Council regulation art. 9 regulation (eu) 2016/679 (2016)

19.

Fuentes, M.R.: Cybercrime and other threats faced by the healthcare industry. Trend Micro (2017)

20.

Geodakyan, G.S., Yen, Y.J.S., Foss, R.A., Hardy, J., Broen, W.D., Born, N.M.: Method and system for combining offline and online identities with associated purchasing intention indicators in view of a geographic location, US Patent App. 15/712,036, 18 September 2018

21.

Gluck, J., et al.: How short is too short? Implications of length and framing on the effectiveness of privacy notices. In: Symposium on Usable Privacy and Security (SOUPS), pp. 321–340 (2016)

22.

Gruss, D., et al.: Use-after-freemail: generalizing the use-after-free problem and applying it to email services. In: Proceedings of the 2018 on Asia Conference on Computer and Communications Security, pp. 297–311. ACM (2018)

23.

Harkous, H., Fawaz, K., Lebret, R., Schaub, F., Shin, K.G., Aberer, K.: Polisis: automated analysis and presentation of privacy policies using deep learning. In: 27th USENIX Security Symposium (USENIX Security 18), pp. 531–548 (2018)

24.

Hern, A.: Fitness tracking app Strava gives away location of secret US armybases. Guardian, 28 (2018)

25.

Hertlein, M.: Digitale identitäten erfolgreich schützen, April 2019. https://www.security-insider.de/digitale-identitaeten-erfolgreich-schuetzen-a-821563/

26.

Hu, H., Wang, G.: End-to-end measurements of email spoofing attacks. In: 27th USENIX Security Symposium, pp. 1095–1112 (2018)

27.

Jansen, F.: Verdächtiger nennt Ärger über Politiker als Motiv für Datenklau, January 2019. https://m.tagesspiegel.de/politik/datendiebstahl-verdaechtiger-nennt-aerger-ueber-politiker-als-motiv-fuer-datenklau/23838452.html

28.

Jensen, C., Potts, C.: Privacy policies as decision-making tools: an evaluation of online privacy notices. In: Proceedings of the SIGCHI Conference on Human Factors in Computing Systems, CHI 2004, pp. 471–478 (2004)

29.

Klensin, J., Freed, N., Rose, M., Stefferud, E., Crocker, D.: SMTP service extensions. Technical report, RFC 2846, November 1995

30.

Linden, T., Harkous, H., Fawaz, K.: The privacy policy landscape after the GDPR. arXiv preprint arXiv:1809.08396 (2018)

31.

Ponemon Institute, LLC: The race to GDPR: a study of companies in the United States & Europe. Technical report, McDermott Will & Emery LLP (2018)

32.

Martino, M.D., Robyns, P., Weyts, W., Quax, P., Lamotte, W., Andries, K.: Personal information leakage by abusing the GDPR right of access. In: Symposium on Usable Privacy and Security (SOUPS) (2019)

33.

Matwyshyn, A.M., Cui, A., Keromytis, A.D., Stolfo, S.J.: Ethics in security vulnerability research. IEEE Secur. Priv. 8(2), 67–72 (2010)CrossRef

34.

Mell, P., Scarfone, K., Romanosky, S.: Common vulnerability scoring system. IEEE Secur. Priv. 4(6), 85–89 (2006)CrossRef

35.

Mueller, R.: Report on the investigation into Russian interference in the 2016 presidential election. US Dept. of Justice. Washington, DC (2019)

36.

Ollmann, G.: The phishing guide-understanding & preventing phishing attacks. NGS Software Insight Security Research (2004)

37.

Österreich, N.: Entwurf bundesgesetz über sorgfalt und verantwortung im netz (2019). https://cdn.netzpolitik.org/wp-upload/2019/04/Digitales-Vermummungsverbot-Gesetzesentwurf.pdf

38.

Papageorgiou, A., Strigkos, M., Politou, E., Alepis, E., Solanas, A., Patsakis, C.: Security and privacy analysis of mobile health applications: the alarming state of practice. IEEE Access 6, 9390–9403 (2018)CrossRef

39.

Pascual, A., Marchini, K.: 2018 child identity fraud study, April 2018. https://www.javelinstrategy.com/coverage-area/2018-child-identity-fraud-study

40.

Pollach, I.: What’s wrong with online privacy policies? Commun. ACM 50(9), 103–108 (2007) CrossRef

41.

Proofpoint: Social media brand protection fraud (2017). https://www.proofpoint.com/sites/default/files/pfpt-en-social-media-protection-brand-fraud-report.pdf

42.

Protenus: 2017 breach barometer annual report (2017). https://www.protenus.com/2017-breach-barometer-annual-report

43.

Rasthofer, S., Huber, S., Arzt, S.: All your family secrets belong to us - worrisome security issues in tracker apps. In: DEF CON 26 (2018)

44.

Roesner, F., Kohno, T., Wetherall, D.: Detecting and defending against third-party tracking on the web. In: Presented as part of the 9th USENIX Symposium on Networked Systems Design and Implementation (NSDI), pp. 155–168 (2012)

45.

Schneier, B.: Doxing as an attack, January 2015. https://www.schneier.com/blog/archives/2015/01/doxing_as_an_at.html

46.

Secureworks Counter Threat Unit Threat Intelligence: Threat Group 4127 Targets Hillary Clinton Presidential Campaign, June 2016. https://www.secureworks.com/research/threat-group-4127-targets-hillary-clinton-presidential-campaign

47.

Seymour, J., Aqil, A.: Your voice is my passport. In: DEF Con 26 (2018)

48.

Snyder, P., Doerfler, P., Kanich, C., McCoy, D.: Fifteen minutes of unwanted fame: detecting and characterizing doxing. In: Internet Measurement Conference, IMC 2017, pp. 432–444 (2017)

49.

New York Times: An old swindle revived, March 1898. https://www.nytimes.com/1898/03/20/archives/an-old-swindle-revived-the-spanish-prisoner-and-buried-treasure.html

50.

TrendLabs Security Intelligence: Operation Pawn Storm Ramps Up its Activities. Targets NATO, White House (2015)

51.

Urban, T., Tatang, D., Degeling, M., Holz, T., Pohlmann, N.: The unwanted sharing economy: an analysis of cookie syncing and user transparency under GDPR. arXiv preprint arXiv:1811.08660 (2018)

52.

Web Investigations: Investigation and Doxing Prices, July 2019. https://doxanybody.wordpress.com/category/investigation-and-doxing-prices/

53.

Yeboah-Boateng, E.O., Amanor, P.M.: Phishing, smishing & vishing: an assessment of threats against mobile devices. J. Emerg. Trends Comput. Inf. Sci. 5(4), 297–307 (2014)

Titel: GDPiRated – Stealing Personal Information On- and Offline
verfasst von: Matteo Cagnazzo
Thorsten Holz
Norbert Pohlmann
Verlag: Springer International Publishing
Buch: Computer Security – ESORICS 2019
Print ISBN: 978-3-030-29961-3

Electronic ISBN: 978-3-030-29962-0

Copyright-Jahr: 2019
DOI: https://doi.org/10.1007/978-3-030-29962-0_18

Springer Professional

Abstract

Bitte loggen Sie sich ein, um Zugang zu Ihrer Lizenz zu erhalten.

Sie haben noch keine Lizenz? Dann Informieren Sie sich jetzt über unsere Produkte:

Springer Professional "Wirtschaft+Technik"

Springer Professional "Technik"

Springer Professional "Wirtschaft"

Premium Partner