The GDPR came into effect last year in May. Since then, there have been many changes, with the most serious and obvious in daily surfing being the cookie banners that are now appearing everywhere. Another innovation is the right of access to personal data by users. Three studies now show that this attack allows attackers to steal data. GDPiRate was created by our founder Matteo Große-Kampmann.
GDPiRate and other attacks explained
Side channel attacks are actually nothing new in computer science. For example, we reported on the four attacks on Intel processors in April. Secret information, which is actually encrypted, is made available via side channels, for example the power consumption of a microchip. The GDPR has now also introduced a side channel, namely the retrieval of private information by unauthorized third parties. Actually, a “Subject Access Request” (SAR) runs like this:
- as a user I would like to have access to my data so I am writing an e-mail that I would like to make use of this right.
- either I get the data directly back to the mail or I am referred to a point within a portal where I can retrieve the data or it will be queried further “identification”.
So far, so simple. But what we have asked ourselves is: What if data is requested on behalf of another person?
Attacks like GDPiRate Show vulnerabilities in SAR processes
If we are referred to a function within the platform, such as Spotify or Facebook, then the private data is as secure as the passwords we give on the platform for login. This form of data query is probably the safest after all three studies. Digital native companies usually use this form of deployment.
Mariano di Martino shows in his detailed study on data retrieval in Belgium that many companies are not yet ready. Fifteen of the 41 companies it audited reveal private data on fake requests.
Pavur shows in his study that he published on the Blackhat that on 150 of his inquiries 72% of companies responded and shipped data.
Our co-founder Matteo specifically analyzed companies in Germany on their reaction and the results are also shocking. From 14 requested companies 10 send out private information spoofed.
What does GDPiRate mean for companies and users
Businesses need to better protect private user data from such foreign traffic. Although the response time to a one-month SAR is quite short, the results of all three studies are alarming. They show that very few companies have established processes or mechanisms to protect themselves against counterfeit SARs. A better mechanism for identifying users must be used. One possible solution could be XignQR from XignSys, which is currently being developed here in Gelsenkirchen.
The captured information is wonderfully suited for a targeted social engineering attack on individual users, one of the biggest cybersecurity risks currently. So an attacker does not need to do anything but fake SARs and send the results back to get information about his victims. He can choose whether financial, health or other information is relevant to him.
Users hardly have the opportunity to protect themselves efficiently. As a user, I can only deal with so-called “identity-creating characteristics”, such as the date of birth, even more sparingly and consider exactly where I reveal this information and who can see this information. The privacy settings of each platform can help make data visible only to specific people.
PS. Accounts that are no longer needed can be deleted with the help of our website cyberpflege.de. Data which are not available, can not get also into strange hands.
This post is also available in: Deutsch (German)