5/24/2018
02:30 PM
Ron Teicher
Commentary
GDPR, WHOIS & the Impact on Merchant Risk Security Monitoring

The EU's General Data Protection Regulation will make it harder for law enforcement, forensic investigators, and others to track down everything from credit card fraud to child porn rings.

On May 25, the rock is set to meet the hard place — and what happens when the two clash is anyone's guess. That's the date that the EU's GDPR goes into effect — and when WHOIS, the domain information lookup service, may be forced to stop publishing data about the owners of websites that are owned or associated with persons in the European Union. As a result, law enforcement, forensic investigators, and others seeking to track down bad actors such as money launderers, hackers, and child pornographers will no longer be able to rely on what has been a default tool for such investigations.

The General Data Protection Regulation (GDPR) is the European Union's grand plan to preserve the privacy of individuals and businesses in Europe. An evolution of the Union's original 1995 Data Protection Directive adopted at a time when the Internet was in its infancy, the GDPR aims to ensure that privacy remains intact, despite new technologies.

Those technology changes include the emergence of big data, artificial intelligence, and machine learning — technologies that make it much easier to identify individuals or entities. Even if the data is anonymized, the enormous number of data points available makes identifying those individuals or entities a relatively simple matter. A prominent rule in GDPR is that data associated with EU "natural persons," or data that passes through EU-based servers, is subject to enhanced privacy rules.

What does this have to do with WHOIS? Simply, WHOIS — via its controlling organization, the Internet Corporation for Assigned Names and Numbers (ICANN) — publishes identification data for registered domain owners. If ICANN wants to do business with the EU, its "natural persons," or entities that store data on servers accessed from the EU, it can no longer do so without making major changes.

The problem here is that cybersecurity and anti-cybercrime organizations have built much of their investigation models on WHOIS data. There are many other paid services, as well as customized tools based on WHOIS data, that enable organizations to track down criminals, or even shut down their operations.

For example, an email address used in two seemingly unrelated domains can give insights into hidden connections and underlying transactions. Tools using information from the WHOIS database have been used to successfully track down everything from credit card fraud to child porn rings. Based on the current interpretation of how the GDPR privacy rules are to be applied, the services that allow law enforcement and security personnel to stop spam, malware, credit card fraud, child porn, and a host of other illegal activities will no longer be readily available.

ICANN is currently trying to work out a solution that will comply with GDPR regulations yet still enable it to provide information, especially for cybersecurity purposes (as it has for at least a year). Some ideas have been proposed, but so far an acceptable solution to both sides has not been developed. A proposed timeline sees ICANN coming up with a potential GDPR-approved solution in May 2019 — a year after the rules go into effect.

Whatever the solution, one thing is clear: organizations that depend on access to WHOIS data will have major challenges that will require either extensive bureaucracy or court orders and subpoenas to track down identity information on bad actors.

If using registration information is out of bounds, companies will have to dig deeper to track down hackers and cyber thieves. One way they can do that is via comprehensive, big data–based analysis of relationships of all websites to prevent sophisticated cybercrime, such as electronic money laundering or transaction laundering. Transaction laundering occurs when an undisclosed business uses an approved merchant's payment credentials to process payments for another undisclosed store selling unknown products and services.

This advanced online fraud scheme takes advantage of legitimate payment ecosystems by funneling unknown e-commerce transactions through legitimate merchant accounts. Valid websites act as payment processing storefronts for criminal enterprises selling firearms, illicit drugs, child pornography, and other illegal goods.

For merchants worried about credit card fraud and transaction laundering, a big data analysis system has the ability to detect hidden connections across online entities. The same tactics could apply to spam attacks, ransomware attacks, or any other unwanted activity. Comprehensive and continuous monitoring of big data can lead to insights on the identification and activities of bad actors hiding behind the scenes.
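The registrant pivot described above (one email or phone number tying together seemingly unrelated domains) and the broader "hidden connections across online entities" analysis come down to the same link-analysis step. The following is an added example, not code from the article or from EverCompliant: it clusters WHOIS-style records over constructed sample data and, because masking services would otherwise falsely link every customer of the same privacy proxy, skips contact values that the analyst has flagged as proxy values (an assumed, analyst-maintained set).

```python
"""Registrant pivoting over WHOIS-style records (constructed sample data).

Domains are linked when they share a registrant email or phone. Contact
values belonging to privacy/proxy services are ignored, because a proxy's
shared address would otherwise falsely link every customer of that proxy.
"""
from collections import defaultdict

# Constructed sample records; none of these are real registrations.
RECORDS = [
    {"domain": "shop-a.example",    "email": "owner@mail.example",           "phone": "+1.5550100"},
    {"domain": "gadgets-b.example", "email": "Owner@mail.example",           "phone": "+1.5550199"},
    {"domain": "deals-c.example",   "email": "other@mail.example",           "phone": "+1.5550199"},
    {"domain": "proxy-d.example",   "email": "contact@privacy-proxy.example", "phone": "+1.5550900"},
    {"domain": "proxy-e.example",   "email": "contact@privacy-proxy.example", "phone": "+1.5550900"},
    {"domain": "solo-f.example",    "email": "",                             "phone": ""},
]

# Assumed: contact values known to belong to masking services (analyst-maintained list).
PROXY_VALUES = {"contact@privacy-proxy.example", "+1.5550900"}


def link_domains(records, proxy_values=PROXY_VALUES, fields=("email", "phone")):
    """Return clusters (sorted lists of domains) connected by shared registrant data."""
    parent = {r["domain"]: r["domain"] for r in records}

    def find(x):  # union-find root lookup with path halving
        while parent[x] != x:
            parent[x] = parent[parent[x]]
            x = parent[x]
        return x

    # Index every usable contact value to the domains that carry it.
    by_value = defaultdict(list)
    for r in records:
        for f in fields:
            v = r.get(f, "").strip().lower()
            if v and v not in proxy_values:  # empty and proxy values never link anything
                by_value[(f, v)].append(r["domain"])

    # Merge all domains that share a value into one cluster.
    for domains in by_value.values():
        for d in domains[1:]:
            parent[find(d)] = find(domains[0])

    clusters = defaultdict(list)
    for d in parent:
        clusters[find(d)].append(d)
    return sorted(sorted(c) for c in clusters.values())


if __name__ == "__main__":
    for cluster in link_domains(RECORDS):
        print(cluster)
```

Calling `link_domains(RECORDS, proxy_values=set())` shows the failure mode the article mentions: the two proxy-registered domains collapse into one spurious cluster.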

The inevitable changes to WHOIS expose the real issue for companies that have relied on its service for so many decades. Although WHOIS has become a trusted online resource, it is not and has never been a complete, dynamic force fighting the ever-evolving world of cybercrime. The usefulness of WHOIS data was already being called into question by the increased use of masking services and by incomplete or fake registration data. If cybercriminals are leveraging advanced technology, shouldn't we be doing the same to stop them?

These affected industries are now faced with the responsibility to share intelligence and pursue comprehensive solutions that keep pace with advanced technology while remaining compliant with newly enforced regulations.

For law enforcement and those concerned with the prevention of cyber fraud, understanding the WHOIS versus GDPR issue is crucial. These organizations will need to find new tools and practices that can replace or enhance the service WHOIS once provided.

Ron Teicher is the CEO and founder of EverCompliant. Ron has served as a CEO of EverCompliant since its inception. Before founding EverCompliant, Ron led the compliance initiatives at Sanctum and Watchfire (acquired by IBM). Watchfire's compliance product won SC Magazine's ...