Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


02:30 PM
Ron Teicher
Ron Teicher
Connect Directly
E-Mail vvv

GDPR, WHOIS & the Impact on Merchant Risk Security Monitoring

The EU's General Data Protection Regulation will make it harder for law enforcement, forensic investigators, and others to track down everything from credit card fraud to child porn rings.

On May 25, the rock is set to meet the hard place — and what happens when the two clash is anyone's guess. That's the date that the EU's GDPR goes into effect — and when WHOIS, the domain information lookup service, may be forced to stop publishing data about the owners of websites that are owned or associated with persons in the European Union. As a result, law enforcement, forensic investigators, and others seeking to track down bad actors such as money launderers, hackers, and child pornographers will no longer be able to rely on what has been a default tool for such investigations.

The General Data Protection Regulation (GDPR) is the European Union's grand plan to preserve the privacy of individuals and businesses in Europe. An evolution of the Union's original 1995 Data Protection Directive adopted at a time when the Internet was in its infancy, the GDPR aims to ensure that privacy remains intact, despite new technologies.

Those technology changes include the emergence of big data, artificial intelligence, and machine learning — technologies that make it much easier to identify individuals or entities. Even if the data is anonymized, the enormous number of data points available makes identifying those individuals or entities a relatively simple matter. A prominent rule in GDPR is that data associated with EU "natural persons," or data that passes through EU-based servers, is subject to enhanced privacy rules.

What does this have to do with WHOIS? Simply, WHOIS — via its controlling organization called Internet Corporation for Assigned Names and Numbers (ICANN) — publishes identification data for registered domain owners. If ICANN wants to do business with the EU, its "natural persons," or entities that store data on servers accessed from the EU, it can no longer do so without making major changes.

The problem here is that cybersecurity and anti-cybercrime organizations have built much of their investigation models on WHOIS data. There are many other paid services, as well as customized tools based on WHOIS data, that enable organizations to track down criminals, or even shut down their operations.

For example, an email address used in two seemingly unrelated domains can give insights into hidden connections and underlying transactions. Tools using information from the WHOIS database have been used to successfully track down everything from credit card fraud to child porn rings. Based on the current interpretation of how the GDPR privacy rules are to be applied, the services that allow law enforcement and security personnel to stop spam, malware, credit card fraud, child porn, and a host of other illegal activities will no longer be readily available.

ICANN is currently trying to work out a solution that will comply with GDPR regulations yet still enable it to provide information, especially for cybersecurity purposes (as it has for at least a year). Some ideas have been proposed, but so far an acceptable solution to both sides has not been developed. A proposed timeline sees ICANN coming up with a potential GDPR-approved solution in May 2019 — a year after the rules go into effect.

Whatever the solution, one thing is clear: organizations that depend on access to WHOIS data will have major challenges that will require either extensive bureaucracy or court orders and subpoenas to track down identity information on bad actors.

If using registration information is out of bounds, companies will have to dig deeper to track down hackers and cyber thieves. One way they can do that is via comprehensive, big data–based analysis of relationships of all websites to prevent sophisticated cybercrime, such as electronic money laundering or transaction laundering. Transaction laundering occurs when an undisclosed business uses an approved merchant's payment credentials to process payments for another undisclosed store selling unknown products and services.

This advanced online fraud scheme takes advantage of legitimate payment ecosystems by funneling unknown e-commerce transactions through legitimate merchant accounts. Valid websites act as payment processing storefronts for criminal enterprises selling firearms, illicit drugs, child pornography, and other illegal goods.

For merchants worried about credit card fraud and transaction laundering, a big data analysis system has the ability to detect hidden connections across online entities. The same tactics could apply to spam attacks, ransomware attacks, or any other unwanted activity. Comprehensive and continuous monitoring of big data can lead to insights on the identification and activities of bad actors hiding behind the scenes.

The inevitable changes to WHOIS exposes the real issue for companies that have relied on its service for so many decades. Although WHOIS has become a trusted online resource, it is not and has not been a complete, dynamic force fighting the ever-evolving world of cybercrime. The usefulness of WHOIS for data was already being called into question by the increased usage of masking services and incomplete or fake registration data. If cybercriminals are leveraging advanced technology, shouldn't we be doing the same to stop them?

These affected industries are now faced with the responsibility to share intelligence and pursue comprehensive solutions that keep pace with advanced technology while remaining compliant with newly enforced regulations.

For law enforcement and those concerned with the prevention of cyber fraud, understanding the WHOIS versus GDPR issue is crucial. These organizations will need to find new tools and practices that can replace or enhance the service WHOIS once provided.

Related Content:


Ron Teicher is the CEO and founder of EverCompliant. Ron has served as a CEO of EverCompliant since its inception. Before founding EverCompliant, Ron led the compliance initiatives at Sanctum and Watchfire (acquired by IBM). Watchfire's compliance product won SC Magazine's ... View Full Bio

Recommended Reading:

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
COVID-19: Latest Security News & Commentary
Dark Reading Staff 9/25/2020
9 Tips to Prepare for the Future of Cloud & Network Security
Kelly Sheridan, Staff Editor, Dark Reading,  9/28/2020
Attacker Dwell Time: Ransomware's Most Important Metric
Ricardo Villadiego, Founder and CEO of Lumu,  9/30/2020
Register for Dark Reading Newsletters
White Papers
Current Issue
Special Report: Computing's New Normal
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
How IT Security Organizations are Attacking the Cybersecurity Problem
How IT Security Organizations are Attacking the Cybersecurity Problem
The COVID-19 pandemic turned the world -- and enterprise computing -- on end. Here's a look at how cybersecurity teams are retrenching their defense strategies, rebuilding their teams, and selecting new technologies to stop the oncoming rise of online attacks.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2020-10-01
Upgrading Crowd via XML Data Transfer can reactivate a disabled user from OpenLDAP. The affected versions are from before version 3.4.6 and from 3.5.0 before 3.5.1.
PUBLISHED: 2020-10-01
The hyperlinks functionality in atlaskit/editor-core in before version 113.1.5 allows remote attackers to inject arbitrary HTML or JavaScript via a Cross-Site Scripting (XSS) vulnerability in link targets.
PUBLISHED: 2020-09-30
An issue was discovered in MantisBT before 2.24.3. When editing an Issue in a Project where a Custom Field with a crafted Regular Expression property is used, improper escaping of the corresponding form input's pattern attribute allows HTML injection and, if CSP settings permit, execution of arbitra...
PUBLISHED: 2020-09-30
An issue was discovered in file_download.php in MantisBT before 2.24.3. Users without access to view private issue notes are able to download the (supposedly private) attachments linked to these notes by accessing the corresponding file download URL directly.
PUBLISHED: 2020-09-30
An issue was discovered in MantisBT before 2.24.3. Improper escaping of a custom field's name allows an attacker to inject HTML and, if CSP settings permit, achieve execution of arbitrary JavaScript when attempting to update said custom field via bug_actiongroup_page.php.