Hackers are effectively using fake 'emergency data requests' to steal ISP and telco customer data

In the United States, a court-issued warrant or subpoena is required to learn who owns a social networking account or which Internet addresses a specific mobile phone has used in the past. In an emergency, however, an Emergency Data Request (EDR) can be made, which skips the issuance of a warrant or subpoena. According to security expert Brian Krebs, there are cases where hackers have abused EDRs to obtain data fraudulently.

Hackers Gaining Power of Subpoena Via Fake “Emergency Data Requests” – Krebs on Security


Because an EDR is made when a threat to life or harm is imminent, the receiving company needs to respond as soon as possible. Hackers understand that companies have no quick and easy way to determine whether an EDR is legitimate, so they impersonate police or government agencies, submit EDRs, and obtain data fraudulently. A hacker needs only one police email address, while there are tens of thousands of police jurisdictions worldwide and about 18,000 in the United States alone. Unauthorized access also makes the problem difficult to deal with.

Security expert Nicholas Weaver of the University of California, Berkeley states that one of the major challenges in the fight against fraudulent EDRs is 'the lack of a global online identity concept.' Weaver's proposed solution is for the FBI to act as the sole identity provider for all state and local law enforcement agencies, but it would be difficult for the FBI to immediately determine whether a request from local police is genuine, and 'it doesn't always work'.

The FBI itself has also been used by hackers to send fake emails.

FBI is hacked and used to send fake emails by hackers --GIGAZINE

However, fraudulently obtaining information through EDRs is not common, because even within the criminal hacking community many people perceive it as 'too risky.'

in Security, Posted by logc_nt