back to article Crooks use fake emergency data requests to get personal info out of Big Tech – report

Cybercriminals have used fake emergency data requests (EDRs) to steal sensitive customer data from service providers and social media firms. At least one report suggests Apple, and Facebook's parent company Meta, were victims of this fraud. Both Apple and Meta handed over users' addresses, phone numbers, and IP addresses in …

  1. Paul Hovnanian Silver badge

    Certainly, officer

    We will call you right back with the requested information via land line at your publicly listed number.

    1. DS999 Silver badge

      Re: Certainly, officer

      From articles I read elsewhere it sounds like the EDR process for most companies is electronic not over the phone. So send an email, it is checked (probably via some automated script with a whitelist) to see if it is legit, and a reply is sent with the desired info.

      It sounds like in many of these cases, the cop email server was hacked, so the bad guys were able to send a request and intercept the reply.

      I guess what they need to do is set up a web portal using 2FA to make a request, and when the info is available the email will only say "requested info for EDR #0023 is available" and you need to login again with 2FA to retrieve it. And the second factor should not be SMS!

    2. iron Silver badge

      Re: Certainly, officer

      Give that a try in the UK, they don't have publicly listed numbers any more.

      There is a large Police station 5 minutes walk from me but if I want to talk to an officer, even if it isn't an emergency 999 type situation, I have to phone a national number where the call centre operator will not have a clue where I am, what I'm talking about or that there are officers just minutes away.

      1. MachDiamond Silver badge

        Re: Certainly, officer

        "Give that a try in the UK, they don't have publicly listed numbers any more."

        Well, it sounds like they need a publicly listed "business/non-emergency" line and a way to switch idiots who call the line with an emergency. What if a delivery driver is standing outside the building and the door is locked? It would be handy to have a number to call to say "I'm standing outside with your box of stuff, can somebody let me in?"

        Another alternative is a central clearing house so requests are going through some facility with a listed number and not originating from a non-listed facility.

        These requests should be so rare that some personal handling is not an issue. I ask my customers to call me (no text or email) if they have an immediate need. If I'm driving or doing something where I can't pull up a written message, at least they will know they've conveyed the information to me. I might be on holiday with no phone/comms.

        I'd think the holder of the data needs to cover their backside and make sure if they are divulging protected/sensitive data, that they've made sure they aren't going to be in called into court over violating data security laws.

        1. Flywheel
          Thumb Down

          Re: Certainly, officer

          Well, it sounds like they need a publicly listed "business/non-emergency" line

          I think you mean 101. Your call is important to us - hope you can wait 45 minutes for the next box-ticking agent to talk to you?

      2. TimMaher Silver badge
        FAIL

        Re: Public number

        Ours does.

        It is for our main police station, not the temporarily manned desk at the council office, but it does work.

        I have used it more than once for non-emergency conversations.

      3. Paul Hovnanian Silver badge

        Re: Certainly, officer

        "Give that a try in the UK, they don't have publicly listed numbers any more."

        0118 999 881 99 9119 7253

    3. PRR Bronze badge
      Big Brother

      Re: Certainly, officer

      > We will call you right back with the requested information via land line at your publicly listed number.

      Yesterday we saw a drunk(?) driver in a heavy truck weaving ALL over the main highway, from ditch to oncoming. My co-pilot got on her cell-phone and called the city police main number. 10 minutes of menu-hell. Chief? AssChief? Press officer? School liaison? And probably voice-mail boxes.

      She called 911 (our 999) and got someone kinda quick, but that's now a regional center who don't understand "Now passing Dunstall Diesel" or "Jordan's" (a notorious local hangout).

      There's 18,000 police departments in the United States. From 1-man forces to thousands of officers and as many non-officer clerks. No way to know who is legitimate, or if *this* request is really who it claims to be.

    4. Anonymous Coward
      Anonymous Coward

      Re: Certainly, officer

      For some departments that would work, but if the general idea is that this is an electronic process something different is called for. Good news: it's something we can do with today's technology.

      Require anyone wishing to issue EDRs to have a keypair, the public key published by the law enforcement organisation and the private key stored in an HSM accessible only to the chief and 2 assistants (or equivalent positions). If it's truly an emergency, there won't be any trouble getting one of the designated people to show up in person and authorise the signing of the EDR. This could even be done using 2-person control so that there are always (for larger law enforcement organisations, at least) at least 2 authorised officers on site to sign them. Received an EDR that's unsigned or wasn't signed by the requesting agency's private key? Disregard and report it to the misrepresented agency and a central clearinghouse. EDR issuance should also be audited annually or more often by a superior law enforcement agency and published openly; the HSM can be used to verify the reported data. Abuse or excessive use of this mechanism must result in dismissal and criminal penalties.

      Thing is, though, in most places it's possible for law enforcement officers to obtain a warrant at any time of day or night with little or no notice. It's unlikely that an EDR is going to be much faster than obtaining a proper warrant in the first place, especially since it relies on corporations notorious for providing no real support responding rapidly to an email. This should be a prove-it-or-lose-it situation: unless you can prove that the EDR process is definitely extending lives that could not have been extended through a lawful warrant process, you don't get to issue EDRs. Good luck with that. So the next obvious step is to combine EDR signing with warrant issuance: the judge holds the HSM.

      In the meantime I will continue not to share any useful personal information that is not already available in public records. These corporations have proven that they can't or won't protect it, so they don't get it. Anything law enforcement thinks they need to know about me, they are welcome to obtain from public records. Otherwise they can get a warrant.

  2. DS999 Silver badge

    What are these EDRs used for?

    I'd guess imminent threats of violence of suicide were the stated reasons for why you'd want to bypass judicial review. I sure hope there is judicial review after the fact to insure they aren't being misused as a way around normal procedure!

    1. cyberdemon Silver badge
      Holmes

      Re: What are these EDRs used for?

      Surely not! Our police are beacons of responsibility and professionalism. They would never, ever, abuse their warrant cards to, er, stalk, rape and murder someone.

  3. iron Silver badge
    Big Brother

    IP Address in an emergency?

    What kind of emergency situation that puts someone's safety at stake requires the Police to know their IP address? How will that help the person's safety?

    Sounds like another bullshit way for them to collect data without reasonable purpose or a warrant.

    1. Anonymous Coward
      Anonymous Coward

      Re: IP Address in an emergency?

      Yes. This is the kind of thing where enabling legislation must include a routine audit clause. Each year (or more often), all EDRs should be published openly along with their rationale and outcome, including a timeline. If the rationale doesn't stand up or there's no evidence that they're materially improving outcomes, they should be banned. Such a requirement will either encourage law enforcement to limit these requests to situations where they are truly necessary (likely a vanishingly small number) or expose abuses so the practice can be stopped.

    2. marcellothearcane

      Re: IP Address in an emergency?

      The request is probably something like "give me all the information you have on so-and-so, now" and IP addresses get carried along with that.

      In a genuine emergency, more data is probably better than not enough, especially as someone would have to sift through it to see what is relevant.

      1. Shalghar Bronze badge

        Re: IP Address in an emergency?

        "In a genuine emergency, more data is probably better than not enough, especially as someone would have to sift through it to see what is relevant."

        In a genuine emergency, getting flooded with irrelevant information and having to filter that heap of junk while the clock is ticking does not really help.

        After all those things are officially for time pressing emergencies where there is not enough time to care about the proper processes. Losing that little advantage to excessive flooding with spam, as the retainer of that info is likely to send all he has to comply with that EDR seems a bit contraproductive to me. So why those EDR do obviously not need to define the scope or targeted information is something i do not really understand. Add the fact that every company i know sorts any data they have in their own specific way and letting an outsider (officer) wade through that heap when searching for selected info seems even more inefficient.

        Imagine the following situation:

        "Hey farcebook, give me every info about mister culprit ASAP."

        "OK, here are 20 Terabytes with information. All family fotos, contact lists, likes and dislikes, visited forums and discussions, mothers blood type, grandfathers last will, every picture he has ever clicked......."

        Yes i exaggerate as the article rather unspecified speaks of personal information like adresses, but would any company really hold back on something if that EDR only has a "give me all you have" option ?

        Obviously, they dont...

    3. mark l 2 Silver badge

      Re: IP Address in an emergency?

      I can think of at least one emergency situation where someones IP/phone number would be needed ASAP so they can be located in the real world. And that would be if someone who posted on social media that they were about to take their own life or the life of others. Such as when those people post their manifesto online before they go off on a mass shooting or terrorist attack.

    4. MachDiamond Silver badge

      Re: IP Address in an emergency?

      "What kind of emergency situation that puts someone's safety at stake requires the Police to know their IP address?"

      If some sort of message has come in (bomb threat, etc) and all the filth have is an IP address to go on, it might be handy to backtrace that. It might also be useful to do the same thing in reverse if the perp is known and they need to find and monitor an IP address that they are using right at the moment.

  4. Anonymous Coward
    Anonymous Coward

    Meta

    Meat

    Your data is for general consumption…

  5. Kane Silver badge
    Boffin

    "stolen police email accounts"

    So, how does that work then? How is that even a thing?

  6. Mike 137 Silver badge

    "using stolen police email accounts"

    Sounds like there's some weak security and deficient monitoring somewhere, doesn't it?

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like