Dark Reading is part of the Informa Tech Division of Informa PLC
Ron Teicher

GDPR, WHOIS & the Impact on Merchant Risk Security Monitoring

The EU's General Data Protection Regulation will make it harder for law enforcement, forensic investigators, and others to track down everything from credit card fraud to child porn rings.

On May 25, the rock is set to meet the hard place — and what happens when the two clash is anyone's guess. That's the date that the EU's GDPR goes into effect — and when WHOIS, the domain information lookup service, may be forced to stop publishing data about the owners of websites that are owned or associated with persons in the European Union. As a result, law enforcement, forensic investigators, and others seeking to track down bad actors such as money launderers, hackers, and child pornographers will no longer be able to rely on what has been a default tool for such investigations.

The General Data Protection Regulation (GDPR) is the European Union's grand plan to preserve the privacy of individuals and businesses in Europe. An evolution of the Union's original 1995 Data Protection Directive, adopted at a time when the Internet was in its infancy, the GDPR aims to ensure that privacy remains intact despite new technologies.

Those technology changes include the emergence of big data, artificial intelligence, and machine learning — technologies that make it much easier to identify individuals or entities. Even if the data is anonymized, the enormous number of data points available makes identifying those individuals or entities a relatively simple matter. A prominent rule in GDPR is that data associated with EU "natural persons," or data that passes through EU-based servers, is subject to enhanced privacy rules.

What does this have to do with WHOIS? Simply, WHOIS — via its controlling organization, the Internet Corporation for Assigned Names and Numbers (ICANN) — publishes identification data for registered domain owners. If ICANN wants to do business with the EU, its "natural persons," or entities that store data on servers accessed from the EU, it can no longer do so without making major changes.

The problem here is that cybersecurity and anti-cybercrime organizations have built much of their investigation models on WHOIS data. There are many other paid services, as well as customized tools based on WHOIS data, that enable organizations to track down criminals, or even shut down their operations.

For example, an email address used in two seemingly unrelated domains can give insights into hidden connections and underlying transactions. Tools using information from the WHOIS database have been used to successfully track down everything from credit card fraud to child porn rings. Based on the current interpretation of how the GDPR privacy rules are to be applied, the services that allow law enforcement and security personnel to stop spam, malware, credit card fraud, child porn, and a host of other illegal activities will no longer be readily available.

ICANN has been trying, for at least a year, to work out a solution that complies with the GDPR yet still lets it provide information, especially for cybersecurity purposes. Some ideas have been proposed, but so far no solution acceptable to both sides has been developed. A proposed timeline sees ICANN coming up with a potential GDPR-approved solution in May 2019 — a year after the rules go into effect.

Whatever the solution, one thing is clear: organizations that depend on access to WHOIS data will have major challenges that will require either extensive bureaucracy or court orders and subpoenas to track down identity information on bad actors.

If using registration information is out of bounds, companies will have to dig deeper to track down hackers and cyber thieves. One way they can do that is via comprehensive, big data–based analysis of the relationships among all websites to prevent sophisticated cybercrime, such as electronic money laundering or transaction laundering. Transaction laundering occurs when an undisclosed business uses an approved merchant's payment credentials to process payments for another undisclosed store selling unknown products and services.

This advanced online fraud scheme takes advantage of legitimate payment ecosystems by funneling unknown e-commerce transactions through legitimate merchant accounts. Valid websites act as payment processing storefronts for criminal enterprises selling firearms, illicit drugs, child pornography, and other illegal goods.

For merchants worried about credit card fraud and transaction laundering, a big data analysis system can detect hidden connections across online entities. The same tactics could apply to spam attacks, ransomware attacks, or any other unwanted activity. Comprehensive and continuous monitoring of big data can lead to insights on the identification and activities of bad actors hiding behind the scenes.
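The registrant pivot described earlier (one email address tying together two seemingly unrelated domains) and the hidden-connection detection this paragraph calls for, as an added example that is not from the article or from EverCompliant. The WHOIS records, the privacy-proxy domain list, and the evidence weights are constructed assumptions; the point is that redacted or proxy values must never serve as a link, otherwise every post-GDPR record would appear related to every other.

```python
import re
from collections import defaultdict
from itertools import combinations
# Constructed sample WHOIS records (not real registrations); some fields are
# shown the way a registrar returns them after GDPR-style redaction.
RECORDS = {
    "shop-alpha.example":   {"email": "ops@mailhost.example", "phone": "+1.5550100", "ns": "ns1.host-a.example"},
    "gadgets-beta.example": {"email": "ops@mailhost.example", "phone": "+1.5550199", "ns": "ns1.host-b.example"},
    "pharma-gamma.example": {"email": "REDACTED FOR PRIVACY", "phone": "REDACTED FOR PRIVACY", "ns": "ns1.host-b.example"},
    "books-delta.example":  {"email": "abuse@privacy-proxy.example", "phone": "+1.5550150", "ns": "ns1.host-c.example"},
    "toys-epsilon.example": {"email": "abuse@privacy-proxy.example", "phone": "+1.5550177", "ns": "ns1.host-c.example"},
}
# Assumed weights: shared email is strong evidence, shared phone moderate,
# a shared nameserver weak (shared hosting ties unrelated customers together).
WEIGHTS = {"email": 3, "phone": 2, "ns": 1}
REDACTED = re.compile(r"redacted|not disclosed|data protected", re.I)
PROXY_DOMAINS = {"privacy-proxy.example"}  # assumed list of masking services

def linkable(field, value):
    """Only a value that identifies a registrant may serve as a pivot."""
    if not value or REDACTED.search(value):
        return False
    return not (field == "email" and value.split("@")[-1].lower() in PROXY_DOMAINS)

def shared_pivots(records):
    """Map each pair of domains to the linkable (field, value) pairs they share."""
    index = defaultdict(set)
    for domain, rec in records.items():
        for field, value in rec.items():
            if linkable(field, value):
                index[(field, value.lower())].add(domain)
    pairs = defaultdict(list)
    for (field, value), domains in index.items():
        for a, b in combinations(sorted(domains), 2):
            pairs[(a, b)].append((field, value))
    return dict(pairs)

def clusters(records, min_score=2):
    """Union domains whose pivot weight reaches min_score (a nameserver alone never does)."""
    parent = {d: d for d in records}
    def find(d):
        while parent[d] != d:
            d = parent[d]
        return d
    for (a, b), pivots in shared_pivots(records).items():
        if sum(WEIGHTS[f] for f, _ in pivots) >= min_score:
            parent[find(a)] = find(b)
    groups = defaultdict(set)
    for d in records:
        groups[find(d)].add(d)
    return sorted(sorted(g) for g in groups.values())
```

With the constructed records, only the two domains sharing a real registrant email are grouped; the redacted and proxy-masked domains stay isolated even though they share a nameserver, which is exactly the gap the article says investigators will face.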

The inevitable changes to WHOIS expose the real issue for companies that have relied on its service for so many decades. Although WHOIS has become a trusted online resource, it is not and has not been a complete, dynamic force fighting the ever-evolving world of cybercrime. The usefulness of WHOIS data was already being called into question by the increased usage of masking services and incomplete or fake registration data. If cybercriminals are leveraging advanced technology, shouldn't we be doing the same to stop them?

These affected industries are now faced with the responsibility to share intelligence and pursue comprehensive solutions that keep pace with advanced technology while remaining compliant with newly enforced regulations.

For law enforcement and those concerned with the prevention of cyber fraud, understanding the WHOIS versus GDPR issue is crucial. These organizations will need to find new tools and practices that can replace or enhance the service WHOIS once provided.

Ron Teicher is the CEO and founder of EverCompliant. Ron has served as CEO of EverCompliant since its inception. Before founding EverCompliant, Ron led the compliance initiatives at Sanctum and Watchfire (acquired by IBM). Watchfire's compliance product won SC Magazine's ...