Author: Editor

Bad bots are getting worse – the complicated world of bot attacks and account takeover fraud

By Mélisande Mual – The Paypers

The global push for digitisation has created the perfect environment for fraudsters to operate on a large scale in three ways: firstly, with data breaches happening on a daily basis, there is no shortage of stolen credentials available for purchase. Secondly, the number of digital transactions is ever-increasing, causing financial institutions to process more and more transactions every day. Finally, technologies such as automation tools and bots have become cheaper and more widely available than ever before. Together, these phenomena make bot attacks increasingly cheap, scalable and dangerous.

Bot attacks (also known as botnet attacks or malicious bot attacks) happen when a cybercriminal uses a collection of devices over the internet to cause harm in various ways. These devices are often infected with malware that gives the attacker complete access to and control over the device, which the attacker then integrates into a botnet....


How to keep track of privacy during corona?

By Lex Keukens and Sander Tempel

On April 7, Minister De Jonge announced that the government wanted to use tracking apps (‘the App’) to fight the COVID-19 virus. In addition to tasks regularly carried out by the Dutch Municipal Health Services (GGD), the government wants the App to provide smart digital solutions for source and contact tracing.[1] This means that the App will need to process personal data, including data from which an individual’s health situation can be inferred.

Before focusing on the starting points which the App must meet according to the government, it must first be determined whether the General Data Protection Regulation (GDPR) applies to this form of data processing and, if so, whether there is a lawful basis for processing personal data.[2] After that we will focus on a number of critical comments in relation to data minimisation, protection and data storage. We conclude with some food for thought.

Starting points

In the...


SyRI legislation in violation of article 8 of the ECHR, but no exclusion of intrusive technology!

By Rob van den Hoven van Genderen

On 5 February 2020, the Court of The Hague ruled that the SyRI (System Risk Indication) legislation is contrary to the European Convention on Human Rights (ECHR).[1] This case was brought by a large number of civil society organizations against the State of the Netherlands’ use of SyRI to detect and combat fraud in a number of ‘risk areas’ with the help of data linking and analysis using algorithms. The court ruled that there was insufficient balance between the use of new technologies such as AI, data analysis, algorithms, deep learning or self-learning systems, and respect for private life as set out in article 8 of the ECHR. According to the court, there is also a risk of discrimination. The law is insufficiently transparent and verifiable and therefore unlawful.

Tijmen Wisman of the Civil Protection Platform says about the verdict: “We have been proved right...


The Legal Look – A spinning approach towards encryption

By Victor de Pous

If it is up to Justice and Security Minister Ferd Grapperhaus, technology companies must hand over a decryption key to law enforcement agencies if an investigating criminal judge so orders, for example in a case about transmitting child pornography via WhatsApp or Telegram, which use end-to-end encryption. The fierce discussions about government access to encrypted private communication versus privacy protection are old (originally called the “crypto wars”), but have now taken the Netherlands by surprise because the government, until recently, held on to its firm and settled encryption policy with the Leitmotiv: “Cryptography plays a key role in technical security in the digital domain.” Suddenly the wind blows from a diametrically opposite angle.

Regulating encryption with special legislation (or rather not) is a fine example of divided interests and opinions in the digital society and a lasting legal trend at the same time, just as changing fundamental...


It’s about time we stopped talking about security…

By Dennis de Geus - Capgemini

This may sound strange coming from someone who earns a living advising organizations on how to protect themselves from the evil threats in the digital world. So, before I’m either cast out by the cyber community or ruin my opportunities to help organizations in the future, let me clarify this a bit further.

Being nothing but a hygiene factor

Not a day goes by that we don’t read about another cyber attack in the news. This constant focus in the media is having its effect on awareness of the topic among the leadership of organizations. And the cyber industry is faring well with it. New players are entering the stage with clockwork precision and, if you want, you can visit another conference every week. And when I visit such a conference I tend to hear the same message: “We need to invest in cyber security to protect our digital...


If you’re relying on consent, you’re doing it wrong under the GDPR

By Arnoud Engelfriet

Ever since the GDPR went into effect, companies have worked hard to achieve compliance. However, one key mistake keeps popping up: asking consent as a legal basis for some processing of personal data. It is strange that companies would rely on this ground, because it has the strictest legal requirements and is the most difficult to work with. Yet the myth persists that you should seek consent. Please stop.

Consent is of course one of the ways to acquire a so-called ‘ground for processing’, a legal basis required by the GDPR. Without such a ground, any processing is unlawful. There are other grounds, notably the performance of an agreement and the legitimate interest, but those grounds have scary-sounding requirements like necessity or a balance of interests. Asking consent thus seems logical; you explain what you are going to do and you get a clear and voluntary “yes please”. Right?

Wrong....


PSD2: A Crucial Link in Building the New Digital Europe

View PDF: https://www.dcsp.nl/wp-content/uploads/2019/08/Delex-8949-DCSP-Magazine-01-2018-Edwin-van-Gorp-Chris-Barbiers.pdf

By Edwin van Gorp and Chris Barbiers

A lot of hard work is being done to launch the Payment Services Directive - Part 2. But why do we actually need PSD2? And what does this mean for the financial services market? Time to let go of the daily worries and details of PSD2 and to reflect on the larger context, the objectives of the European Commission (EC) and the emergence of the new financial Europe. PSD2, together with the GDPR, is a great piece of European politics. PSD2 is one of the pieces in the European Commission’s puzzle for the construction of a strong internal European market. The idea behind this plan is simple: if we remove barriers within Europe as far as possible, we create a strong internal trade market. As a result, Europe remains a strong player on the world stage, compared...


Technical and Organizational Controls in a Processor Agreement

View PDF: https://www.dcsp.nl/wp-content/uploads/2019/08/Delex-8949-DCSP-Magazine-01-2018-Marianne-Korpershoek.pdf

Technical and Organizational Controls in a Processor Agreement: How do you make them work?

By Marianne Korpershoek

When an organization outsources its processing of personal data, the GDPR requires the company to use only processors that can provide adequate guarantees for their security level. In itself, laying down the security requirements in a data processing agreement was a rule that was already covered by the old law, but the ‘guarantee’ requirement that an organization now has to meet is a big step further in assuring that the processor has actually implemented sufficient technical and organizational controls. This is especially relevant now that there are more and more providers of handy apps and cloud applications in which tasks are taken care of.

Consider, for example, an app for pre-employment checks, for video job applications, and so on. Can you still rely on the Guidelines on...


Talking with Jaya Baloo – Chief Information Security Officer KPN

View PDF: https://dcsp.nl/wp-content/uploads/2019/07/Delex-8949-DCSP-Magazine-01-2018-Jaya-Baloo.pdf

By Claudia Zuidema

Two months ago a Mr. Mao Zhang sent me an email. “This is your bad luck. I hacked your password ***** and I know all your secrets.” If I didn’t transfer 3000 bitcoins to Mr. Zhang within a week, he threatened to send all kinds of files and photos to my business relations.

When Jaya Baloo (https://jobs.kpn.com/vakgebied/security/jaya-baloo-en-de-eredivisie-van-cybersecurity/), KPN’s Chief Information Security Officer (CISO), states that cybersecurity is a daily issue, she’s right. I met with KPN’s leading lady of cybersecurity at the Security Operations Center (SOC) in Hilversum while she was in the middle of a Red Team meeting.

My first, slightly corny, question: you are a well-known CISO on the World’s Top 100 Chief Information Security Officers list; what’s your biggest professional challenge? ‘KPN is a very large company and that means that there are many challenges. We have to be...


PSD2 and the GDPR, a Happy Marriage or a Bad Partnership?

View PDF: https://dcsp.nl/wp-content/uploads/2019/07/Delex-8949-DCSP-Magazine-01-2018-Ady-van-Nieuwenhuizen.pdf

By Ady van Nieuwenhuizen

The Payment Services Directive 2 (PSD2) is a new European directive for payment services. The directive must ensure uniformity of payments within the European Union. The ultimate goal is to alleviate the concerns about the monopolistic position of banks and to ensure more competition and innovation. An additional goal is to remove the barriers for new entrants to the payment market.

In order to bring this uniformity of payments into reality, it is necessary, among other things, to make use of personal data. This unavoidable consequence can lead to clashes with the new privacy legislation, the General Data Protection Regulation (GDPR). All providers of payment services must not only comply with the GDPR, but in the future also with PSD2. This is why it is important that PSD2 is in tune with the GDPR.

By...
