Foreign companies can bypass Swedish Personal Data Act (PUL)

Yes I know, I’m here again complaining about the Swedish law protecting personal information, which has no teeth! Now it seems that there is another loophole in the law, following a new ruling that enables foreign companies to extract and use the PII of Swedish residents and citizens, in fact of any person associated with a Swedish ID number. Read more in this article, which is in Swedish, but I’ve done an English translation below.


In previous posts I’ve discussed the weaknesses in Swedish law pertaining to the protection of personal information. Basically there is a conflict between the PUL (Personal Data Act) and the Freedom of Expression Act, which presents a loophole for companies wanting to make money from PII. Both laws have good intentions, but the latter is being abused.


TRANSLATION
Foreign companies can bypass Personal Data Act (PUL)
Foreign companies can get information on Swedes that is denied to domestic companies with reference to the Personal Data Act (PUL). A judgment of the Supreme Administrative Court states that a Norwegian staffing agency is entitled to get information about all Swedish nurses from the National Board, despite the fact that the authority first denied the request because it would violate the PUL. But as the law is written, the information cannot be denied, because the PUL is not applicable abroad, reports P3 News. The ruling means that it is now free for foreign companies to request public documents from Swedish authorities, and that Swedish companies can open subsidiaries abroad in order to request information that way, says Dennis Töllborg, professor of jurisprudence.
– There is a remarkable gap in the law.

Swedish e-leg fiasco

Since the rather public display of identity fraud via Telia’s e-leg a couple of weeks ago, it is interesting to do some more digging, and what better place to start than with the Swedish e-leg? Apparently the architecture will be using SAML federation, i.e. the participating parties have a relationship in which they trust each other. Every ticket includes an identity (a SAML assertion) and it is digitally signed, but the signature is not embedded in the SAML assertion. The YouTube video below describes these specific inherent weaknesses in SAML, but clearly (and hopefully) those issues have now been fixed. However, according to the speaker (questions at the end) the signature standard in SAML is very complex, and there are not many who really understand it well enough to implement it properly. The main problem seems to be the way the signature is separate from the SAML assertion.

[youtube=http://youtu.be/RHIkb9yEV1k]

Even if the vulnerabilities mentioned from 2012 have been fixed, there are in any case potential integrity issues for customers with the Swedish e-leg implementation, namely: you can’t see what you are signing!

  • What you see in the web browser has a very weak connection to what you are signing. What this means is that your digital signature is not encapsulated with the text you are signing online, i.e. your signature and the text are not married. I could leave the rest to your imagination, but I’ll give you one risk just to start with: a Man-in-the-browser (MitB) trojan that changes the content in the browser.

What you do may not be exactly what you expect!

  • This is exactly it: the customer, well, that could be you, can potentially be ‘lured’ into signing something that you were not expecting to sign. It is likely that the e-leg service works so that the identification of a user leads to a legitimate transaction. However, this could be either a logon to a service or the digital signing of a transaction. There are other services available today that differentiate a signing transaction from a logon request. Swedish e-leg does not differentiate these two different transactions.

However, now the Myndigheten för samhällsskydd och beredskap (MSB) has published a summary report, “Analys av informationssäkerheten i Svensk e-legitimation” (link broken, 2015-05-21). The detailed report has been labelled as Secret. However, I guess that they are fixing all the potential security flaws, of which I have named just a couple above. The thing that still bothers me is that even in the recommendations they are still fixated on using SAML for the infrastructure. Funny that this report came out in the wake of the Telia e-leg identity fraud fiasco though 😉 Have fun reading!
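To make the two points above concrete (signature and text not “married”, and logon not distinguished from signing), here is an added example of my own; it is not code from the e-leg project or from the SAML standard. It contrasts a weak envelope, where the text shown to the user sits outside the signed part, with a bound envelope whose signature covers the intent (login vs. sign), the user and the exact text shown. HMAC-SHA256 with a constructed key stands in for the provider’s real asymmetric signature; the binding argument is the same either way. The user id and transaction texts are constructed sample values.

```python
"""Sign-what-you-see demo: a transaction envelope whose signature covers the
intent (login vs. sign), the user and the exact text shown, versus a weak
envelope where the shown text is carried outside the signed part."""
import hashlib
import hmac
import json

# Constructed demo key. HMAC stands in for the provider's asymmetric signature.
DEMO_KEY = b"constructed-demo-key-not-a-real-secret"


def _canonical(obj):
    """Deterministic bytes for signing/verifying a JSON-serialisable dict."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def _mac(key, data):
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def weak_sign(key, user_id, display_text):
    """Weak form: the signature covers only the identity assertion; the text
    the user saw travels alongside it but is not under the signature."""
    assertion = {"user": user_id}
    return {"assertion": assertion,
            "sig": _mac(key, _canonical(assertion)),
            "text": display_text}  # unsigned, so nobody can check it later


def weak_verify(key, envelope):
    """Checks only the assertion signature, so a rewritten 'text' still passes."""
    return hmac.compare_digest(_mac(key, _canonical(envelope["assertion"])),
                               envelope["sig"])


def bound_sign(key, intent, user_id, display_text):
    """Hardened form: intent, user and shown text are all inside the signed
    payload, so the signature and the text are 'married'."""
    payload = {"intent": intent, "user": user_id, "text": display_text}
    return {"payload": payload, "sig": _mac(key, _canonical(payload))}


def bound_verify(key, envelope, expected_intent, text_expected):
    """Returns (ok, reason). `text_expected` is what the relying party (or the
    user's trusted device) knows was shown for approval. Rejects a bad MAC, a
    login assertion presented as a signing act, and any text difference."""
    payload = envelope["payload"]
    if not hmac.compare_digest(_mac(key, _canonical(payload)), envelope["sig"]):
        return False, "signature does not match payload"
    if payload["intent"] != expected_intent:
        return False, "intent mismatch (login vs. sign)"
    if payload["text"] != text_expected:
        return False, "signed text differs from shown text"
    return True, "ok"


def demo():
    """Runs the MitB scenario against both forms and returns the outcomes."""
    shown = "Transfer 100 SEK to account 1234"      # constructed display text
    altered = "Transfer 10000 SEK to account 9999"  # what a MitB could substitute

    weak = weak_sign(DEMO_KEY, "user-0001", shown)
    weak["text"] = altered                  # unsigned text rewritten in transit
    weak_accepts_tamper = weak_verify(DEMO_KEY, weak)

    good = bound_sign(DEMO_KEY, "sign", "user-0001", shown)
    ok_honest, _ = bound_verify(DEMO_KEY, good, "sign", shown)
    ok_tampered, why_tampered = bound_verify(DEMO_KEY, good, "sign", altered)

    login = bound_sign(DEMO_KEY, "login", "user-0001", "Log in to service")
    ok_replay, why_replay = bound_verify(DEMO_KEY, login, "sign", "Log in to service")

    return {"weak_accepts_tamper": weak_accepts_tamper,
            "bound_honest": ok_honest,
            "bound_tampered": (ok_tampered, why_tampered),
            "bound_login_replayed_as_sign": (ok_replay, why_replay)}


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The weak form accepts the altered text because the verifier has nothing signed to compare it against; the bound form rejects both the altered text and a login assertion reused as a signature, which is the differentiation the post says Swedish e-leg lacks.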

Identity and Trust in a digital world

14:00 Future Trends and Innovation at the Nordic IT Security Conference on 5th November in Stockholm. This is what I am going to talk about…

“I dare to challenge: that what you state as your digital identity today, is not a digital identity at all! This is why information security programs do not work. Your so called ‘digital identity’ is the weakest link in the chain; in a verbose, connected and dynamic digital society. What’s more is that your digital identity can be stolen. Identity fraud is on the rise, even in Sweden. So how did we get into such a mess and what is the future for our digital identities?”

Let’s talk about merinfo.se too…..

Following up my previous posts on identity theft/fraud, I should give more credit to merinfo.se…….

Merinfo.se is probably one of the best websites for finding an all-round picture of an individual. Here you will find the first 6 digits of their personal number, which is their date of birth… but what’s new? Also where they live, the same as other websites. In addition, if you are lucky, there is a Google Maps picture of their home, and a list of the board positions they hold in companies, with a timeline for these relationships.

Surprise! 10 more years of PII exposure in Sweden….

It seems that many of the utgivningsbevis that were granted in 2004 are due to expire this year, in 2014, and in 2014 it is still legal in Sweden for those holding this exemption certificate to share your personal information if you are a Swedish resident and/or Swedish citizen…. here is information on this.

So how many companies have been granted an utgivningsbevis, and have the right to publish your personal information publicly? Well, 917 is what I found, and you do not have a legal leg to stand on to get your personal information removed.

This includes ratsit.se and birthday.se. Here you can type in the name of the target and search, bingo! Happy hunting!


How much do you earn?

I want to know how much you earn because you are applying for a job with my company and I want to check what your present employer thinks you are worth.


This is easy to do in Sweden, and you as the data subject have no idea that this has happened. It is possible for any person to go online and anonymously request your earnings for 2 completed tax years in Sweden at http://www.extrakoll.se/, and for the requester to get the information by SMS.

How you do this:

  1. Visit www.extrakoll.se and search for the name of the individual you are investigating;
  2. Then you will be requested to send an SMS to number 72323 with the word INKOMST+code and/or STORKOLL+code;
  3. You are given choices of payment methods, 20kr or 40kr, depending on which option you choose;
  4. The earnings for the targeted person for 2 of the previously reported tax years will be sent to your mobile telephone!

There is no way you can prevent others from requesting this information on yourself.

Nevertheless, it is against the EU Directive on Data Protection, because you, the data subject, are not informed that this information has been requested, and your Personal Identifying Information (PII) is in the public domain. I am sure identity thieves find extrakoll.se a useful tool for researching their victims. I just hope it’s not you!

naughty naughty HQ-bank for falsification of financial statements


So information security in financial reporting is unnecessary? So you think… I guess you’re not following the HQ-Bank saga in Sweden? Well, the stars of this saga are going to prison to pay for the falsification of financial information. It seems that even the KPMG auditor (Johan Dyrefors) approved the 2009 and 2010 accounts. Credit to KPMG that it didn’t get approved internally. Evidence of malpractice started in 2009. It seems that this was just the tip of the iceberg of accounting malpractice at HQ-Bank.

You know, information security is not purely about protecting the confidentiality of financial information; it is about protecting its integrity, ensuring absolute traceability back to the originating source, which is the identity, in whichever role they are acting, at the time financial records are submitted. The financial reports that are submitted should be digitally time-stamped and digitally signed to protect their integrity.

It is XBRL that gives transparency. XBRL gives a single language for all financial information from creation through to consumption. However, in order to enforce Accountability, Responsibility and Traceability (ART), i.e. quality and integrity in financial reporting, you need information security. You know, that deep cryptographic magic that tells you whether the financial information has been tampered with.
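What that “cryptographic magic” looks like in practice, as an added example of my own (not XBRL tooling, not anything from HQ-Bank or its auditors): an append-only log of report submissions where each entry records the submitting identity and role, a timestamp, a hash of the report content and a hash link to the previous entry, all under a signature. HMAC-SHA256 with a constructed key stands in for per-identity asymmetric signing keys, and the report texts, identities and timestamps are constructed sample values. Verification then detects both a rewritten report and a re-attributed submission, and says which entry broke.

```python
"""Signed, time-stamped, hash-chained submission log for financial reports,
so that later alteration of content or attribution is detectable."""
import copy
import hashlib
import hmac
import json

# Constructed demo key: stands in for the submitter's signing key.
DEMO_KEY = b"constructed-demo-key-not-a-real-secret"
GENESIS = "0" * 64  # previous-hash value for the first entry


def _canonical(obj):
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def _sha256(data):
    return hashlib.sha256(data).hexdigest()


def append_record(log, key, identity, role, report, submitted_at):
    """Append a signed, chained entry. `submitted_at` is an ISO-8601 UTC string
    supplied by the caller (a trusted time source in a real deployment)."""
    prev_hash = log[-1]["entry_hash"] if log else GENESIS
    body = {
        "seq": len(log),
        "identity": identity,            # who submitted
        "role": role,                    # in which role they acted
        "submitted_at": submitted_at,    # when
        "report_sha256": _sha256(report.encode()),  # what, by content hash
        "prev_hash": prev_hash,          # link to the previous entry
    }
    sig = hmac.new(key, _canonical(body), hashlib.sha256).hexdigest()
    entry = {"body": body, "sig": sig}
    entry["entry_hash"] = _sha256(_canonical({"body": body, "sig": sig}))
    log.append(entry)
    return entry


def verify_log(log, key, reports):
    """Walk the chain against the archived report texts.
    Returns (ok, first_bad_seq_or_None, reason)."""
    prev_hash = GENESIS
    for i, entry in enumerate(log):
        body = entry["body"]
        if body["seq"] != i or body["prev_hash"] != prev_hash:
            return False, i, "chain link broken"
        expected_sig = hmac.new(key, _canonical(body), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected_sig, entry["sig"]):
            return False, i, "signature invalid"
        if _sha256(_canonical({"body": body, "sig": entry["sig"]})) != entry["entry_hash"]:
            return False, i, "entry hash mismatch"
        if body["report_sha256"] != _sha256(reports[i].encode()):
            return False, i, "report content altered"
        prev_hash = entry["entry_hash"]
    return True, None, "ok"


def demo():
    """Builds a two-entry log and checks it clean, then under two tamperings."""
    reports = ["Q1 2009: revenue 100, trading result +5",     # constructed
               "Q2 2009: revenue 110, trading result -3"]     # constructed
    log = []
    append_record(log, DEMO_KEY, "cfo-01", "cfo", reports[0], "2009-04-30T12:00:00Z")
    append_record(log, DEMO_KEY, "auditor-01", "auditor", reports[1], "2009-07-31T12:00:00Z")
    clean = verify_log(log, DEMO_KEY, reports)

    # Tampering 1: the archived Q2 report text is rewritten after submission.
    altered_reports = [reports[0], "Q2 2009: revenue 110, trading result +30"]
    content_tamper = verify_log(log, DEMO_KEY, altered_reports)

    # Tampering 2: the log entry itself is edited to blame someone else.
    forged = copy.deepcopy(log)
    forged[0]["body"]["identity"] = "someone-else"
    attribution_tamper = verify_log(forged, DEMO_KEY, reports)

    return {"clean": clean,
            "content_tamper": content_tamper,
            "attribution_tamper": attribution_tamper}


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

Keeping the content hash rather than the report itself in the signed body is what lets the same chain cover XBRL instances or any other format; the chain link is what stops an entry being quietly deleted or reordered, and the signature is what ties each entry back to the identity and role that submitted it.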

Lars Berlöf is going to be talking about this at the Nordic IT Security Conference on 5th November; I may even keep him company on stage for a short time 😉 Lars knows about the challenges of transparency in financial reporting and is driven to enforce traceability, and hence legality, in all financial reporting, in Sweden and across the whole world!

Here is a taster of what we will be talking about……

[youtube=http://youtu.be/an1yIoby_pc]