I didn’t really know how to title this post, as the above seems almost too obvious. Unfortunately, I’ve found more and more private sector companies using random online services for customer verification and ‘OSINT’ work. I was finally prompted to write this after seeing a company upload a customer’s passport to Forensically (which is a fantastic site) and then a popular reverse image search site. I believe Forensically and the reverse image site are all above board, but I don’t know that, and neither did they when they uploaded the passport.
The issue isn’t just that this is happening, but that those I’ve spoken to just don’t understand why it’s an issue. This is even in the wake of GDPR (which you’ll be painfully aware of if you’re in Europe). What’s most confusing about all this is that those working in counter-fraud/customer verifications know how attractive photos of passports and the like are to criminals, but they don’t seem to make the connection between using random online services and the potential for criminality.
Since challenging a few companies, the two phrases I’ve heard on repeat are:
This might be true at 9am, but might have changed by 1030am – have you checked again? Each time you uploaded something? Really?
A random site on the internet has nothing to prevent them doing whatever they like, and changing what they do at will. What if your favourite reverse image search tool decided one day to start publishing all the pictures you’ve reverse searched somewhere? Would you know if it changed? Would your staff? What would you be able to do about it?
Similarly with tools that are all running ‘on page’ and not uploading the data to a server – would you know if that changed? It’s usually a single line of code to dump all of the results to a server somewhere.
Not to ramp up the scare tactics, but I’ve personally heard of a few people running sites with free services getting shady offers involving skimming data, and it only takes a few bad days to make those offers seem a lot more appealing. Obviously this can happen in any business context, but it’s far more likely if they’re not breaking any contracts.
How can I properly procure an online service?
The first step with using anything to process customer data is always to get straight on the phone to your legal department. There’s no substitute for proper legal advice, and with data being such a hot issue at the moment, it’s vital to stay on the right side of the law with it all.
As some more general guidelines for if you’ve not got a great legal department:
If you can’t get something that works completely offline (and make sure that it’s properly firewalled off), you need to get a proper, legally binding agreement. If you’re in Europe, for each service you use, you need a ‘data processor agreement’ (https://gdpr.eu/what-is-data-processing-agreement/) to achieve basic compliance. Even if you’re not based in Europe, you’re still going to run into trouble if you don’t have a similar sort of agreement in place. The agreement doesn’t need to be a 300 page tome – I’ve seen perfectly acceptable agreements on two sides of A4.
When dealing with any supplier, make sure to ask what happens with the data – do they store it? How long for? Do they have external auditing procedures? This all needs to be in writing. Often suppliers will have a boilerplate contract which won’t go into much detail – ignore these (or fill them out if you must) and send over a list of all your questions and write your own contract up. My advice is to make the questions as direct as possible and with as little wiggle room as possible. Don’t allow for responses like ‘we keep your data for as long as is reasonable’ – you want it in a numerical format. If they can’t give you an exact timeframe, write your own clause in – ‘as soon as possible, but always within x weeks/months’. Ideally, they shouldn’t store anything at all, but this somehow seems impossible for most services.
You also need to make sure that you’re notified of any changes to their service. This can be a tricky one to negotiate, as most companies will only really want to notify you of big updates or changes. Don’t settle for this – you need to be informed of any change to the live code base, and to have a designated point of contact to talk these changes through. You also need to be able to leave the contract if any of the changes aren’t to your liking.
I know this all sounds like common sense, but somehow the risks get forgotten somewhere down the line. In the last year or two – regardless of all the data leaks we’ve seen – some counter-fraud and verification teams are still using online services on faith alone. Check what you’re using, how you’re using it and if you have everything you need in place.