The Leak Checker emerged from the research project EIDI ("Effective Information after Digital Identity Theft"), funded by the German Federal Ministry of Education and Research, and is operated by the start-up project "Identity Guard". The people behind it are three computer scientists from the University of Bonn - Timo Malderle, Pascua Theus and Prof. Michael Meier. They are receiving funding from the Startup-Transfer-NRW funding program to further develop the research results so that online services and companies can be offered ready-made products to protect against identity theft. For example, online stores can be protected from fraudsters who buy with stolen identity data.
The Uni-Bonn Leak-Checker uses a newly developed procedure that detects identity data leaks, evaluates them automatically and passes them on as a warning in accordance with data protection regulations. Especially the data protection and the information content are improved compared to other leak checkers: For example, with other providers you can enter any, even foreign, mail addresses and get the information about stolen account data displayed directly. This means that anyone can find out whose data has been leaked and which services this person is logged into. To prevent this from happening, the Leak Checker at the University of Bonn communicates directly with those affected by sending the result by e-mail to the checked e-mail address. "However, the user not only receives a reference to the provider with whom he or she has an account (for example, Twitter or Myspace), but is also shown fragments of his or her own leaked password," explains Timo Malderle, a scientist at the Institute for Computer Science at the University of Bonn and co-founder of Identity Guard. In this way, the user can remember the password in full, where he or she has used it, and then change it directly if it is still up to date.
Data is pseudonymized and encrypted
But it's not just the way in which the user is notified that creates pitfalls for the leak check. The procedure used by the scientists to analyze the data records must also comply with data protection requirements and master the difficulties of evaluation: In Bonn, the data is already pseudonymized and encrypted in a special procedure when it is read in. During analysis, the relevant characteristics, such as the password, the e-mail address, the user name or the date of birth, must be recognized and distinguished from one another. In the leaked data, however, both these identity features and the characters to separate them in a data row are not uniform. The Bonn researchers developed software for automated analysis to deal with this problem. "Personally, we don't even get to see which user makes a request to the leak checker," Malderle says in response. Everything from entering the mail address, pseudonymization, comparison with the leaked data record and the response to the user is done automatically.
The project at the University of Bonn uses only publicly available identity data leaks from the Internet or the so-called darknet, i.e. no leaks purchased by criminals. So far, the new software has been able to analyze around 25 billion data records, i.e. rows with matching identity characteristics - automatically and in compliance with data protection regulations. The team from the University of Bonn will also present these results at the renowned BSI Security Congress, where politicians and IT security experts will meet virtually in Bonn on February 2 and 3.
What can you do to protect yourself against Internet theft of personal data?
In Malderle's view, the most important measure is to protect one's e-mail account. After all, by resetting the password with other providers, it is possible to crack almost all other accounts via the e-mail address. When it comes to protection, "The longer and more complex the password, the better a user account is protected." A password should have at least 12 characters. However, 16 or more would be optimal. In addition, a so-called two-factor protection offers a significantly higher level of protection, for example, in addition to the password, the additional login with a one-time password or an SMS.
Moreover, it is much more secure to use a different password for each account. If the password is stolen from one service, then the other services where the same password is used are also immediately unprotected. So it is better to think twice if you really use the same password for different accounts. A password manager, which is also offered via the browser, can also help here in order not to lose track. "But you should never store your passwords digitally without encryption, i.e. on your computer or cell phone," says Malderle.
Further information on the Leak Checker of the University of Bonn: https://leakchecker.uni-bonn.de/
Information on the Identity Guard project: https://itsec.cs.uni-bonn.de/identity-guard/