The Netherlands is pioneering a new initiative to stem the tide of leaked and stolen login data. Right in the middle of the action against leaked login data are the Dutch Police, known locally as Politie NL. They're the main characters in this cyber-safety story. Alongside others, they're pioneering a groundbreaking initiative called "No More Leaks." This plan is a special partnership between the government and private companies. Its goal? To stop crooks from using stolen login details.
Politie NL is partnering with public-private partnerships (PPP) in this noble task of combating the misuse of compromised login information. Private companies such as Zalando, Wehkamp, Marktplaats, OneWelcome, KPN, and Tweakers have all agreed to take part.
No More Leaks has facilitators from the Trade Association in Thuiswinkel.org as well as a pair from the Ministry of Economic Affairs and Climate Policy in The National Cyber Security Incident Response Team for Digital Service Providers (CSIRT-DSP) and Digital Trust Center (DTC).
Companies catering to a large online user base often find themselves at the mercy of cybercriminals who exploit leaked login data to orchestrate account takeovers. This insidious practice not only undermines consumer trust but also inflicts significant financial losses on both businesses and individuals. Recognizing the urgency of the situation, the Cybercrime Unit of the Dutch Police champions No More Leaks, which steps in to mitigate these risks head-on.
The No More Leaks Modus Operandi
At its core, No More Leaks operates on a simple yet effective premise: the exchange of hashed datasets between law enforcement and participating companies. The police furnish lists of hashed login data obtained from seized devices during investigations or sourced from online platforms, including the dark web. These datasets, encrypted using the robust SHA256 hashing method, serve as a powerful tool for companies to fortify their login systems against fraudulent activities.
These organizations incorporate lists of hashed passwords into their internal databases and then modify their login systems accordingly. This allows them to compare every login attempt with the compiled roster of leaked login credentials.
How does the No More Leaks initiative work?
Adapting the login system to incorporate the hashed lists of leaked login data requires a thoughtful adjustment in the authentication process. After a user enters their email address and password, an additional layer of scrutiny, known as the "No More Leaks check," comes into play.
Here's how it works:
Initial Authentication: The system first verifies the entered login combination as usual.
No More Leaks Check: Upon successful validation, the system combines the entered email address and password into a single string. This string is then transformed into a hash using the SHA256 algorithm. The resulting hash is compared with the list of hashes provided by the Police. 2. a Hit Detection: If the calculated hash matches any entry in the Police hash list, it indicates that the login data is flagged as leaked. In such cases, users are informed about the insecure nature of their login credentials. They may receive a password reset link via email to set a new, secure password. 2. b No Hit Detected: Conversely if the calculated hash doesn't match any entry in the hash list, it suggests that the login data isn't identified as leaked. The login process proceeds without further intervention.
While these guidelines serve as recommendations, the implementation of No More Leaks empowers organizations to identify potentially compromised login data. How this information is used to prevent abuse is left to the discretion of individual entities. However, the overarching goal of No More Leaks remains steadfast: to reduce fraudulent activities and enhance online security.
Optimizing Security Through Data Specification
Ensuring the accurate calculation of hashes and achieving hits against the supplied hash list relies on paying close attention to data specifications. A thorough understanding of the dataset provided by the Police is crucial for effectively leveraging the No More Leaks framework and maximizing its effectiveness in safeguarding digital assets.
Frederiek Burlage, Account Manager, Public-Private Partnerships - Team Cybercrime Amsterdam notes, “Currently, we have more than a billion hashes of stolen credentials in our project covering a lot of countries in Europe (we focus now on companies with a European-based consumer group only).”
Why No More Leaks Operation is a Step in the Right Direction
No More Leaks is an operation of the Dutch Police focusing on partnerships with European consumer-focused companies. Through the sheer dedication of the officers, both individuals and businesses now enjoy a safer online experience.
This shows that by working together, we can make significant progress in fighting scams. Governments, law enforcement agencies, banks, registries, telecom companies, and others must come together to combat fraud effectively.
In today's interconnected world, the No More Leaks initiative illustrates the importance of teamwork in protecting digital spaces. By building stronger relationships between law enforcement and industry players, the initiative marks a new chapter of resilience and trust in online environments.
Residents of the Netherlands, and by extension those living in Europe, can find peace of mind knowing that Politie NL is diligently working around the clock to safeguard their login credentials. With a commitment to cybersecurity, the Dutch police leave no stone unturned in their mission to prevent unauthorized access to personal accounts. Gone are the days of worrying about leaked login details; Politie NL is dedicated to stemming the tide of stolen credentials and ensuring online safety for all. Rest assured, your online security is top of their priority.
Meet the No More Leaks team
Frederiek Burlage, Account Manager, Public-Private Partnerships - Team Cybercrime Amsterdam – Since 2013, Frederiek has been working in the field of combating cybercrime. Initially at the National High Tech Crime Unit, and since 2020, at the cybercrime team of her hometown, Amsterdam, to embark Public Private Partnerships. Frederiek studied criminology and graduated in 2020 with an Executive MSc in Cybersecurity (Governance). Frederiek thrives on the challenge of bridging diverse interests and perspectives, uniting stakeholders with varying agendas towards a common goal. Her passion lies in prevention and disruption projects, where she hopes to contribute to creating a safer (digital) society.
Ruben van Well, Account Manager, Public-Private Partnerships - Team Cybercrime Rotterdam – Ruben has been working for the Dutch National Police for over 22 years. He started patrolling the streets of Rotterdam and had a great variety of functions, from Riot police to assistant public prosecutor immigration and criminal law and from detective to account manager public-private partnership in the cybercrime unit of Rotterdam. Innovation has been a common thread throughout his career. Always looking for possibilities to make policework better, easier, and more fun. With an aim to boost safety & security and/or the service provided by the police. After guiding various experiments throughout the organization. He has recently found a passion for fighting cybercrime. As he states: “Cybercrime is the innovation of crime, you need to be very agile to fight it effectively. Luckily, I have an awesome team with a variety of specialists who all share a goal to fight impactful cybercrime to protect society against it.”
Comments