2023-09-01

Virtual Confidence

Information security is a matter of trust. That may sound strange, because you are used to the fact that in the digital world we have to distrust everything and everyone (we even use the term 'zero trust') and that we base our security on what can go wrong. But ultimately you have to rely on the people, procedures and products that together build your security. It is sad when that trust is betrayed.

If you use the internet, you don't want snoopers around. At home, most of us rely on our ISP to behave properly. When you are away from home, however, you suddenly have to deal with all kinds of other parties that offer you internet access: shops, restaurants, hotels, airports, you name it. You have no idea who is behind it and whether those parties can be trusted. Fortunately, there is a technical solution for this, called a VPN: Virtual Private Network. A VPN creates a secure 'tunnel' through which only your internet traffic passes – hence the name: it seems as if the internet has become a private network, just for you.

In effect, you are transferring your trust from the internet provider to the VPN provider. Without a VPN, the person who offers you access could watch; with a VPN, the VPN supplier could watch. Because the latter provides a security service, which you may even pay for, you trust that your internet traffic is in safe hands with them. Incidentally, you can usually choose to use your mobile data connection (4G/5G) instead of the WiFi of that restaurant or hotel. This summer, however, we went on a trip outside Europe. Internet via our SIM cards would have been costly and that is why we wanted to be able to make good use of free WiFi. That's why I took out a VPN subscription for all the devices we took with us. That worked perfectly: no noticeable delay and a safe feeling everywhere. My less technical family members did not notice anything and that is a good sign.

The trouble started when we got home. Two weeks ago I happened to notice that the VPN was off on my phone. Their app even claimed I didn't have a subscription. I checked it, just to be sure: I had really paid for two years. So I sent a message to the VPN supplier. Despite it being Sunday, a message quickly came back from the company: my subscription had been suspended due to suspicious behavior - their systems had detected that my account was being used for web scraping, which is against their terms of use. Web scraping is the automated ‘absorbing’ of websites in order to retrieve all the information there at once. This is interesting, for example, for a company that wants to know what its competitors are doing. And you may also collect information that is not actually intended for the public, such as a customer base.

I was quite angry about that response. They suspended me, a paying customer, without notice. Moreover, our devices were no longer protected and I didn't even know since when. And I was falsely accused. I asked for clarification and made it clear that I was not happy. This time the response didn't come until the next day, and it completely ignored my displeasure. They did not want to share more information about the incident, because that kind of information could benefit malicious parties. But they did give practical tips. My account password must have been leaked, they told me, and I was instructed to change my e-mail password as well. They also gave tips on strong passwords and how I could check if my credentials had been leaked (via haveibeenpwned.com, where I have been registered for years). But well, they had looked into my case once more and they were willing to restore my account.

In a new e-mail I once again told them that I did not understand why they had not informed me about the suspension. And that I understood that they couldn't share information, but that they should be able to see for themselves that I hadn't done anything wrong. And I also asked for compensation for the time they left us unprotected.

Again they kept me waiting for a full day. Then they were sorry I was dissatisfied, and thanked me for taking the time to provide feedback. They declined to share further information. My account was reactivated, but if this ever happens again, my account will be suspended forever, they threatened.

There are messages on Twitter from people with exactly the same story: after two months they were kicked out on suspicion of web scraping. Maybe this Panama company (that’s where NordVPN lives) should adjust their tools. In the meantime, my confidence in this security service has taken a big hit.

And in the big bad world…

This section contains a selection of news articles I came across in the past week. Because the original version of this blog post is aimed at readers in the Netherlands, it contains some links to articles in Dutch. Where no language is indicated, the article is in English.