How is Vietnamese data collected and used?
When he applied for a loan, although Minh Hui had no debt, he knew his personal information had been stolen, but could not identify the source.
For nearly a month, Minh Hui, a student at Ho Chi Minh City University, has received repeated demands for debt payments, although he and his family have never used the service. On the other end of the line, Hui was told that he owed a small amount, but the interest rate was so high that it could amount to tens of millions of dongs if it wasn’t paid off soon. If denied, the debt collector will provide proof of the dependents’ social security number, phone, email, and personal information along with a properly filed contract.
“That’s information I shared with a lot of services when I signed up, but I’ve certainly never used any other lending service,” he said. He suspects the information was archived during one of those times, then fell into the wrong hands and was used to lend money.
Do Hung (Vinh Phuc) has only been using the internet and smartphones for 5 years. She is not internet savvy, but also rarely uses online services that ask for personal information. But Huong said he likes to take part in promotions. “Whenever the store has an advertising program, I am willing to provide the requested information. Usually it’s just a phone number and address. But sometimes when you win, they will ask you to take a picture of the ID card,” Hung said.
Last month she called a 40-year-old woman from an unknown number and suspected she was involved in illegal activities. On the other end of the line, a law enforcement agency confirmed that her name and social security number were correct. “I was scared and did whatever they asked,” Hung said. “During one of the calls at the time, they asked for my account details. Luckily a relative of mine found out about it and assured me it was just a scam. Otherwise I would have given them all the money.”
Hui and Huong are two of the victims of past personal data breaches. In a report to the National Assembly Standing Committee on Aug. 10, Public Security Minister Tho Lam said more than two-thirds of Vietnam’s personal information is collected and disseminated online through various methods and levels of detail.
How is Vietnam data collected?
According to the Minister of Public Security, disclosure of personal information in the virtual space has become common and has become one of the problems related to information security and security. Today, the usual personal data is collected: demographic data (name, surname, gender, date of birth, address), CCD number, phone number, account number (including account balance). For some violations, the information shared includes family members, job titles, jobs, online accounts, and passwords.
The real reason for this situation is that users have no sense of protecting personal information, they have the mentality of “wanting to trade personal information, personal information for the convenience of technology”. This means that users publish a lot of information publicly on the Internet or share it at work without proper protection. Scam articles on social media like phone numbers for cars, motorcycles… still attract thousands of comments and many “innocent” people leave their phone numbers and addresses. Mine.
Speaking of practical reasons, Lam said that many companies currently collect personal information from customers for business purposes, but allow third parties to access it. Since these companies do not have strict regulations, user data is transferred and sold to many other countries. A clear example of this situation is when users who book plane tickets with applications that need some information immediately receive multiple calls and messages offering airport taxi services.
Additionally, law enforcement has documented several start-up companies in the past that specialize in illegal data collection for profit.
Aside from the above two reasons, lax security by service providers is one of the reasons why user data can be exposed. Most services such as finance, health, education, e-commerce, housing, social networking, etc. require users to enter identification information and phone numbers.
“There are still many systems that don’t care about security issues, so management is lax and there are many serious vulnerabilities,” said Nguyen Minh Duc, founder of security company Saidar. According to Di Duco, large service companies in Vietnam have recently invested more in protecting customer data and developing programs to detect and prevent cyberattacks. However, not all companies focus on this work.
Meanwhile, the user’s personal information such as phone number, email address, citizen identity… is mostly immutable data. So, if one of their subscription services is compromised, the information can be collected and entered into cyber criminals’ databases, shared and unrecovered.
Mr. Dukas emphasized that the situation of cyber attacks with sophisticated methods is increasing, but prevention is lagging behind in many authorities and organizations. “Another concern is the illegal transfer and sale of customer data,” Mr. Herzog said
Personal information is sold publicly
Before its closure earlier this year, Raidforum was selling dozens of articles featuring Vietnamese user credentials each year. Among them are the usual 17 GB of data, thousands of Vietnamese ID cards for $9,000, KYC (identity verification) for nearly two million cryptocurrency exchange users.
In 2019, the records of 50 million Vietnamese users were exposed by Facebook servers. To this day, this information is often shared, bought, and sold on hacker forums. In July, a hacker sold information panels, including school information and email, from 30 million Vietnamese. E-mail address, phone number, first name, last name, date of birth, school and address, employment… The hacker has confirmed that he intends to obtain this information from a large educational institution. Train station in Vietnam.
According to the announcement by the Ministry of Public Security, this agency found hundreds of people and organizations involved in the sale of personal information in the two years 2019-2020. The amount of data illegally collected, sold and accessed is nearly 1,300 GB, including a large amount of sensitive and internal information.
Ngo Minh Hieu, founder of the anti-phishing project, said that since the closure of data markets like Rideforum, traffickers are gradually switching to messaging platforms like Telegram for their anonymity and convenience. Here, in addition to large data sets, buyers and sellers can also exchange a number of smaller data sets from a few dozen to several hundred user data, but the information is more detailed.
This purchase is usually unconditional, that is, only a small amount of money, but anyone can have information about other people. For example, a record with a two-sided citizen ID photo was sold for only VND5,000. Vendors support the ability to purchase data by gender, services used, or data frequency.
“In some hacker communities, data is shared for free or sold at very low prices. In contrast, users can pay a hefty price if their data is leaked,” Mr Hugh said.
Hugh, who specialized in data theft and sales before becoming an advocate for victims of online fraud, says the overall effect is that calls, texts and emails can overwhelm consumers. letters. Furthermore, the bad guys can use additional information from the victim to enrich the data and create phishing scripts to perform additional attacks.
For example, if the attacker knows the user’s phone number, they can send threatening messages and make phone calls…to trick users into providing more information about their national ID and bank number…By fully utilizing an individual’s information, attackers can do this spend yourself. Sign up for telecom and financial services, borrow black credit and related SIM cards. The consequences that users can experience are loss of money on the account, harassment, defamation, financial neediness.
A representative of the anti-phishing project said that there are victims who, after using their personal information, ask for help because they are threatened with losing their job or because their loved ones will help them. Recently, a Ho Chi Minh victim said his information was used to obtain black loans. As a result of the disclosure of the workplace, the debt collection team emailed the company’s human resources department, requesting that the person be fired.
“Please minimize and always think before giving out any personal information. Because once information is posted online, it is very difficult to undo and control is not in the hands of the user.” – Recommended by Mr. Ngo Minh Hieu.
The Ministry of Public Security recommends the government to consult the Standing Committee of the National Assembly and the Politburo on the publication of the Personal Data Protection Law. “This is a fundamental decision to prevent and combat the currently increasing processing of commercial and personal data,” said the Minister of Public Security.
Graphic: It went in.