Rate Limiting: The approach to authentication recommended by the Italian Supervisory Authority


Data security is today of indispensable importance, both to protect the fundamental rights and freedoms of individuals and from a business perspective: it is a real asset, capable of catalyzing a data-driven approach to the production of goods and services.

There is nothing absolute about the concept of corporate security; its relative and evolving nature is well known to security experts, and it is demonstrated by the continuous attention the Italian legislature is dedicating to the subject, such as the forthcoming establishment of the Agency for National Cybersecurity (ACN) and the issuing of the legislative framework on the so-called Cybersecurity Perimeter.


The case of the restricted traffic area in Rome: a precedent to remember

In December 2018, a report by the Italian Data Protection Authority and persistent press coverage revealed that permits for accessing and parking in the restricted traffic zones (“ZTL”) of Rome, which had to be displayed on vehicles, bore a QR code on the front; anyone with a generic smartphone application capable of decoding it could access personal data relating to the holder of the ZTL permit. [1]

In addition, the ZTL permit verification service was exposed on a public network, making it possible to access, accidentally or unlawfully, the personal data processed there.
In this regard, on 11 February 2021, the Italian Data Protection Authority (Autorità Garante per la Protezione dei Dati Personali), with injunction order no. 9562852, imposed corrective measures to ensure, among other things, the “ability to effectively counter brute force attacks on the online authentication system, including by introducing limitations on the number of unsuccessful authentication attempts” [2], or rate limiting. The foregoing confirms the importance of compliance with EU legislation and, specifically, with Article 32 of Regulation (EU) 2016/679 (the GDPR), entitled “Security of processing”, which expressly provides that the Data Controller, in light of the principle of accountability and following a risk-based approach, shall implement appropriate technical and organizational security measures to minimize the risk associated with the processing of personal data. Failing to implement such measures may result in injunctions against the Data Controller and the relevant sanctions.


Rate Limiting: a necessary in-depth analysis

Rate limiting is a technical security measure that limits the number of unsuccessful authentication attempts accepted within a given period of time, and provides effective protection against denial-of-service (DDoS) attacks, brute-force password attempts and other illegitimate behavior. Implementing this measure therefore gives the user a set of defenses against attacks by crackers and bots and against related unlawful conduct.

The Italian Supervisory Authority, through the provision contained in the above injunction, adopts the compliance approach stated by Article 25 GDPR: in accordance with the principle of privacy by design, and especially during the design phase of an application, the Data Controller must take into account any threats that may impact the rights and freedoms of the so-called data subjects, implementing technical and organizational security measures aimed at mitigating those threats.

As regards the threats that can arise from the exploitation of vulnerabilities in the authentication process, the Supervisory Authority recommended that rate limiting be considered.

Therefore, adopting an analogical approach, every application or system that processes personal data should limit or slow down the availability of the login procedure if an abnormal number of unsuccessful login attempts is made within a relatively short period of time, temporarily blocking logins for the account under attack.

The application could also provide for an increase in the blocking time if new unsuccessful access attempts are made after the account has been unlocked, preferably for no more than a couple of hours, in order not to prevent access to the service.

In certain specific circumstances, a rate limiting system keyed on the IP address or on IP address ranges may also be considered, so that the measure is applied at the infrastructure level and not merely at the application level.
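The policy sketched in the preceding paragraphs (count failed logins per account within a short window, lock the account temporarily, lengthen the lockout on repeated abuse up to a cap of about two hours, and additionally limit by IP address range) can be implemented in a few dozen lines. The following Python limiter is an added illustration and is not code from the article or from the Authority's order; the concrete thresholds (a 5-minute window, 5 failures per account, 20 failures per address range, a 60-second first lockout) are assumptions chosen for the example, since the injunction fixes no numbers.

```python
import ipaddress
import time
from collections import defaultdict, deque

# Policy values below are assumptions for illustration, not figures from the order.
WINDOW_SECONDS = 300          # "relatively short period" over which failures are counted
MAX_FAILURES = 5              # failures per account within the window before a lockout
MAX_IP_FAILURES = 20          # failures per address range within the window
BASE_LOCK_SECONDS = 60        # duration of the first lockout
MAX_LOCK_SECONDS = 2 * 3600   # cap: "no more than a couple of hours"


class LoginRateLimiter:
    """Per-account and per-IP-range limiter with escalating, capped lockouts."""

    def __init__(self, clock=time.monotonic):
        self.clock = clock                        # injectable clock for testing
        self.failures = defaultdict(deque)        # account -> timestamps of recent failures
        self.ip_failures = defaultdict(deque)     # address range -> timestamps of recent failures
        self.locked_until = {}                    # account -> time at which the lock expires
        self.lock_count = defaultdict(int)        # account -> number of lockouts so far

    @staticmethod
    def ip_range(ip):
        """Aggregate IPv4 by /24 and IPv6 by /64 so a "family" of addresses is counted together."""
        addr = ipaddress.ip_address(ip)
        prefix = 24 if addr.version == 4 else 64
        return str(ipaddress.ip_network(f"{addr}/{prefix}", strict=False))

    @staticmethod
    def lockout_seconds(prior_locks):
        """Escalate 60 s, 120 s, 240 s, ... and cap at MAX_LOCK_SECONDS."""
        return min(BASE_LOCK_SECONDS * (2 ** prior_locks), MAX_LOCK_SECONDS)

    def _prune(self, dq, now):
        while dq and now - dq[0] > WINDOW_SECONDS:
            dq.popleft()

    def allowed(self, account, ip):
        """Call before verifying credentials. Returns (allowed, reason)."""
        now = self.clock()
        until = self.locked_until.get(account)
        if until is not None and now < until:
            return False, "account_locked"
        rng = self.ip_range(ip)
        self._prune(self.ip_failures[rng], now)
        if len(self.ip_failures[rng]) >= MAX_IP_FAILURES:
            return False, "ip_range_limited"
        return True, "ok"

    def record_failure(self, account, ip):
        """Register a failed attempt; returns the lockout length if the account was just locked, else 0."""
        now = self.clock()
        self.ip_failures[self.ip_range(ip)].append(now)
        dq = self.failures[account]
        self._prune(dq, now)
        dq.append(now)
        if len(dq) >= MAX_FAILURES:
            duration = self.lockout_seconds(self.lock_count[account])
            self.lock_count[account] += 1
            self.locked_until[account] = now + duration
            dq.clear()
            return duration
        return 0

    def record_success(self, account):
        """A successful login clears the counters and the escalation history for that account."""
        self.failures.pop(account, None)
        self.locked_until.pop(account, None)
        self.lock_count.pop(account, None)


class FakeClock:
    """Controllable clock so the scenario below runs instantly and deterministically."""
    def __init__(self, t=0.0):
        self.t = t
    def __call__(self):
        return self.t
    def advance(self, seconds):
        self.t += seconds


def simulate():
    """Constructed scenario: a brute-force run against one account, then a spray from one /24."""
    clock = FakeClock()
    rl = LoginRateLimiter(clock)
    # 5 failures against "alice" from 203.0.113.10 trigger the first lockout.
    first_lock = 0
    for _ in range(MAX_FAILURES):
        first_lock = rl.record_failure("alice", "203.0.113.10")
    blocked = rl.allowed("alice", "203.0.113.10")[1]
    clock.advance(first_lock + 1)                       # wait out the lock
    after_unlock = rl.allowed("alice", "203.0.113.10")[0]
    # Attacker resumes from a neighbouring address: the second lockout is longer.
    second_lock = 0
    for _ in range(MAX_FAILURES):
        second_lock = rl.record_failure("alice", "203.0.113.11")
    # Spraying other accounts from the same /24 exhausts the per-range budget.
    for i in range(MAX_IP_FAILURES - 2 * MAX_FAILURES):
        rl.record_failure(f"bob{i}", "203.0.113.77")
    same_range = rl.allowed("carol", "203.0.113.200")[1]
    other_range = rl.allowed("carol", "198.51.100.5")[1]
    return {"first_lock": first_lock, "blocked": blocked, "after_unlock": after_unlock,
            "second_lock": second_lock, "same_range": same_range, "other_range": other_range}


if __name__ == "__main__":
    print(simulate())
```

`allowed` is consulted before the password check so that a locked account costs the server nothing, and failures are recorded after a rejected password; the IP-range counter keeps working even when the attacker rotates through addresses inside one block, which is the "structural" layer the text refers to.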

Rate limiting is considered sufficient to prevent an attacker with relatively limited resources from compromising an account.

In the “ZTL case” addressed above, implementing such a measure within the QR code verification application would have been sufficient to mitigate brute force attacks, and thus to ensure compliance both with the Authority’s approach to Article 25 GDPR and, more generally, with the principles stated by Regulation (EU) 2016/679.


Mitigating risks means protecting personal data and information

Organizations are responsible for adopting actions aimed at mitigating any risks inherent in the breach of authentication credentials and, therefore, the confidentiality of the processed data.

It is therefore not surprising that, in the area of security measures for access to online platforms, applications and services, alongside the preeminent EU legislation on the protection of personal data, the orientation of the Data Protection Authority also carries weight, as it proposes, among other measures, rate limiting solutions aimed at preventing unauthorized access and the resulting data breaches.

The current challenge in devising defensive strategies is that of having the technical expertise and knowledge of the legal background to avoid incurring penalties that could easily be avoided with proper foresight.


Notes:

[1] For the sake of clarity, see ZTL Rome, “data accessible to all”: Garante Privacy sanctions the Campidoglio – la Repubblica; Garante Privacy: sanction to Roma Capitale for ZTL | ForensicsGroup

[2] The full measure is accessible on the dedicated website Ordinanza di ingiunzione confronti di Roma Capitale – 11 February 2021… – Data Protection Authority