By Clare O’Gara
Tue | Nov 12, 2019 | 6:30 AM PST

Chances are, you know someone who has spit into a vial to figure out where their ancestors are from.

The popularity of DNA testing services like Ancestry.com and 23andMe has increased exponentially in recent years.

And now, a growing number of people are taking their DNA test results to the next level.

Many are uploading them to companies that will help you learn more about your family tree, including distant family members you never knew you had.

Third-party site GEDmatch is a good example.

And according to recent research from the University of Washington, these types of sites come with privacy and security risks that could lead to major consequences:

"The team demonstrated multiple ways in which they could extract highly personal, potentially sensitive genetic information about individuals on the site—and use existing familial relationships to create false new ones by uploading fake profiles that indicate a genetic match where none exists."

The risks of using third-party DNA testing

The name of the new DNA research paper is a mouthful: "Genotype Extraction and False Relative Attacks: Security Risks to Third-Party Genetic Genealogy Services Beyond Identity Inference."

But what these University of Washington researchers uncovered is vital for improving cybersecurity and privacy protections in the growing DNA analysis market.

They wanted to see if an attacker could use GEDmatch to commit fraud by posing as someone's newfound relative based on information from the database.

What did they learn? It was remarkably easy.

The first step involved determining the complete DNA profile of their target.

"Based on the GEDmatch visualizations alone, they were able to recover just over 60% of the target profiles' data. Based on their knowledge of genetics, specifically the frequency with which possible DNA bases are found within the population at a specific position on the genome, they were able to determine another 30%. They then relied on a genetic technique known as imputation to fill in the rest."

The second step? Create false family members.

"Once they had constructed nearly the whole of a target's profile, the researchers used that information to create a false child for one of their targets.

When they ran the comparison between the target profile and the false child profile through the system, GEDmatch confirmed that the two were a match for a parent-child relationship."

Researchers labeled this a "False Relative Attack."

It could be lucrative for anyone using this method to "prove" they are your child or your spouse's child.

The researchers also noted that, while this is a multi-step process, exploiting the weakness is straightforward for anyone motivated to do so.

"To acquire a person's entire profile, they performed the comparisons between extraction and target profiles manually. They estimate the process took 10 minutes to complete—a daunting prospect, perhaps, if an adversary wanted to compare a much greater number of targets.

But if one were to write a script that automatically performs the comparisons? 'That would take 10 seconds,' said Peter Ney, who is the lead author of the paper."

How exploiting these DNA services can hurt more than the target

You may be thinking: sure, false identity attacks like these are scary, but I've never used GEDmatch. So this could never happen to me, right? That might not be the case.

Unfortunately, the risk associated with genetic genealogy services extends beyond direct users.

"GEDmatch contains the personal genetic information of a sufficient number and variety of people across the U.S. that, should someone gain illicit possession of the entire database, they could potentially link genetic information with identity for a large portion of the country."

And remember, when you give your DNA to these sites, they're comparing it to a massive database of other people who have participated.

"So whether or not you've uploaded your genetic information to GEDmatch, you might want to ask Uncle Phil for an additional form of identification before rushing to make up the guest bed."

Check out the complete paper here.

And an article from UW Allen School News about the research here.
