Your personal information is for sale on the dark web.
Don’t worry, I’ve got in mind that you don’t know what the “dark web” is, other than a scary name. I’ll tell you more down below.
I believe all articles about the dark web are required to use the above picture to convince you it’s pure evil. If I hadn’t chosen that picture, I would have been reprimanded by the Blogging Authority.
“Dark web monitoring” is the latest security feature being offered by Experian, Lifelock, and many other companies. They will scan the dark web and alert you if they find your personal information – name, email address, social security number, and the like.
Let’s jump right to the thrilling conclusion, then break this down into bite-sized pieces.
Is your personal information for sale on the dark web?
Is dark web monitoring worthwhile?
Well, sure, a bit. More information about the world’s shenanigans is always helpful. But the alerts usually don’t require much of a response, even if they’re presented with dire warnings of calamity if you don’t do something.
Credit agencies and others are pushing dark web scans to scare you into paying them a monthly fee. You might decide to pay them for useful services like credit monitoring, but don’t let dark web scans influence your decision very much.
There are some things you should do to keep yourself secure, but you should do them now, right now, today, not in response to some dark web alert:
- Use strong passwords.
- Use different passwords for every site. Never re-use a password! I can’t stress this enough.
- Start monitoring your credit file regularly.
What is the dark web?
You browse the Internet with Chrome or Firefox. The web you know is a brightly lit place with lots of fun places to visit.
The dark web is hidden from view. It’s the back room that you can’t get into unless you find the hidden door and you know the secret password. The dark web can only be reached with special programs, not Chrome and Firefox. It’s not indexed by Google. For much of it, you literally have to know secret passwords.
Let’s save time and assume that I’ve explained the dark web with two paragraphs full of semi-technical jargon that you skimmed but didn’t understand. Also assume that I used the word “onion.” It turns out you can’t describe the dark web without using the word “onion.” Trust me.
Once you’re on the dark web, it looks kind of like the Internet you’re familiar with – forums, news sites, publications, discussion groups. There’s a version of Facebook that can be reached anonymously on the dark web.
People hang out on the dark web to shield their identities and locations. Not everybody there is a bad guy. It’s used by journalists, whistle-blowers, and people living under repressive governments.
Mostly, though, it’s a collection of marketplaces for child pornography, illegal drugs, weapons, and especially stolen personal information.
Your personal information is being traded and sold constantly – and not just on the dark web
There is a glut of personal information available after breaches at hospitals, government agencies, and credit bureaus in the last few years. The data from massive hacks on big companies like Equifax and Yahoo is sold on the dark web. The cost to steal your identity is down to $30-$40. Information Week reports:
A “fullz” for a U.S. consumer contains a person’s full name, birth date, Social Security number, address, phone number, driver’s license number, and mother’s maiden name. For an extra $10 to $25, sellers will add an individual’s credit card data, bank account data, bank security questions and answers, employer, or other critical information.
Want to see something scary?
- Go to www.haveibeenpwned.com and type in your email address.
- Go ahead, it’s safe.
- Oh, no! Your personal information has been hacked!
- Chill out. Virtually every human being in the U.S. would get the same result.
While you’re on www.haveibeenpwned.com, scroll down to the list of hacked databases where your information appears. You might recognize some; you likely won’t recognize others. That’s because your personal information is also for sale by legitimate companies that accumulate and sell data in ways that are honest but hidden. If you knew much about them, veins would start pulsing in your temples. Facebook is the best-known data broker, but there are many other large companies unknown to you that are accumulating and selling data. From the New York Times: “American companies alone are expected to spend close to $20 billion by the end of 2018 to acquire and process consumer data, according to the Interactive Advertising Bureau.”
If your personal info is already on the dark web, why is it valuable to get notifications about it?
Now you’re starting to get it! Most of the stolen credentials that turn up in dark web scans have already been abused, used, and resold multiple times. I’ve seen too many breathless notifications recently about info found in hacks from six or eight years ago.
The companies monitoring the dark web cannot do anything to protect your information. More than a third of the people who saw ads for identity theft services misunderstood this, according to a survey by the Consumer Federation of America. The reality:
- Your information cannot be removed from the dark web.
- The monitoring companies cannot prevent your stolen information from being used.
Also, I hate to mention it, but the monitoring companies are only able to report on the tip of the personal data iceberg. They scrape the data dumps that are widely available on the dark web, typically the stolen account names and passwords from the massive hacks that are in the news – the same ones you can read about for free on www.haveibeenpwned.com. The limited scope of the monitoring companies’ scans was described this way by USA Today:
“What these services are offering to do is monitor the small portion of the dark web that are known as “bazaars” or “marketplaces” but only the ones that they know about. The real heavy criminal activity often exists in hidden and hard-to-join private networks in which users are extensively scrutinized before they’re allowed in. Most estimates are that commercial “dark web scan” services know only about your information in a small fraction of the actual underworld’s activity.”
What should you do if you’re notified that your info has turned up in a dark web scan?
The monitoring services will always advise you to “change your password.” It’s stock advice. They say it to everybody for every situation.
There’s a problem with that. When you’re told to “change your password,” your first instinct is to change the password for your mailbox – the place where your mail is stored, your Inbox and Sent Items. Your mailbox is only one of the dozens of places where you use your email address and a password to log in. You also use your email address as the login name for 25 or 50 or 100 other services. Your email address is probably the login name for Amazon, your bank, airlines, Uber, Apple, Google, Microsoft, Facebook, and a few dozen others that you don’t recall. If one of those is hacked, changing your mailbox password does nothing to protect you.
Here’s an example. Last week dark web scan notifications went out, saying that personal info had been found in a hacked database from “data enrichment company People Data Labs.”
There is nothing whatsoever that you should do about that. You don’t have an account with People Data Labs with a password to change. You don’t know who they are. (If you did, you wouldn’t like them and you wouldn’t invite them to your parties.)
More to the point, there were no passwords in the hacked database. The exposed information included names, email addresses, phone numbers, social media history, and job history data. No passwords.
When you get a dark web alert, take a minute to look at the details. Is this new information from a recent hack? Are you familiar with the company that was hacked? Were passwords exposed at all?
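The triage questions above (and the People Data Labs case before them) boil down to a few checks you can run on each alert. This is an added example, not code from the post or from any monitoring service: it takes alert records in the shape of haveibeenpwned.com breach entries (Name, BreachDate, DataClasses), with constructed site names and dates, and an assumed list of sites where you actually hold a login, and says what response the alert really calls for.

```python
from datetime import date

# Constructed alert records in the shape of haveibeenpwned.com breach entries;
# the site names and dates are made up for this example.
SAMPLE_ALERTS = [
    {"Name": "ExampleShop", "BreachDate": "2019-10-02",
     "DataClasses": ["Email addresses", "Passwords", "Names"]},
    {"Name": "OldForum", "BreachDate": "2012-03-15",
     "DataClasses": ["Email addresses", "Passwords", "Usernames"]},
    {"Name": "ExampleDataBroker", "BreachDate": "2019-10-16",
     "DataClasses": ["Email addresses", "Names", "Phone numbers",
                     "Job titles", "Social media profiles"]},
]

# Sites where you hold an account (assumed; normally this is your password manager's list).
MY_ACCOUNTS = {"exampleshop", "oldforum"}


def triage_alert(alert, my_accounts, today, stale_years=2, reuse_passwords=False):
    """Apply the post's questions to one alert: recent? my account? passwords exposed?"""
    breach_date = date.fromisoformat(alert["BreachDate"])
    age_years = (today - breach_date).days / 365.25
    has_password = any("password" in d.lower() for d in alert["DataClasses"])
    have_account = alert["Name"].lower() in my_accounts
    verdict = {"site": alert["Name"], "age_years": round(age_years, 1),
               "stale": age_years > stale_years,          # stale_years is an assumed cutoff
               "passwords_exposed": has_password, "have_account": have_account}
    if not has_password:
        # The People Data Labs case: names, emails, job history, but no credentials.
        verdict["action"] = "none: no password leaked; expect phishing that uses these details"
    elif not have_account:
        verdict["action"] = "none: no account there, so there is no password to change"
    elif reuse_passwords:
        # A reused password leaked anywhere is leaked everywhere it is reused.
        verdict["action"] = f"change {alert['Name']} password and every site sharing it"
    elif verdict["stale"]:
        verdict["action"] = f"confirm {alert['Name']} password was changed after {breach_date}"
    else:
        verdict["action"] = f"change {alert['Name']} password (not your mailbox password)"
    return verdict


def triage_all(alerts, my_accounts, today, **kw):
    return [triage_alert(a, my_accounts, today, **kw) for a in alerts]


if __name__ == "__main__":
    for v in triage_all(SAMPLE_ALERTS, MY_ACCOUNTS, date(2019, 11, 25)):
        print(v)
```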
Don’t ignore dark web scans. It helps to get reminders to be paranoid and have good password habits. But don’t get excited about them, don’t pay for them unless you’re also getting other valuable services, and keep perspective on whether any response is necessary.