What is the dark web?
The dark web is a portion of the internet that isn’t visible to search engines and requires the use of an anonymizing browser called Tor to be accessed.
Most of the internet you use is called the surface web or clear web. These are indexed and generally easy to find public facing websites.
The deep web is internet content that is hidden behind some kind of authentication mechanism and not indexed. This could be medical records, fee based content, membership websites, web based email, and confidential corporate web pages.
Why should I be concerned?
There are some good use cases and many bad (as in illegal or nefarious) uses for the dark web.
Let’s start with the good. Anonymous and hidden web content can be good for free speech for people like journalists who live in countries that monitor web traffic. Countries like China openly spy on internet usage by their citizens. VPNs and Tor anonymizing browsers can help get news stories out to the rest of the world in a covert manner.
Now for the bad. The dark web is great for hiding illegal activities. Nearly anything can be bought or sold on the dark web. You can use your imagination for the types of merchandise or services that are available. What I want to focus on for this blog post is personally identifiable information (PII). Names, addresses, email addresses, social security numbers, credit card numbers, etc.
What tools are available for me?
There are commercially available products that I generally do not recommend. These are often pitched as “dark web monitoring” services. The problem is dark web monitoring is only as good as the data the monitoring service knows about. This is a problem for the dark web as it is designed to not be indexed, monitored, or discovered. What might be worth it for you is any legal services or other help they may provide in the event your identity is taken and used. This is more like headache insurance. Dark web monitoring is a detective control, not a preventative one.
In place of paying somebody to look for your data, I suggest looking yourself and doing better at protecting your accounts. Haveibeenpwned.com is a website anybody can use to look to see if their email address is associated with a breach. Another good website for this is dehashed.com. These websites compile and index data from known breaches and allow you to parse to see what’s been exposed.
What does Tyler recommend?
If credit or identity theft is of concern, you can lock your credit with the 3 major credit bureaus. This will create some extra hoops to jump through when applying for a loan or credit card, but it is a good preventative control to prevent unauthorized credit accounts being taken up in your name.
Your password hygiene is very important. I highly recommend using a password manager such as BitWarden, LastPass, 1Password, etc. Do your research and pick a good one that fits you and your family’s needs. Many of these password managers include features to search and see if your chosen password has been compromised. This will help any password reuse issues that may occur.
Turn on Multi-Factor Authentication anywhere you can! This defeats an attacker many times because they might know your password, what they don’t have is the thing you have that lets you in. Many times, these are tokens like physical RSA tokens or apps on your phone like Microsoft Authenticator or Google Authenticator. I love my Yubikeys and the added security they provide. Another factor could be “something you are” such as a finger print, retina scan, facial scan, or palm scan. I know some of the authenticator apps use face ID to unlock the authenticator app effectively giving you tri-factor authentication for the service you’re trying to authenticate to. That would mean an attacker would need your username/password (something you know), your face (something you are), and the token generating app (something you have). I will add that SMS text message can be something you have as well. If that’s the only option available, use it as it’s better than nothing, but a token is much more secure. SMS is attackable with SIM exploits for the cell phone network.
If privacy is of concern, there are paid VPN services that can help while you’re on a public network or if you don’t want your ISP being aware of your activities. NordVPN, ExpressVPN, and SurfShark are some example services. A VPN works by encrypting your traffic so that anybody who might intercept it wouldn’t be aware of what it is you’re doing.
As far as social media, be careful about what information you share. A silly quiz might be providing answers to your accounts challenge questions!
Protecting your banking information is a bit more difficult. You have debit and credit cards that you use for merchants all over the place. One idea I have is pretty simple: use cash. This has an added benefit of being more profitable for the merchant as they don’t have to pay credit card processing fees. Another idea is if you’re paying for goods or services and you don’t trust the merchant is to use a gift card. This will limit any debits to that card to the amount that is on the gift card. If you carry debit or credit cards around, I recommend a wallet that blocks RFID. Another option is to use Apple or Google Wallet to virtually store your cards and limit what you carry on you personally as a physical card. Lastly, credit cards generally offer more protection from fraud than debit cards do. When travelling or using unfamiliar merchants, a credit card might be the better choice in the event you need to dispute a charge. If travelling to an area with increased crime, it might be a good idea to carry a burner wallet. Put a gift card and a small amount of cash in a separate wallet. This way if you are robbed, you give the robber your burner wallet with a small gift card and amount of cash and not access to your bank linked debit and credit cards.
If keeping your email address private is a concern of yours, Apple has released a feature that allows for the anonymizing of your email address. There are other services available that provide burner email addresses. They will create a throw away email address at the time of account sign up. This will keep your real email address out of any breach data in the event the service you are signing up for is compromised.
The dark web is nothing to be scared of if you manage your credentials and identity data in a secure manner. To be honest, I don’t hunt around on the dark web. There is nothing there for me. There’s enough trouble out there for me to not even want to be considered being associated with dark web activities. I’m not one to push buttons, boundaries, or take unnecessary risks. Even out of curiosity. I’ve heard of stories like Kevin Mitnick who went to jail for many years for education curiousity.
Don’t reuse passwords, turn on multifactor authentication, and be careful what you trust on the internet.
Stay safe out there, my friends!