We’ve all heard of the dark web, although few of us really know much about it. News reports tell us it’s where criminals buy and sell stolen personal information, such as credit card numbers, bank account passwords, even Social Security numbers.
No wonder credit monitoring companies have added “dark web monitoring” to their list of services. This fear of the unknown just might motivate people to pay $10 - $30 a month for identity theft protection.
But what can dark web monitoring really do for you?
Many people are making false assumptions about that, according to a new survey by the Consumer Federation of America (CFA). The survey found that:
- 36 percent of those who’d seen ads for dark web monitoring incorrectly believed identity theft services can remove their personal information from the dark web. (They can’t.)
- 37 percent mistakenly believe these services can prevent stolen information sold on the dark web from being used. (They can’t.)
The reality is: No one can erase the data that winds up in this underground cyber-marketplace or prevent it from being sold, exchanged or used.
“People are making assumptions that are natural, but incorrect,” said Susan Grant, CFA’s director of Consumer Protection and Privacy. “Dark web monitoring may be able to alert consumers that their stolen personal information is being offered for sale on the internet, but it can’t put the genie back in the bottle.”
The Consumer Federation of American wants companies that offer these services to do a better job explaining how they work and what they can — and cannot — do.
THE 411 ON DARK WEB MONITORING
The technology to scan the dark web was developed in 2006. The process, called “scraping,” allows a company to monitor hundreds of chat rooms, websites and peer-to-peer networks that deal with stolen personal identity information and download that data for analysis.
But here’s the part credit monitoring companies don’t tell you: Most of the stolen information being sold on the dark web is shielded from scraping software because it’s behind a paywall.
“There's no way a darknet scraper can find that data whatsoever. These services are completely useless, as far as what they do that for consumers,” said cybersecurity consultant Brett Johnson, a former cybercriminal who helped build the first criminal online marketplace.
Wonder if your information is on the dark web?
“It is,” Johnson said. “There's no need for an individual to pay for dark web monitoring to learn that.”
Dark web monitoring may be able to alert consumers that their stolen personal information is being offered for sale on the internet, but it can’t put the genie back in the bottle.
Susan Grant, Consumer Federation of America
IS THERE ANY VALUE TO DARK WEB MONITORING?
Neal O’Farrell, executive director of the Identify Theft Council, is a long-time critic of credit monitoring services. He calls dark web scanning “a smoke and mirrors deal” that was created by credit monitoring services to justify their monthly fee.
“They keep adding on these extra services that are truly valueless and don't go to the cause of the problem, which is vigilance, awareness, taking care of your own personal information, freezing your credit,” O’Farrell charged.
NBC News BETTER contacted two of the big players in this industry, Experian and Norton LifeLock. Executives from both companies insist their dark web monitoring is a valuable service because it tells people the specific types of personal information that’s circulating in the criminal marketplace — and how to respond to that.
“The fact that we give you step by step instructions about what you should do certainly does motivate the consumer to be more secure,” said Paige Hanson, Norton LifeLock’s Chief of Identity Education.
Dark web alerts can fight data breach fatigue, where people assume they can’t do anything to protect themselves, so they don’t, said Michael Bruemmer, Experian’s vice president of data breach resolution. “It’s that complacency that we’re trying to avoid.”
3 THINGS YOU CAN DO ON YOUR OWN
More than 14.7 billion records have been reported lost or stolen since 2013, according to the Breach Level Index, with 6.4 million more added to the list every day.
“With so much of your personal information already compromised, you need to be vigilant —always watching for warning signs of identity theft and doing things that make it more difficult for criminals to use the data they’ve stolen,” said Adam Levin, founder of CyberScout, which offers identity and data breach defense services. “You can’t simply rely on a monitoring service to do all the work for you.”
Here’s what you should be doing on your own:
Monitor your accounts
Check your credit card, bank and other financial accounts once a week or so to look for anything suspicious.
Supercharge your passwords
If they’re weak, create new ones — especially for your most sensitive accounts. And don’t use a password on more than one account. A free password generator and password manager can help make and store long, strong passwords.
Get a copy of your credit reports
You can get a free one from each of the big three credit reporting agencies — Experian, Equifax and TransUnion — every 12 months by going to AnnualCreditReport.com. (Note: You must provide your Social Security Number because that’s the way they locate your credit file.)
When you get the report, look for signs of possible fraud, such as: credit cards or bank accounts you never opened, a change of employer or home address that’s not right, or negative information, such as late payment notices, that are wrong.
Freeze your credit
By locking your credit file, you prevent criminals from using that information to open new accounts in your name.
“Financial identity theft is one of the most common forms of identity theft and a security freeze the single most meaningful thing you can do to protect your financial accounts,” said Eva Velasquez, president and CEO of the Identity Theft Resource Center.
More Free Resources:
- The Identity Theft Resource Center just launched a free service called Breach Clarity that can help you understand the type of information exposed in a specific breach and what actions you can take to deal with it.
- Experian offers the Dark Web Triple Scan. You can use it for free, but Experian will try to get you to upgrade to its paid service.
- The website HaveIBeenPwned.com lets you check to see if one of your accounts has been compromised in a breach by simply providing your email address.