5

Prompted by this question. My take is that the security companies and banks that offer identity protection services use the phrase "dark web" as a scare tactic to get you to subscribe. And then when they say they don't find your info in the dark web, you are safe. My guess is that most if not all dark web sites don't even allow anyone to scrape for info. "Legitimate" users of dark web sites will have exclusive access to the data store there.

Do these security companies provide any value by "searching" the dark web?

Les
  • 443
  • 3
  • 9
  • What if they find something? They certainly can't just remove it, nor prevent it. How is that any *protection*? – Esa Jokinen May 17 '19 at 17:55
  • @EsaJokinen - the "protection" is that you now know your info is compromised and can take appropriate steps (i.e. alert credit bureaus, get a new credit card, whatever). A service *not* finding your info is no guarantee that you are safe, but a service that *does* find your info means you're definitely not safe. – dwizum May 17 '19 at 17:59
  • When it comes to credit cards, you can only know your information is there once you have bought it. If it was just a free database, no-one would take the risk from stealing the credit card numbers in the first place, without any profit. – Esa Jokinen May 17 '19 at 18:03
  • I can't really answer this question from a consumer perspective, but as someone who works in a financial institution, I can tell you that while there is a lot of white noise in the form of outdated info, missing or miscategorized data, etc. - we do find at least some value in the corporate versions of these services in terms of identifying customers of ours who have been subject to fraud or identity theft, and then taking action (placing fraud blocks on cards, reaching out to customers, etc). – dwizum May 17 '19 at 18:03
  • Or maybe they are actually buying the information, funding the industry. Sounds a bit ironic. – Esa Jokinen May 17 '19 at 18:05
  • 3
    A lot of this is just buzz words and marketing: https://www.troyhunt.com/making-light-of-the-dark-web-and-debunking-the-fud/ – AndrolGenhald May 17 '19 at 18:39
  • Hackers who sell or trade stolen information do so over IRC, email, etc. Not "dark web" sites. – forest May 17 '19 at 18:52
  • Dark web search aside, I can answer that question for you. If you're an American adult, your information is out there. Looking at the major breaches over the past five years, there's just no way it isn't. One popular infosec mantra is "Assume breach." This is true individually for your PII as well. – Xander May 17 '19 at 19:09

2 Answers2

6

This borders on being a scam. The "dark web" does not contain what people think it does, and it is not vast or all-encompassing. Hackers do not just randomly put stolen information on the dark web, and the overwhelming majority of underground transactions involving stolen data do not occur on it. What these companies actually do is scan public databases such as public leaks and Pastebin posts for certain keywords, and alert you if any are found. They use the term "dark web" for marketing reasons only.

Now, I'm not saying that these companies are completely useless or that they are never able to identify stolen information, but they do not do so by searching anything you would call the "dark web". In fact, it is so much of a buzzword that what they are doing now is no different from what they were doing before the term became well-known and before it became entwined with so much mysticism and FUD.

Xander
  • 35,525
  • 27
  • 113
  • 141
forest
  • 64,616
  • 20
  • 206
  • 257
  • 1
    Not to mention a lot of these services actually plug your personally identifiable information into search engines and websites with search functions. Some of them actually provide threat actors your PII this way. – Mark Buffalo May 17 '19 at 19:27
  • @MarkBuffalo That's very true. And, of course, they need to have your information in their own database, and who knows how secure they are? Just look at Equifax. They were ostensibly there to protect people! – forest May 17 '19 at 19:28
1

There are security companies that are connecting to the Dark Web(TM) * and gathering intelligence; however, they generally won't find your personal information on a shelf in a box with your name on it. Intel gathering is limited to browsing the marketplaces looking for new malware kits, fresh bases for sale, chatter in forums, botnets for hire, etc.

As you surmised, bad guys don't let you search their databases of stolen cards by card number or cardholder name. They have no incentive to make it easy for someone to figure out that their data has been stolen, nor where it was stolen from.

The most these security companies could do for their consumers on a large scale would be to monitor for new bases that claim "freshly stolen from MegaCorp", and alert all their subscribers who shopped at MegaCorp before they publish a breach notification.

* Dark Web generally means .onion sites, or sites accessible via secret knocks and invitation only.

John Deters
  • 33,650
  • 3
  • 57
  • 110