The dark web is gaining notice, on screen, in the news, and during every major data breach. That’s because the dark web is where data goes to be sliced, diced, and — most of all — sold.
Despite varying definitions, the dark web basically is content that’s available on the internet via layer upon layer of encryption that is aimed at making it nearly impossible to track and identify users.
Typically accessed by popular routing tools like Tor, the dark web is both a place for internet freedom ― for instance, among political activists ― and for matters dark and dirty.
Users of the dark web make up a wide stratum of humankind that span from researchers and law enforcement to child exploitation criminals and stolen information brokers.
“Users of the dark web make up a wide stratum of humankind that span from researchers and law enforcement to child exploitation criminals and stolen information brokers,” says John Buzzard, fraud specialist with CO-OP Financial Services in Rancho Cucamonga, CA.
For the latter, “the dark web is the getaway car and illicit flea market rolled into one,” Buzzard says.
As a marketplace, the dark web is easy to use, fast, and efficient, says Jim Stickley of Stickley on Security in San Diego, CA.
5 Security Controls With Great Impact
Rob Johnston, chief risk officer for banking and payments and head of enterprise risk programs at FIS, recommends financial institutions set up multiple layers of defense throughout their IT environment as well as provide security awareness training for all employees.
To implement a robust, layered defense program, a good place to start is with the FFIEC’s Cybersecurity Assessment Tool. Johnston also recommends checking out the 20 Critical Security Controls for Effective Cyber Defense, available for download from the Center for Internet Security.
SANS also offers the following list, which Johnston calls “a great starting point of the controls with the most impact.”
First Five Quick Wins:
The use of standard, secure system configurations.
Patch application software within 48 hours.
Patch system software within 48 hours.
Reduce the number of users with administrative privileges.
“The FFIEC Cybersecurity Assessment Tool and the 20 Critical Security Controls for Effective Cyber Defense are great places to start for credit unions wanting to protect themselves from major cybersecurity threats in 2017,” Johnston says.
“There are many websites on the dark web that have a similar feel to Amazon,” he says. “You can compare prices, read reviews, see pictures and examples, and even place items in your cart for purchase. [It’s] quick, simple, and low-risk.”
The Tip Of The Iceberg
Most of the data on the internet could be considered part of the dark web.
The term ― often used interchangeably with “dark net” ― can apply to anything that isn’t found or directly accessed via surface search engines such as Google and Yahoo, or in the deep web, accessible by traditional registration and login.
“The websites we browse each day make up only a small percentage of the internet,” says Katie Toren, director of marketing at Owl Cybersecurity in Denver, CO, which specializes in indexing dark net data for clients in multiple industries, including financial services. “Beyond the surface web, the majority of online content is found in the deep web on the dark net.”
Toren says business-relevant data her firm typically sees on the dark net includes personally identifiable information, stolen credit cards, protected health information, leaked company financials, other proprietary corporate information, counterfeit documents, and chatter about attacks, breaches, viruses, and other malware.
Credit Union Data In The Dark Web
“We’ve observed credentials for online credit union and bank accounts in dark web marketplaces,” says David Shear, security researcher with SecureWorks, an Atlanta-based cybersecurity company.
He says the data shows up in public posts on dark web marketplaces as well as in payment card shops, those underground sites that sell stolen credit and debit card credentials.
Indeed, card data is widely available in the dark web, the experts say, and it’s often for sale to the highest bidder.
Criminal organizations are using the dark web to sell credit union account information.
Jack Lynch, chief risk officer at PSCU in St. Petersburg, FL, says auction sites allow bidding on card accounts, card BIN ranges, and entire programs. EMV-enabled cards now go for less than mag stripes — meaning risk rises as EMV adoption grows — and higher-limit cards attract higher bids.
And credit unions are not immune.
“Criminal organizations are using the dark web to sell credit union account information,” Lynch says.
Hacker groups also use this netherworld to share information such as attack codes and what works against a specific target.
“These are not just individuals sitting in their basements on a computer,” Lynch says. “These are large criminal organizations run like standard businesses in various parts of the world.”
The best candidates for your cybersecurity needs are a click away. Begin your search with the Callahan & Associates online Buyer's Guide.
Indeed, dealing with the dark web is not for beginners. Although it’s not particularly difficult to access, the pitfalls are plenty. Fraudsters set traps to use stolen credentials against the unaware. And there’s the deliberately complicated nature of the dark web itself.
“The dark web is not for amateurs,” says Buzzard, the CO-OP fraud specialist.
What’s Ahead In 2017?
The dark web is a depository and marketplace for stolen data that gets there through evolving and traditional deceitful means.
“The major threats for 2017 will continue to circle around phishing, ransomware, unsecured web-connected devices, and nation state antics,” says Sean Feeney, CEO of DefenseStorm, a Seattle, WA-based provider of cloud security services. “The tools around these threats continue to evolve and become more commercialized. Furthermore, the ease with which they can be deployed means the field of attackers will only widen.”
In the financial services world, that means doing more of what works.
“From a credit union threat perspective, we’ll continue to see a major focus on multiple types of phishing targeted at tricking users into giving up their user credentials, many of which carry access to sensitive member information,” says Gene Fredriksen, chief information security officer at PSCU.
From a security perspective, working together is the way of the future. Credit unions seem to already do that.
Fredriksen says although EMV adoption has lowered card-present fraud, PSCU still sees a 40% compound growth rate in malware, threats, and attacks year-over year.
“This growth is why ensuring your credit union has a source for actionable intelligence is important,” he advises.
Fredriksen adds he expects criminals to continue their focus on attacks that are cheap to execute (email), have high return (actual user credentials with access to account information), and low-risk of getting caught (the dark web, with its onion layers of obfuscation, lends itself to that.)
Light At The End Of The Dark Web Tunnel
Credit unions can use their findings on the dark web to both protect and inform their members. For example, they can use dark net discoveries as early alerts and let members know if their email address and credentials pop up in a marketplace for purloined data.
“Tell them: ‘Hey, we found this, and you should probably reset your passwords,’” says Toren at Owl Cybersecurity. “If it’s the credentials for banking at the credit union, you can force password resets.”
Don't reinvent the wheel. Get rolling on important initiatives using documents, policies, and templates borrowed from fellow credit unions. Pull them off the shelf and tailor them to your needs. Visit Callahan's Executive Resource Center today.
The natural tendency of credit unions to share information as a whole also could give the movement a leg up, Toren says.
“We’ve included credit unions in our platform trials and I was struck by how open they are about sharing information,” she says. “The big companies don’t even talk to one another. But from a security perspective, working together is the way of the future. Credit unions seem to already do that.”