Shedding Light on the Dark Web

Man sitting in dark in front of bright white computer screen
Contributing Writer
member of Bellco Credit Union

2 minutes

Cybersecurity monitoring should now include seeing if your data is for sale.

Cyberthieves target money and data indiscriminately because data now is easily monetized on the dark web, reports Richard Crone of Crone Consulting LLC, San Carlos, California.

“Data is the new oil,” he says. “When a hacker can take over a supertanker, it’s a mother lode.”

Security monitoring should now include the dark web, recommends Brad Garland, CEO and head of business development at Vala Secure Plano, Texas. “The first indication that you’ve been hacked can be when your stolen data is listed for sale on the dark web,” he explains.

Even prudent CUs that think they are safe may already find member IDs and passwords stolen from them for sale on the dark web, warns Ray Murphy, chief information security officer at LEO Cyber Security, Dallas. “CU leaders have heard of the dark web,” he suggests, “but I’m not sure they know how much activity is going on there.”

The dark web is a veritable supermarket of fraud products and services, he reports. “There are all sorts of stolen data. There are also kits you can buy to help you use that data to steal money. For example, you can buy a denial-of-service kit or a ransomware kit. Or dark agents will even do it for you—you can buy fraudware as a service, do it in-house—as it were, or outsource it. It’s quite a well-developed marketplace.”

It’s not territory for the uninitiated. CU security pros need to be cautious about exploring the dark web to find out what exposures they have there, Murphy cautions. “If a credit union wants to know what data is available on the dark web, it should use a third-party service to acquire this information and reduce its risk to potential exposure.”

A few of the biggest players can enter that jungle successfully, Garland says, but most FIs need to leverage a third party to monitor the dark web for them. “There are services that will periodically search the dark web for your name or names of your members. It makes sense to do this, but not daily. That’s overkill,” he says. Two of the big players in dark web monitoring are Experian and Norton LifeLock.

Is it a risk that can be transferred with insurance? Ransomware insurance is the fastest-growing line for security protection, Garland reports, but it may not be the most effective. “The level of protection is vague,” he reports. “I hear horror stories about what insurers will and won’t pay.” cues icon

Richard H. Gamble writes from Grand Junction, Colorado.

CUES Learning Portal