The Dark Web
Dave Hodgdon and Steve Ripper of PCG talk about the dark web, what it is, how your information and passwords get bought and sold, and what you can do about it.
Dave Andreesen: And it is Tech Tuesday, brought to you by PCG IT. For world-class IT service and customer support, go to PCGIT.com and the guys from PCG IT are here in the studio.
Steve Ripper/ Dave Hodgdon: Good morning.
Dave Andreesen: Well this morning, let’s talk about the dark web.
Steve: Ooooo.
What Is The Dark Web?
Dave Andreesen: Yeah, the dark, scary web. What is the dark web, for those of our listeners who don’t know?
Steve: So the dark web is… There are three webs. There’s the private web, and the private web is what we would consider the military, NSA, the government; private companies like Timberland, or IBM, or any of those. The public web is the web that we all use, that we’re used to, Amazon, Disney, wherever you’re going to go. That’s public web. The dark web is a place on the web where the less-savory people of the world hang out; it’s where lists are generated, it’s where passwords are kept, it’s where data goes. If you read all about these cybersecurity attacks and the data that they’re getting, that’s where they’re selling the data, on what’s called the dark web.
Dave Andreesen: Oh, okay.
Steve: You have to have access to it. You get access to it by going to forums. They’ll give you a password, you pay money, and you can get access to all of these things that have been stolen from other people.
Dave Hodgdon: I think of it as the mafia, it’s the bad side. We always look at the analogy of an iceberg and underneath the iceberg, under the murky waters, is where the bad stuff is happening. It’s about 4% of the web traffic, Dave.
Dave Andreesen: Really?
Dave Hodgdon: It is typically where the drug trafficking, the money laundering, the Bitcoin, what we call the P2 information where they’re trying to steal your credit card, your driver’s license ID, your date of birth, your bank information, and once they have that, that’s where the momentum of how you can be breached happens.
The Black Market for Your Data
Steve: Think of it as a black market for all of this data, this black market for these stolen passwords, stolen credit card numbers.
Dave Andreesen: Okay. Is there a potential that my information is in the dark web?
Steve: Very high potential.
Dave Andreesen: Really?
Steve: Oh yeah.
Dave Hodgdon: Yeah. The average person, Dave, uses four passwords for 50 sites.
Dave Andreesen: What do you mean by that?
Dave Hodgdon: That you have one password. Say it’s Dave123! - you’re going to Amazon, you’re going to Best Buy, you’re going to your bank, you’re going to whatever. The average person will use just four passwords on 50 sites.
Dave Andreesen: Cause they’re easy to remember.
Dave Hodgdon: Cause they’re easy to remember. So now these guys on the bad side, once they think they have that one password, now they’re going to start fishing and looking for other areas where they can get to you. And they’re looking for the magic nugget and they’re just trying to get to your credit card, your banking information, and they want to wreak havoc on you.
Steve: And in many cases you’re on the dark web, Dave, but through no fault of your own. You signed in and created an account with a service like Fandango for movies, Dropbox, you name it.
Dave Andreesen: Yeah.
Steve: They get breached.
Dave Andreesen: Right, you hear about these security breaches every now and then, especially like with the credit unions when they…or the credit reports when those came out. So, basically my information is out there on the dark web and it’s just waiting to be used at some point.
Dave Hodgdon: It could be old data, too, Dave. So it’s been out there. They’re constantly selling it, as Steve said earlier. For $2 you can just buy these lists. But out of that list of a thousand names there might be one or two active, cause you probably are not using the same password. Now, at least I hope you’re not from four years ago. If you are… There’s a good chance that you could be. I had one of my clients that I went to and I ran the report, cause we can run the report for any company. And, we actually have a service that we run all the time for our clients. So if a compromise happens, we get alerted, we contact the customer, and it shows us the password, what they’re actually using. We ask them is this password still active? They say yes. At that point we get proactive and change their username and password on every site. That’s the key, is being… The purpose of dark web monitoring is to prevent these bad actors to getting access to your data.
Using Your Credit Card Online
Dave Andreesen: Okay. Now that you sufficiently freaked me out here, and I never… I no longer ever want to go onto the internet or use anything that relates to a computer, how can I protect myself, especially my credit card number, because I use… I buy a lot of stuff online through Amazon or whatever, and a lot of… Pretty much everything is set up with your credit card now, your debit card. So how do I protect myself in a situation like that?
Steve: Well, don’t use the debit card online. Okay. You only use credit cards. There’s really functionally no difference between the numbers.
Dave Andreesen: Okay. What if I don’t have a credit card. How’s that? I don’t.
Steve: Okay.
Dave Andreesen: Can I use my debit card, still?
Steve: You can. The only difference, Dave, is that they both work exactly the same. But if you get breached, or someone gets your number, your money is being lost. In other words, you’re fighting with the bank to get your money back.
Dave Andreesen: Oh, I see.
Steve: Whereas if you use a credit card, their money is lost. They’re arguing with you to pay the bill and you’re like, “I’m not going to pay the bill.” That’s the only difference, but it’s a big one. If your debit card is directly attached to your bank account… If you are going to use a debit card, it’s a good idea to split your accounts out. Have an account where you’re going to just do web purchases and only have a certain amount of money in that account. So that if you do get hacked or the company that you’re dealing with gets a breach, they’re only going to be able to take whatever money out you’ve put in that account. Don’t have it attached to your entire savings.
Dave Andreesen: I see, okay.
Steve: That’s kind of a rule for that.
Dave Hodgdon: Steve brought up a good point is to always have that one unique card with X amount of money to spend with a very unique password, and that’s where you do all your web stuff. That’s… You have to be careful out there. And these… You hear about the breaches daily, it’s ridiculous. And I think on an average day, now we are approximately getting about six alerts per day that someone’s email, within our customer base, has been compromised.
Dave Andreesen: I know that credit card companies and debit card companies, they’ve tried to make things more safer by having that three digit code on the back, and then with the chip. Has it really made things safer? Because that three digit code, I’m sure that’s available now on the dark web.
Steve: So, they get all the numbers. If your credit card gets breached by a company, they’re going to get all of those numbers. Really, what the security code does is it allows the credit card company to track a little better where it went and who did it. That’s… It’s really a mechanism for them, not really for you. Another trick that you can use is just don’t save… Don’t have it save the credit card in the list. I know it makes things easier. It won’t protect you from a breach. When they have their credit card data on a database and they get breached, you’re losing that. But what it will protect you from is if somebody does get your particular password and they log in, they can’t make purchases cause they don’t know what the card number is. So, while it’s annoying to have to enter your card number in every time, every time you enter it in, think about you’re making that person who isn’t you have to do the same thing.
How to Stay Safer on the Web
Dave Andreesen: Okay. Besides the credit card numbers, what are some tricks to help me stay safer on the web?
Dave Hodgdon: Have multifactor authentication, so anytime you’re doing anything it’s confirming it’s you, Dave. So if you’re logging into a site with your email, it’s going to come back to you on your phone to confirm.
Dave Andreesen: We just got that here. We’ve got that now and it’s kind of a pain cause every time I want to log into my email I get a text message with a code.
Dave Hodgdon: I think it’s unfortunate what you need to do. When you just asked, how can you be safer, it’s that extra step that my phone now is my second mechanism, cause it’s unlikely the bad actor has your email and your phone.
Dave Andreesen: Right.
Dave Hodgdon: So I think multifactor-
Dave Andreesen: If you’ve been kidnapped, then you have really big problems, right?
Steve: You have much bigger problems than the internet. But, we tell people all the time… Everybody out there, corporations… Even if you’re not a member of a corporation or a company, or whatever, you should be turning on your multifactor for all – Amazon, your bank account, your mortgage account. If you have a… If you log onto your mortgage… Any of these accounts, you go into the security section and it will – most of them, not everybody does it, they should, and you’re going to see more and more of it in 2020, 2021, going forward – go into the security section and choose the option for two factor or multifactor. They call it either/or. And you’re going to link your phone to your account. Whether you do it through a text message, or you do what’s called the Google Authenticator – it’s an app that will allow you to press a button to get in – but what you’re doing is you’re making sure that even if your password gets hit, gets stolen by somebody, they cannot log into your account cause they also don’t have your phone. It’s annoying, Dave, it absolutely is. I have like nine things I have to do it for, but you have to do it.
Dave Hodgdon: The other thing, Dave, is there are services you, as from a consumer, there’s many services you can buy for an email compromise. As an organization, we use a company called ID Agent, which is geared toward more of the business operations. But there’s many services you as a consumer can use and if your name was breached, it’s being alerted. It’s letting you know, and then you’re being proactive. Just because they have that information doesn’t mean they’ve got into something, but they might have the ability to eventually get into something cause that password could be aged out. But once they’re in they’re going to start fishing everything they can about you. So you want to be very diligent about your P2 information, giving out your date of birth… I had a company… My lawyer was calling me for my password. There was no way I was going to email or text it. We played voicemails back and forth. In the old days I would just, sure, here it is, it’s sticky paper. You give it to somebody. You have to be very careful who you give your information to.
Dave Andreesen: Sure.
Steve: And then many… The other thing that people can explore is many banks will offer fraud management protection or fraud monitoring. Some of the bigger banks, but even the credit unions, you can look into that, sign up for it. They’re going to watch the purchases and they’re going to… If you have purchases… You’re here in New Hampshire and you’ve got purchases in California. Someone got your credit card number and they’re ordering food from Postmates or delivery food from one of these services. They don’t even have to see the person. The bank will, sometimes you don’t even notice, the bank will contact you and say, “Hey, how are you purchasing something in California when you’re in New Hampshire?” What a lot of the hackers will do when they get your credit card number, they won’t put a very large purchase. They’ll put small purchases.
Dave Andreesen: Right.
Steve: You don’t even notice them. $20 here, $30 there. That’s what you’re doing. You don’t notice it. So there’s fraud management and they’ll help you with that. So you should look into it.
Dave Andreesen: Okay.
Dave Hodgdon: You’ve got a few other things you can be thinking about – a password manager. Do you use a password manager?
Dave Andreesen: No.
Dave Hodgdon: Okay, so there’s plenty of ones out there: LastPass, KeePass, we use a product called MyGlue. But having a password manager that keeps these-
Dave Andreesen: Like an app on your phone?
Dave Hodgdon: An app on your phone.
Dave Andreesen: Okay, I do have one of those.
Dave Hodgdon: You want these things to be complex. I always look at the dark web. It’s like Santa’s bad list. You don’t want to be on Santa’s bad list.
Dave Andreesen: No, definitely not.
Dave Hodgdon: Once you’re on that bad list, you’re getting the call and it’s… The more you look at the forums, you look at the statistics, it’s scary under the dark web. And, as Steve said, 90% of it’s the public web, what we’re normally doing. But there’s always going to be the bad guys and it doesn’t matter what industry you’re in, but that’s where they are living.
Dave Andreesen: Absolutely. Well, I never had anything happen to me, knock on wood, but this is some good advice for all of our listeners here. Not just businesses but also on the personal side. So you guys won’t be here for next Tech Tuesday, but I want to wish you both Merry Christmas.
Steve: Merry Christmas.
Dave Hodgdon: Merry Christmas.
Dave Andreesen: We’ll be seeing you in the new year and be careful out there. We’re getting some snows. And Dave, be a good boss and close the office if you have to.
Dave Hodgdon: The dark web stuff is easy as a consumer. Just search it up. There’s services you can run. And if you’re a business, and you want to know if you’re at risk, we’ll offer a free service. We’ll run your business on the dark web and see if there’s any breaches. Typically, anytime we see a new prospect, Dave, we run it. There’s three or four people on that business. It’s usually the owners, or management, cause their email has been out there for a while, so call us up on that. We’d love to run the report on you.
Dave Andreesen: All right, great. Thank you. Gentlemen.




