First Published on 7th July, 2017
Everything isn’t illegal on the “dark web”, but it is a marketplace where nefarious transactions related to stolen personal data for further unlawful acts take place. So how one remains anonymous, explores Ai’s Ritesh Gupta
Questions related to safety of our digital assets and related IDs – be it for a banking app, email account, frequent flyer program and other accounts like Facebook, Twitter, LinkedIn etc. – do concern us from time to time. It isn’t easy to remember passwords for all accounts, and when you end up having the same password for all, then edginess does grip us. What if this all-important password gets stolen?
As consumers, we seek simple logins and frictionless shopping. Should we be more patient? Well, in reality, consumers don’t wait. The idea of answering “security questions” or authenticating something by clicking on a link by logging in another account isn’t appreciated much. So this puts tremendous pressure on the entire digital commerce fraternity.
But, the fact is, the danger of being hacked or being a victim is seemingly getting stronger.
Critical data such as login IDs and passwords garnered by hackers are traded on the dark web. Such credentials are then exploited by cybercriminals for account hacking and online shopping.
Dark web – what is it?
When one reads about what can happen on the “dark web”, it becomes clear that this part of the Internet can’t be reached with the normal tools. Dark web is described as a collection of sites and these can't be indexed by traditional search engines. Also, these can't be opened by using traditional browsers.
It doesn’t come as a surprise when one reads or hears about trading on the dark web, be it for your PayPal account, email id, credit card information etc. – everything has a value.
But, a statistic like an identity getting stolen in two seconds, is menacing. Also, it is being pointed out that it is tough to keep track of the flow of money on the dark web.
It is said that owing to encryption, users can visit dark web websites anonymously. These sites exist within the so-called deep web. Content in the deep web is not automatically or fully concealed or anonymous, but it cannot be indexed in a manner as the surface web can be done. As for the dark web, it is a part of the deep web that is intentionally constrained and closed unless there are precise tools to get in.
So how to get in?
I stumbled upon a post by Brett Johnson, who initiated AnglerPhish Security three years or so ago, sharing information as “a former cybercriminal to combat the very crimes he once committed”. He referred to functioning of the world of dark web and emphasised upon the significance of remaining safe while accessing it.
Johnson shared that accessing the dark web requires particular software, and the most common is TOR. It is used for online privacy. Johnson asserts “criminals love the TOR network” and if “properly used, it provides near bulletproof anonymity”. According to torproject.org, it can’t solve all anonymity problems and focuses only on protecting the transport of data. “You need to use protocol-specific support software if you don't want the sites you visit to see your identifying information. For example, you can use Tor Browser while browsing the web to withhold some information about your computer’s configuration,” states torproject.org. “Also, to protect your anonymity, be smart. Don’t provide your name or other revealing information in web forms.”
Anyone who is out to there to fight cybercrime needs to be wary of accessing such marketplace. There are details related to what needs to be done before using the TOR browser. According to dailydot.com, shut every open Internet program, use the VPN protocol to link up to a place considerably away from where one resides. Doing this would mean that the current ISP won’t make out the usage of TOR, and the TOR entry node won’t be able to know the true IP address. One needs to access .onion sites on the TOR network in order to reach out to a marketplace.
What about catching culprits?
Not many cases are reported, but last month, the German police reportedly arrested the alleged administrator of one such marketplace from where a gun was purchased and used for last year’s shooting in Munich.
But the dark web isn’t disappearing. It has triggered various incidents of fraud. The list features point-of-sale attacks and also been behind other malicious developments, say a malware. Payments to sellers can be done via bitcoin in order to ensure details of the transaction don’t get disclosed.
According to a study by Equifax released earlier this year, websites that deal in file sharing on the dark web account for 29% share and leaked data 28%. Travel e-commerce companies are already looking at ways to curb the stealing of air miles, loyalty points etc. This is in addition to other illegal items.
Companies need to be wary of what can result in data theft and security lapses.
Airlines and travel e-commerce organizations need to be vigilant and be aware of where their sensitive information is stored. There is a need for stronger access or password controls (for instance, no passwords for mobile apps, rather a local authentication mechanism such as a fingerprint, PIN or face/voice recognition. Plus, a password complemented by a second factor), availing options such as public key cryptography to create secure authentication credentials etc. Companies including Facebook highlight that using security keys for two-factor authentication provide phishing protection since there is no need to enter a code and the hardware provides cryptographic proof in the machine, interoperability i.e. the same key for any supported online account, and fast login.
Discuss and learn about emerging developments at the upcoming 6th Airline & Travel Payments Summit Asia-Pacific, to be held in Bali this year (29 – 31 August, 2017).
Follow Ai on Twitter: @Ai_Connects_Us