What’s lurking on the dark web?

You know how valuable your personal information, like your Social Security Number or your bank account numbers, is to you. But have you ever considered how valuable your information may be to a fraudster? Understanding the dark web is a key step in taking control of your personal information.

On the dark web — the marketplace for stolen data and personal information — a Social Security Number can be sold for as little as one dollar. Your login to a subscription service? That’ll set someone back $10. Your passport is a little steeper. Those can fetch as much as $2,000. The going rate for personal information in this shadowy section of the web may be low, but business is still booming.

Kelly C., from Seattle, says her information was sold to a local car mechanic in June 2018. “I was wondering if I had been hacked after I noticed some strange things with my online accounts, but I just thought I was paranoid,” she says. Data from her accounts later revealed that the hackers were local: one at a coffee shop across from her apartment, another at the college campus about two miles away. To this day, she still experiences the aftermath of her dark web experience: Her checking account was most recently accessed by someone in Nashville, her medical records have been modified (her doctors’ names have been misspelled and words have been left out), and her attorney is helping her apply for a new SSN.

Nearly fifty-five percent of respondents to Capital One’s 2018 Credit Protection & Security Survey said they have experienced some sort of financial theft or fraud. Many of those pilfered passwords and data points are bought and sold on the dark web, and it’s become increasingly important to keep track of your private information and know whether it’s on the dark web. But to understand the risks of the dark web, you first have to understand what exactly the dark web is.

Think of the internet as a vast hallway with a series of rooms, and each room contains a website. Most rooms are unlocked, and you can get in them whenever you want and leave just as easily. This is called the “surface web,” and it represents only a fraction of all the sites on the internet. Anyone can find these sites through standard web searches because they’re indexed by search engines.

Other rooms aren’t on the map, which means they don’t show up when you search for them, and, even if you do find them, you’ll need a specialized key to get in. This is the “deep web,” a section of the internet that isn’t indexed by those same search engines. It’s a private albeit ubiquitous section of the web. If you spend time rifling through your email inbox, editing your social media profile, or reviewing your bank information online, you’ve been on the deep web.

Other rooms in the hallway are completely hidden unless you’re using specific tools that let you see and access them. This is the dark web, and you can only get there if you’re surfing the web using an encrypted browser. The software works by bouncing your IP address all over the world. The website you’re visiting can’t tell your location and vice versa. While that anonymity might allow hackers to build open communication forums or newspapers to run drop sites for whistleblowers, it also provides cover for financial crimes. One project that mapped over 6,000 dark websites found that the third most common topic on the dark web included the keywords “card, credit, balance, buy, price.” Scammers can also join anonymous marketplaces in order to sell your personal information in complete sets called “fullz info.”

It may seem like the Wild West out there when it comes to personal information being swapped and sold, but there are several steps you can take to protect your information. Transaction alerts from your bank and credit card companies can help you track your transactions, and credit monitoring tools offer similar alerts when they suspect suspicious activity. CreditWise® from Capital One®, a free credit monitoring tool, will send you alerts when there’s activity affecting your credit report, or if your e-mail address or SSN appear on the dark web. CreditWise scans thousands of unsafe sites, hacking forums, and digital marketplaces on the dark web. It has uncovered millions of email addresses on the dark web, and has alerted their users so they can take action.

You can also take steps to bolster your security on websites that require personally identifiable information. Enable two-factor authentication on any sites that allow it so that simply having a password doesn’t allow a hacker to get into your account. (For example, your mobile carrier account will suggest adding a passcode or PIN to your account as an additional layer of protection. It’ll help prevent SIM swapping, a favored tactic among dark web scammers, which allows them to hack your mobile identity and gain access to your accounts.)

You can also transition from using passwords to “passphrases,” which are chains of words that replace traditional passwords. Passphrases are easy to remember, but much harder for computers to crack, which gives you another barrier against your information being posted to the dark web. And another rule of thumb to remember: Never use the same username and password, especially on your most critical accounts.

And if your data has already been compromised? Remain vigilant. Your first step is to change your most critical passwords, particularly for your bank accounts and primary email. Then check your credit bureau file and your bank statements for any odd transactions. Scan for any unfamiliar accounts, names, addresses, or phone numbers, and if you see something suspicious, call your credit bureau and consider putting a freeze on your credit reports. A credit freeze or a credit hold will prevent potential lenders from accessing your credit reports, and therefore halt fraudsters in their tracks before opening new accounts or lines of credit. Keep a watchful eye on your accounts, and set up alerts with a credit monitoring tool like CreditWise to help you keep track of suspicious activity.

The dark web may be a malignant part of the modern web, but that doesn’t mean you can’t be prepared if your information ends up there.