In part one of this conversation with Emily Wilson, vice-president of research for Terbium Labs, we explore how the dark web creates a “fraud economy” that amplifies the cyberfraud risk that finance departments face; how companies and their data are at risk, even if they haven’t been breached; and how to identify whether your data appears on the dark web. In part two, Wilson discusses how to mitigate the fraud risk of the dark web.
What you’ll learn from this episode:
- What the dark web is and isn’t.
- How the dark web amplifies fraud risk for finance departments.
- Why the “fraud economy” is here to stay.
- Why your data may be at risk, even if your company hasn’t been breached.
To comment on this podcast or to suggest an idea for another podcast, contact Drew Adamek, an FM magazine senior editor, at Andrew.Adamek@aicpa-cima.com.
Drew Adamek: Hello. And welcome to the Financial Management magazine podcast. I'm senior editor Drew Adamek, and today I'm speaking with Emily Wilson, vice-president of research at Terbium Labs, about what finance departments need to know about the dark web and how it amplifies your fraud risk and how your company can be vulnerable even if you haven't been breached.
I spoke to Emily at a recent conference, and this is part one of our conversation. Please check back wherever you get your FM podcasts for part two.
Emily, thank you so much for joining us.
Emily Wilson: Thank you for having me.
Adamek: The dark web seems like one of those things that everybody knows about but doesn't really understand. What exactly is it?
Wilson: You're right. I think in recent years I've certainly seen that we've moved away from no one knowing what the dark web is and having never heard of it to everyone's now heard of it for one reason or another.
At a fundamental level the dark web is just another part of the internet, but the technology that supports and underpins the dark web allows for increased anonymity, user obfuscation, and all of the things that are very good for privacy and security, which also means that they're very good for criminals.
The dark web is a part of the internet that is home to some pretty pervasive criminal communities, to criminal marketplaces that have a lot of familiar infrastructure. We're talking about places where you can go buy drugs and software and stolen payment information that look just like you're shopping on eBay, and that's a part of the dark web that I tend to focus on — what I've come to call the fraud economy on the dark web.
Adamek: And how is that different from a layman like myself who has no understanding of … how is that different than say Yahoo.com or Amazon.com?
Wilson: So with those websites what you're referring to is something that we often hear called the clear web or the clear net — the surface web. And this part of the internet is part of the internet we all use every day. You can use any browser to access it, you can get to it on your phone or on your laptop, and you can find it on Google. That's the clear web.
There's sort of a middle ground here if we think of the internet as sort of existing in three tranches. There's a middle ground here called the deep web and the deep web and the dark web often get used interchangeably. They're a little different. The deep web is also a part of the internet we use every day, but you're not going to be able to find that content on Google.
You don't need any special technology like you might do with the dark web and what that looks like is, for example, if I log into my bank account and I see my account summary page that's the deep web. You can't get to that page on Google — at least not if my bank is doing their job right — and you can imagine we hear about how the deep web is exponentially larger than the rest of the internet.
The clear web is just the surface — it's 1% of the internet we see every day — you can begin to imagine with an example like a bank account. All of the pages that you can only see when you're logged into a certain account how many those are and how many people have bank accounts and how many businesses have bank accounts, social media accounts, email accounts, financial services accounts, insurance accounts — all of these accounts that we have online those might be behind logins.
Similarly with corporate networks. We have a corporate network that I have to be on a certain VPN to access or on a certain network to access. That's part of the deep web.
Then there's the dark web. The dark web you do tend to need special technology to access. It's technology that effectively says, "Yes, this person is allowed to access this network."
One example of that is Tor — T-O-R — the Tor browser and the Tor network are two of the more popular and well-known dark web networks. You can download the Tor browser online — you just go to the Tor Project website, download it. Congratulations, you're using the dark web.
The browser is software that effectively tells that dark web network that this person is allowed to access these websites that you wouldn't be able to access on a regular network. And on those websites, the technology itself provides anonymity and obfuscation. It masks user traffic as going through a variety of different locations and there's a lot of encryption involved, and so you have users who can use this technology to browse without anyone knowing who they are or where they come from. They can hide. Very good for privacy and security, very good for criminals.
And then within that network you have sites that are hosted on that dark web network the same as you would have internal company pages hosted on your internal company network.
And some of those are perfectly legitimate. The New York Times has one. Facebook has one. But criminals also have them, and this is a very popular place for these major criminal marketplaces to settle in because all of the same obfuscation technology that allows someone who lives in a country that blocks access to certain news sources also benefits criminals who want to make it a little bit harder for people to find out who's selling fentanyl or stolen credit cards.
Adamek: And the structure of the dark web how does that drive what you call the fraud economy?
Wilson: It's easy to imagine that fraud is kind of a back alley shady deal that we think about criminals in one-off fraud issues in the world of investigations, right? You have an individual at your organisation who's committing fraud. You have a fraudster who's stealing people's mail out of their mailboxes.
The dark web — the technology and the infrastructure that people have built up on this part of the internet has allowed for a high volume of data to be hosted and leaked and sold to a variety of different criminal communities, and that allows fraudsters to create these scalable business models. We're not talking about one person with five stolen credit cards; we're talking about entire networks with tens of thousands of stolen credit cards.
And this is an economy because we see vendors who are competing for market share. We see people who are offering customer service. We see people who are trying to differentiate themselves amongst their competitors. There are set goods and services for personal information. There's this list of things you can expect to see for financial data. There's this list of things you can expect to buy, and prices are largely driven by the market.
There's enough supply that it's driven prices down except for highly differentiated goods the same as we would see in a traditional economy, and there's plenty of demand because fraudsters have found that this is incredibly lucrative. You've taken fraud and you've multiplied it ten times over, and you've added technology that makes it very easy and very fast and, in some cases, very automated.
So it is an economy and we need to change the way we think about the scale of fraud to adjust to that concept.
Adamek: Now for my audience of financial professionals working in finance departments, what is the kind of data that they're working with that may show up on the dark web and how is that being used once it does show up on the dark web?
Wilson: There are two types of data that I would call your audience's attention to. One, of course, perhaps obviously, financial data, and this could come in the form of stolen payment cards, credit cards, debit cards, which include both personal and corporate cards — those are incredibly popular. There are dedicated markets that are built around nothing but the sale of those cards and sell in bulk. These carding markets offer wholesale discounts. They have holiday sales.
In addition to payment cards there are of course bank accounts — very good for laundering money. Depending on the balance you're looking for in whatever account you want to buy, whatever stolen account you want to buy, you might pay a little bit more, but we're talking about the difference between $10 for an account that might have a $500 balance up to $80 or $100 for an account that might have a $500,000 balance — really this is pennies on the dollar here.
In addition to bank accounts there are also payment processor accounts — your PayPal, your Western Union, these sorts of things.
There are also guides about how to open these kinds of accounts and how to use them. There's a lot of institutional knowledge building in this criminal community.
If you're looking for a step-by-step guide on how to open a fake business account and then commit tax fraud, the dark web can help you with that. That covers sort of the financial side.
But personal information is really important and account credentials in particular. I talk to our customers, I talk to people in the industry, I come to conferences, and I talk to people, and they have this list of things that they're worried about and I say, "OK, you need to be worried about having your credentials exposed. How do you think they're going to get access to that information?" Most often it's things like business email compromise. It's things like phishing. It's things like account takeover.
You know, there's a very limited market for something like intellectual property or financial projections or M&A activity or payroll records, but there's a big market for credentials.
The other thing to think about for credentials, you know, we live in a world where even if it's not your breach it might still be your problem, which means that you as an organisation deal with the fallout from breaches that impact all of your employees and all of your customers.
Of course customers are not just your customers they're customers for a number of other institutions, retailers, and organisations. But especially for your employees when we think about problems with password reuse that means that if your employee got caught up in a social media breach from five years ago, but they're still using the same password, eventually that's going to work its way downstream and if they're using whatever user name and password or a variation of that from that social media account five years ago for one of your corporate accounts that's very bad news for you.
Criminals want something that's going to be easy to access. They work with what's right in front of them in many cases. There are targeted attacks — businesses need to be worried about those, especially high-profile businesses. But for your average business they're facing just as much risk from some third-party breach that had nothing to do with them where you have employees who are using the same versions of usernames and passwords because eventually if you're a criminal you get your hand on an email address and a password with no sense of where it came from, which is incredibly common on the dark web. There's not always attribution; there's just a lot of data, which is why a company should be monitoring for their data and a little bit less for their brand exclusively.
If you get that email and password and you don't know where it's from, what are you going to do? You think about all of the most popular services. You're going to try all these banks. You're going to try all of these entertainment services. You're going to try all of these retailers. And eventually you're going to find something that sticks, and then you can build out from there. You exploit one account, but why would you stop there?
If it's an Amazon account, for example, great, now you've got a home address. Maybe you have a business address. Who are they on LinkedIn? What kind of role are they in? Oh, interesting, they might have access to good data.
And it can take months or even years for these sorts of things to develop because information gets leaked and releaked, sold and resold, remarketed under a new brand, and businesses have to deal with that on all fronts. Think about that for every employee you have. Think about that for some of your high-profile customers. It starts to build up really quickly.
Adamek: What are the broad trends that you're seeing in data breaches, data exposure, showing up on the dark web?
Wilson: It's a mixed bag. When we hear about some of these major breaches — these hundreds of millions of records breaches, which is happening every other week at this point, unfortunately. Our concept of a milestone breach has changed. It's come a long way from something like OPM (US Office of Personnel Management) or the original Yahoo breach — one of the original Yahoo breaches.
Some of those major breaches do show up on the dark web. Sometimes it takes four or five years. I think about the LinkedIn breach. That didn't show up online until years after it happened, and it was a pretty big surprise to everyone at that point.
There are things like Equifax where right after the Equifax breach, I got questions left, right, and centre, "Is it on the dark web? Where is it? Are you seeing it?" No. Plenty of scammers popped up with a one-time website saying, "Hey, send me $5,000 in bitcoin and I'll send you the database." They didn't have it. Everyone's surprised when a dark web full of scammers is scamming people.
And then there's this other category, which I've been seeing more of lately, and I've also seen it make its way into mainstream news which is big collections of data from a variety of different sources and what makes the news is that there's a big collection of data circulating around.
Your listeners might remember from a few months ago — and if not I would encourage them to take a look — something called Collections One through Five or Collection Number One. This was a headline about billions of credentials from a variety of smaller breaches floating around the dark web, and you couldn't go onto a criminal forum without tripping over it.
And so here you have breaches from a bunch of different services — some of them out of Eastern Europe, some of them services that we rely on — and it's not really clear when these breaches happened, it's not really clear where it came from. It was just somebody who had been going around the dark web collecting up all the little breaches and storing them and creating their own compendium of data and then, here I've packaged this nicely into one — realistically several — there was quite a bit of data — one nice, neat little download for you to go and you have data that's five or six years old and some of it's still good.
Credit card numbers, payment card numbers — if those go bad we can change them. We can close the account. We can reissue the card. The most annoying thing is having to go in and change the billing information for your Netflix account.
If you have something like a password once you know there's a problem you can go in and reset it. You may not know there's a problem. It's going to be a little bit harder than a credit card, but you can at least go in and change it.
Other things: lifetime data. Things like Social Security numbers or other government-issued ID numbers, things like a home address, date of birth — some of those you can't change and some of them you're not going to change. You're not going to move because you were caught up in a data breach, which means that address is still valid with your information, potentially for the rest of your life.
And I think we're starting to see people understand that the potential consequences from these data breaches have changed. The sheer scale of data that's been exposed. I think people are beginning to understand just how bad this problem actually is, and that's just for the breaches that we know about.
Adamek: So you talk about this shift in consequences. That must then require a shift in mindset. What does that look like?
Wilson: I think the first shift is to — and I think we're making progress here but we need to come all the way — is to shift away from "Have we had an incident? Have we had information exposed?" to "How much of our information is out there, and what of our information is out there?"
An organisation can have the best security posture they could possibly afford and then some. They can be perfectly in compliance with the regulations in their area, and they can still be exposed because they share their information with a variety of third parties, who share that information with third parties — the nth party data breach problem. And again their employees work for them, but they're also consumers. They also belong to organisations. They're customers. They're board members. They're partners. They're investors.
There's so many potential risk points here you have to start thinking about what information has been compromised and what do we do about it.
The other thing that I've been hearing from people in that field is starting to think about where regulation is going, where legislation is going, because there's certain things I think organisations should begin to do now, including taking stock of the information that they hold, getting a sense of their exposure, getting a sense of what sort of risk they face from their exposure.
Because it's very easy to say, "OK, we had a data breach," or "We got caught up in a third-party data breach and now we are exposed," but what does that mean? Is it mailing addresses for your third-party contractors? Is it phone numbers for corporate lines that you're not using anymore? Is it the email address and password for your CFO or your CEO or your head of sales? Is it the home address and a threatening message for one of your board members because of a political donation? We see those types of things.
So it's not enough to understand just what information is exposed but what does it mean?
And then start thinking as we look at the future of regulation and legislation depending on where you live, what you may already need to be in compliance with, but what sort of duty of care might you have to your customers or your consumers? What sort of expectations do you see on the horizon? Do you want to wait to be incentivised by one of your biggest competitors getting some sort of massive fine? Or do you have an ethical responsibility to start to take your data seriously?
Data is a commodity. Data is incredibly valuable. We have a data economy now, and there's a fraud economy that's building off of that. Businesses should start to think about that.
And the last thing I'll say here — this is a conversation I've also been trying to have a lot more recently — fraudsters value data a lot differently than companies do. And there's a big disconnect there and the fraudsters benefit from that confusion. They love confusion. They rely on it. They hope that you're busy with eight other things.
Businesses worry about sensitive information — what they think is sensitive. They worry about mission-critical information. They worry about proprietary data. They worry about things they don't want their competitors to know. They worry about ethics issues and human resource issues. They should. Those are very important for operations. Those are very important for advancing in your industry. But criminals don't care. That information is not profitable for your average criminal.
Criminals want something they can monetise. They value data based on its potential for monetisation. "How much money can I make from it, and can I use it again?"
With that in mind things like credentials become incredibly valuable. Things like contact details can be incredibly valuable. Financial data, of course. Some brand information might be valuable. The things that we take for granted, the things that we use every day and put on our business cards. In the hand of a criminal that's money and businesses need to change the way that they think about it to take the criminals into account because the criminals are using whatever resources are at their disposal, which is most often — this makes sense but we have to stop and think about it — most often what the criminals have is the kind of information that's caught up in a data breach.
What kind of information is in a data breach? Account information, credentials, and contact details. They're going to work with what's available to them, and there's plenty of it.
Adamek: I'm Drew Adamek, senior editor with Financial Management magazine, and I've been talking with Emily Wilson, the vice-president of research for Terbium Labs, about finance and the dark web.
This was part one of our conversation. In part two, we talk about practical steps that companies and finance departments can take when their data shows up on the dark web.
Please check back wherever you get your FM podcast for part two of our conversation. Thank you for listening.