In part two of this conversation with Emily Wilson, vice-president of research at Terbium Labs, we return to our conversation about how the dark web amplifies fraud risk for finance departments. In this episode, we explore what to do if you discover your data on the dark web, how to mitigate the damage of a data breach, and what the future of the dark web holds for finance departments. If you haven’t already, please listen to part one of this conversation first.
What you’ll learn from this episode:
- How the dark web is evolving and what the future of the dark web looks like.
- What finance departments should do if they find their data on the dark web.
- How to monitor your fraud risk on the dark web.
- What law enforcement is doing to crack down on illicit activity on the dark web.
Play the episode below:
To comment on this podcast or to suggest an idea for another podcast, contact Drew Adamek, an FM magazine senior editor, at Andrew.Adamek@aicpa-cima.com.
Drew Adamek: Hello, and welcome to the Financial Management magazine podcast. I'm FM senior editor Drew Adamek, and today I return to my conversation with Emily Wilson, vice president of research with Terbium Labs about finance and the dark web.
In part one we talked about the structure of the dark web and how fraudsters use it to exploit your data. Today we're talking about what finance departments can do when they discover their data on the dark web, how to mitigate the risk of data breaches, and the future of the dark web.
If you missed the first part of our conversation, I encourage you to find part one wherever you find FM podcasts. I now return to my conversation with Emily.
How does understanding the nature of the dark web help places like finance departments prevent or protect against data breaches?
Emily Wilson: There's a lot of myth and misconception around the dark web, and there's a lot of fear there. And there are a lot of companies who rely on that fear for marketing. It's the security equivalent of telling people that there are people who are going to break into their houses and you need to buy these burglar alarms because very bad things could happen, but you never actually stop to tell them they can also put locks on their doors and they can close their windows.
There are lot of things that we should be concerned about on the dark web. There are a lot of criminal communities, a lot of data floating around, a lot of organisational risks we need to take into account. We don't have to be afraid of it. We can be concerned without being afraid.
Understanding how the dark web actually works strips away one of the biggest things that criminals have going for them, which is confusion, which is aversion to looking something new and different in the face. We don't like it. It makes us uncomfortable. They love that. They want us to be unsure. They don't want us to understand all of the cards they're playing with. They want businesses to be more focused on who's forging checks than who has access to hundreds of thousands of payment cards.
Once we understand the fraud economy, we understand the resources they're playing with, we understand the playbooks they're working off of, we understand how they're learning from each other, how they're reacting to what's happening in the traditional economy, the legitimate economy — once we understand what this looks like in practice and that it's actually something more like eBay but for fraud, as opposed to scary chat rooms full of nation-state actors who are whispering in code then businesses can start to do something about it. They can start to say, "Oh, I see. I can build a model with this. I can understand these risks. This is the box it fits into. This is how they could be harming us. This is how they might approach the problem."
Once you have all those pieces in place, businesses have a real leg up, especially if they understand what data specifically fraudsters are dealing with and what specific avenues they could have into a business. It changes the calculus entirely. And so many businesses are worried about so many other things, you know, criminals love it. They want them to stay distracted; they want them to focus on something else.
Adamek: You describe companies who understand the dark web being able to start to deal with it. Once they've gained that understanding, what should they be investing in in order to capitalise on it?
Wilson: Once companies begin to recognise that the dark web is potentially full of information that could be significantly increasing the type of operational risks that they face. The next thing is to ask yourself — again, we're shifting the question here from "Has my information been exposed?" to "What information has been exposed, and where has it been exposed? What does it mean for me if that information has been exposed?"
And so there are sort of two pieces there you need to have. One, you need to be able to track that data. That's something that we work on at Terbium Labs. We track that data for our customers. We monitor and track where their information is showing up on these criminal communities because if you're just working off of hypotheticals — we know some credentials may have been exposed, we know some contact details may have been exposed — that's not going to get you close enough to actual being able to work the problem.
And then there's understanding what it means in context. What do you do if this kind of information is exposed? What combination of variables put you at an increased risk for business email compromise — something very targeted versus phishing, versus potentially a physical security issue, depending on what sort of organisation you work with, depending on what sort of profile your board members or your executives have. We're talking about physical security here in some cases too.
So tracking that information and working with a partner is something that we try to do at Terbium Labs to help people understand what it actually means that your information has been exposed and then how is it changing over time?
A single point in time measure is useful, but it's not actually helpful in the long run. How do you know how bad it is unless you know how bad it's been? How do you know if it's getting better or getting worse or if you need to react to it differently if you don't have a benchmark, if you're not tracking something consistently, if you aren't able to track and identify trends?
So I would say think about this the same way that you think about other risk factors that you take into account in your organisation. You're not going to go get one data point and then say, "OK, great. Now we understand it entirely." It takes time to track. It takes time to figure out, "How am I doing compared to the rest of my industry? Is this a problem or is this what I should expect? Is it normal for an organisation like mine to have a hundred credentials exposed in a month? A thousand? Is it a spike from last month? What kind of activity can I expect over a given year?"
As fraud professionals we know fraud can be cyclical: You have fraud around the holidays, you have a big spike in tax fraud around tax season, and you have to gather data over the long term to understand what you're actually looking at.
That's what I see for mature organisations, who are really looking at data as a commodity, data as a point of risk in their organisation. They're tracking what information shows up, they're tracking what it means, and they're tracking how it changes.
When you strip it all away, yes, there's technology. Yes, there might be terms people don't understand or aren't familiar with yet, but this is fraud. This is crime. These are things we understand. The criminals are just more well-resourced than we could imagine. And so if we could have that shared understanding of what they actually have to work with and how they're actually operating and how they're getting access to some of this information, then when we see the headline, when we get the incident report, when we have a meeting to talk about what sort of risks we need to consider in our planning for next year or next quarter we can say, "This is something I need to take into account."
And for me being able to prompt that critical thought, being able to help people arrive at these updated conclusions, that's the most important thing. You don't have to be an expert in it. It's not a good use of most fraud professionals’ time to be an expert in this or to spend time on the dark web. Just understand the risks that you're up against and this needs to be one of them that you think about.
Adamek: How much of the dark web is law enforcement?
Wilson: It's a difficult think to quantify. So I will simply say this. If anyone on the dark web starts asking too earnest of a question or too direct of a question the answer is always something like "Spot the fed."
Criminals know. Because law enforcement is absolutely on the dark web. Federal, state, international, local law enforcement in some cases, and law enforcement is doing an incredible job.
Some of the takedowns we've seen recently have just been masterfully executed, and they deserve credit for that. But criminals know that law enforcement is on the dark web. They know that researchers like me are on the dark web. And they act brazenly but not too brazenly, right? You're not going to say, "Hey, I live in this city in this state. There's this old book depository downtown they're getting ready to tear down. Do you think that would be a good place for my drug drop?" Because there's a certain amount of operational security — op-sec — people know to operate with.
But law enforcement is certainly on the dark web. The criminals outnumber them I would say significantly, but law enforcement does have a presence and they're doing a great job.
Adamek: From your view what does the future of the dark web look like and the future of the fraud economy and how businesses are going to be relating to it?
Wilson: I think of the dark web as a case study for the future of fraud. Because what we see here is a criminal community that has the power of the internet at its disposal. Perhaps it's the natural and unavoidable evolution of digital fraud — of cybercrime.
There's a blurred line now if there ever was a line between traditional fraud and cyber-enabled fraud. The same way that every business is now unavoidably a tech company — everyone relies on technology in order to do what they need to do — we see fraud moving the same way.
As more transactions become digital, as identity itself becomes digitised what does that mean for fraud? How does that change the way that we think about personal information? What is personal data?
Before we might have thought of it as identification or family history. We might have thought of it as the numbers that we associate with a government ID. What about our image? What about physical data? What about biometrics? What about our preference data? What about our internet activity? How much of this is personal information? Especially since criminals aren't the only ones who are collecting as much data as they can. We have a data economy in the legitimate economy.
We have social media, with marketing, with political parties. Data is a commodity, and everyone is pulling in as much as they can because your new differentiator is how much data do I have compared to my competitors? Data is power in that sense.
I see the future of fraud through the future of the dark web moving in tandem, which is to say that there's going to be a surge in privacy and security. We're going to see people begin to react to some of these surveillance tactics, frankly, and look for more private and secure options.
We're going to see people want to be able to do more faster, better, with less friction. I hate the word friction — I hate this concept that we need to create a frictionless experience because as a professional my instinct is, absolutely, put in the two-factor authentication, put in something that's going to slow everyone down and make everyone safer, but then the first time that my dad can't figure out how to get into his email, you know, I have to change the way I think about it.
So I think we're going to see the dark web continue to develop and respond to the changes we see in technology. The same way — one concrete example of this is the way that criminals changed the way they went after credit card fraud in response to EMV adoption in the US. When we brought chip to credit cards in the US, criminals had a harder time going and committing fraud in person so they said, "That's fine. I'll do it online. That's great. I'll just change the way I think about fraud."
Similarly, I think when we see faster payments, when we see – there's an ongoing discussion about have we reached the end of the password. How do we change the way we think about some of the government identifiers that we rely on? You know, is this the end of the US's Social Security number? Criminals are going to respond to that.
They're going to exploit the old system as it is sun-setting and they're going to use whatever new system as a beta test for the new schemes they're going to develop.
The dark web is one example of that. We have now a lot of data. You know, you go into these criminal communities and you see what they respond to. You see how they change their behaviour. You see what new tactics they're developing. They're going to keep doing that. This is one place where we can observe that and try and see if we can get ahead of some of these trends.
Adamek: Emily, thank you so much for joining us.
Wilson: Thank you for having me.
Adamek: I'm Drew Adamek, senior editor with FM magazine, and I've been speaking with Emily Wilson, vice president of research for Terbium Labs, about finance and the dark web. Thank you for listening.