INDIANAPOLIS — In today’s world of cyberattacks and data breaches, Hoosiers face the ever-increasing risk of having their personal information stolen, bought and sold on the “dark web.”
So far this year, more than 900 data breaches have been reported to the Indiana Attorney General’s office. Victims of cyberattacks include a wide range of hospitals and medical offices, schools and universities and various organizations, in addition to individuals.
So, could your personal information be leaked onto the dark web without you knowing it?
“Probably yes,” said Indiana University Cybersecurity Program Director, Scott Shackelford. “Yes is unfortunately the simple answer.”
Most of use deal with a very small portion of the internet called the “surface web,” easily accessible through common web browsers like Google Chrome and Safari. The “deep web” and “dark web” make up the vast majority of the internet. And it’s not all bad.
The “deep web” is where you go when you enter your password to access your online bank site or email account. Others can’t access the same information beyond the password security barrier.
It’s the “dark web” where criminals are known to buy and sell stolen information like commodities.
“And there are some websites that are available out there to help you get a sense for how many times your accounts have already been compromised,” Shackelford said.
As a first step, Shackelford recommends a website called Have I Been Pwned.
“Just put in your email address and it shows how many times that email account has shown up in breaches and how many times it’s appeared for example on the dark web,” Shackelford said.
“When you first log in, it says for example 25 times this information has appeared in breaches and that can prompt you to be a little more proactive and change those passwords,” Shackelford added.
To begin the process of finding what specific information you have floating around on the dark web, you can try your own search. However, you can’t get to the dark web with a standard web browser. You’ll need to download a browser called Tor.
“Unlike ‘dot com’ for example, all these end in ‘dot onion’ because it’s a different type of protocol to get you there,” Shackelford said.
The ‘dot onion’ protocol was originally developed by the U.S. Navy to help dissident groups avoid detection and surveillance while operating online. ‘Dot onion’ gets its name from its design, like the multiple layers of an onion. Those layers of security can bounce a computer’s signal around to make it difficult to track. That’s why criminals use it.
However, Shackelford says ‘dot onion’ searches may not be for everyone.
“You don’t actually go to web domains like ‘criminal-dot-onion’ something like that,” he said. “They’re all anonymized, so they’re all just strings of numbers and letters, so it’s actually quite tough to find a lot of these.”
“It’s pretty clunky,” he added. “The results aren’t always totally accurate. So it can take a little big of sleuthing to really figure out what’s there.”
Dealing with the dark web also comes with a caution.
“You’ve got to be really careful when you’re tooling around on the deep web, and the dark web in particular,” Shackelford said. “There’s a lot of information that’s useful there. But there’s also a lot that frankly can be harmful.”
If you’re willing to pay somewhere between $9 and $20 a month, you can subscribe to identity protection services that include deep web searches for your information.
“Any type of identity theft tracker like that can be useful, and most of them incorporate this type of deep web or dark web scanning as part of it,” Shackelford said. “Even Experian, some of these big credit monitoring bureaus also have a checkered history, but they do this deep web scanning as part of the overall package that they put together for folks for basically identity theft protection.”
Unfortunately, once your information is on the dark web, there’s not a lot you can do to scrub it.
“The internet is written in ink,” Shackelford said. “So when this data is out there, it’s out there.”
There are steps you can take to minimize the damage after a data breach. Shackelford recommends changing all your online passwords, utilizing password managers like LastPass and Keychain and activating two-factor authentication on websites you log into.
“Assume that you’re already compromised,” he advised. “And then put in place the best safeguards and practices to be able to recover as quickly and fully as possible.”