Protect Yourself from Dark Web Fraud
Not that long ago, the entire internet was considered an “underground” phenomenon, a place for hackers and computer geniuses to trade in their esoteric knowledge—sometimes for questionable ends. Then the web took off, your grandparents got on social media, and the internet became entirely mainstream, but the shadier elements of the online community never went away.
They just moved to the less-accessible corners of the internet known as the Dark Web, where fraudsters and other cybercriminals can find the information and resources that underpin their schemes. How does the Dark Web facilitate fraud, and what can merchants do to avoid being victimized?
Considering all the harm they do, it's easy to disparage fraudsters, but the idea that ecommerce fraudsters are basement-dwelling lowlifes is a myth. More often than not, online fraud is an organized and sophisticated operation, and the Dark Web provides fraudsters with a place to network, share advice and resources, and establish a marketplace for illegal services and stolen data.
In these online spaces that exist beyond the reach of the tech platforms and governments that might monitor and regulate them, fraudsters can hone their skills, collaborate, and learn how to take advantage of the latest trends and technologies—not unlike merchants and marketers on the “normal” web.
The very idea of the Dark Web can seem intimidating to merchants who prefer to stay on the right side of the law and would hesitate to leave any digital footprints in online spaces where stolen goods (and worse) are traded.
However, understanding what the Dark Web is really all about can help demystify it and put merchants in a better position to see how the activities that take place there feed directly into the credit card fraud and other attacks that impact their revenue and chargeback rate.
What is the Dark Web?
One thing that makes discussing the Dark Web challenging is that it doesn't really refer to anything specific or universally agreed-upon. There's no secret portal that takes you, Narnia-like, to a hidden shadow internet, there are simply parts of the web where it's harder to identify and track users who might be engaged in illegal activity.
In general, the Dark Web consists of private networks that run on existing internet communication protocols, but can only be accessed with special software or authorization requirements. The Tor network is a good example—it's hosted on the same internet everybody uses, but it's designed to provide total anonymity for its users.
The Dark Web often gets confused with the Deep Web, but they're not the same thing. In fact, the Dark Web is just a subset of the Deep Web, which refers to websites that are not indexed by search engines like Google. Sites on the Deep Web might be harder to find, but if you know their URLs you can access them from any web browser. If a site is part of the Dark Web, it implies that there are some actual barriers to accessibility.
Why is There So Much Stolen Data on the Dark Web?
Unfortunately, they are far outnumbered by people who want to engage in illegal activities for their own personal gain. On the Dark Web, these individuals can communicate freely with each other without revealing their identities to law enforcement agencies that might be observing.
This has resulted in the Dark Web becoming a hub for black market ecommerce activity, a place where one can purchase drugs, pirated software, and stolen data with Bitcoin and other anonymous cyber currencies. Payment card credentials, unique username and password combinations, and personal information of the sort used in identity theft have become especially valuable commodities.
Skilled hackers can breach websites to steal massive amounts of protected data, but using that data to launch further profitable fraud schemes takes a lot of work and doesn't involve the same skillset.
When hackers can sell purloined data on the Dark Web, they can make money off of their activities and let the dedicated financial fraudsters figure out how to extract cash out of stolen logins, credit cards, and identities.
What Can Merchants Do to Protect Themselves?
The proliferation of stolen card data on the Dark Web has fueled the rise in ecommerce fraud that merchants have been dealing with in recent years. The fact that EMV technology has made card-present fraud much more difficult has only added to the problem, as fraud detection in card-not-present environments remains challenging.
Buying stolen card numbers in bulk off of the Dark Web isn't a slam dunk for fraudsters, though. When data breaches are detected, banks and customers are notified, and compromised card numbers are frequently reported and shut down.
This means that while a fraudster might buy hundreds of stolen card numbers, only a few of them will actually work. To find these working cards, fraudsters resort to practices like card testing—attempting lots of small, hard-to-detect purchases until one of them goes through, thereby identifying a card that can be used for other, larger purchases.
Even once they find a working card, fraudsters still have to find a way to turn the purchased item into cash. This tends to involve purchasing products with a high resale value and getting them delivered to a location where the fraudster can pick them up.
Merchants can mitigate the dangers posed by Dark Web fraud by using anti-fraud tools that detect and block card testing, and by carefully monitoring for suspicious activity involving shipping addresses.
Any time a customer tries to change a shipping address after an order has been placed, that should be a red flag—especially if the address isn't located anywhere near their billing address or previous shipping addresses.
The Dark Web may conjure images of an impenetrable cybercriminal underworld, but the reality is more prosaic than that. While it does serve as a black market and an incubator for new scams and malware, merchants can lessen the threat posed by the Dark Web by implementing tools and best practices that screen out unauthorized credit card use and suspicious user behavior.