Is your information being sold on the dark web?

A photograph of a bank of yellow flatbed trolleys, with a DIY store in the background. A "Spotlight on InfoSec" badge sits in the middle

For financial professionals only

This is our latest article in a series putting the spotlight on Information Security. Here, Sarah Coles explains how criminals can purchase your personal details on the dark web, and how to stay protected.

The UK financial sector holds vast amounts of personal data, making it a huge target for cyber criminals.

Security experts are warning the UK’s leading FTSE 100 companies of increased cyber-attack risks, after finding over 30,000 username and passwords belonging to these firms on the dark web [1].  Originally used by government agencies to exchange information in secret, sites on the dark web won’t appear using search engines, so it’s not visible to most of us. It’s now often used for illegal activity, like buying and selling account credentials.

What are you worth on the dark web?

Researchers found that just £900 is enough for a criminal to gain full access to a target’s account details, including credit cards, online banking login, Facebook accounts, and PayPal accounts, as well as create fake IDs such as passports and drivers’ licenses [2].

UK hacked credit cards details with CVVs (the 3 or 4 digit number typically near the signature strip), are sold for an average of £16. Online banking logins cost just over £28 while forged utility bill templates go for £20 [2].

A recent Which investigation also found fraudsters advertising stolen data on consumers of big brands, including Tesco, McDonalds and Deliveroo for as little as £5 [3].

If you’ve had an account with these brands, your information is probably available on the dark web today. And because we still reuse passwords, that £5 Deliveroo password could be the key to other online services with more confidential information, such as your banking, financial platforms, or email accounts.

Many people just don’t realise the number of digital services linked to their email address. If an attacker gains control of your emails, they can access other linked accounts by requesting password resets. This could be really damaging if they get onto your financial platform containing you and your clients’ information.

How does information end up on the dark web?

  • Data breaches – when a company experiences a data breach, their consumer data is stolen. If you have an account or information saved with them, you should change your passwords immediately.
  • Compromised devices – if your device is infected with malicious software, your information can be sent back to attackers without your knowledge. You should always apply security updates when prompted and run regular anti-virus scans to check for malware.
  • Weak public Wi-Fi networks – if a Wi-Fi network is free, or the password is easy to guess, attackers can intercept connections and access your data. If you absolutely must use public WiFi, always use a Virtual Private Network (VPN).
  • Untrustworthy websites – if a website address starts with HTTP instead of HTTPS, it’s an unencrypted website where hackers can intercept your information, and sell it on later. Always check websites are using HTTPS. The “S” means it’s more secure and makes it much harder for hackers to steal your information.

Check if your information is being sold online today

Visit https://haveibeenpwned.com/ and check all your emails and phone numbers. You can also be notified when future data breaches occur and your account is compromised, so you can act quickly to change your passwords.

6 must-dos if your information is found on the dark web

  1. Change your password for all the accounts – a cybercriminal doesn’t need a password for every person in your company to break in – one could be enough to gain access and move deeper into your network for sensitive data or other valuable assets.
  2. Change the security questions on your accounts – if this information has been compromised, it could be used to regain access to your account, even after you’ve changed the password.
  3. Use a password manager – this helps you avoid reusing the same password, especially between low and high-risk accounts and personal and business accounts.
  4. Contact your bank or lender – ask them to reissue a new account or card, and set up fraud alerts.
  5. Add multi-factor authentication – this prevents account take-over attacks by adding an additional layer of protection.
  6. Report stolen driver’s license or passports.

[1] https://www.infosecurity-magazine.com/news/researchers-31000-ftse-100-logins/

[2] https://www.privacyaffairs.com/dark-web-price-index-2022/

[3] https://www.which.co.uk/news/article/data-breaches-passwords-for-sale-azGid0x1l0li

This article is for financial professionals only. Any information contained within is of a general nature and should not be construed as a form of personal recommendation or financial advice. Nor is the information to be considered an offer or solicitation to deal in any financial instrument or to engage in any investment service or activity.

Parmenion accepts no duty of care or liability for loss arising from any person acting, or refraining from acting, as a result of any information contained within this article. All investment carries risk. The value of investments, and the income from them, can go down as well as up and investors may get back less than they put in. Past performance is not a reliable indicator of future returns.