- The Dark Web is being successfully utilized more and more by fraudsters
- Email addresses can be harvested via legitimate web sites
- Google has responded with new security features
In earlier posts we've mentioned the Dark Web and how it's becoming an increasingly accessible "market" for fraudsters -- and a danger to unwitting visitors to scam websites.
Personal information like email addresses can find its way onto the dark web as a result of data breaches at services and platforms you may be signed up for. This information can then be sold and used by cybercriminals in a variety of ways, including identity theft, banking fraud, and phishing scams.
In other words, even careful users of the internet can have their email addresses appropriated by bad actors as a result of data breaches at perfectly legit services and platforms they've signed up for -- and that information can then be sold and used for identity theft, bank fraud, and phishing scams.
Email Addresses Matter in Banking
When email addresses and credentials are sold on the dark web, there is a real danger for banks and their customers. Many banks deploy a multi-step authentication process which makes it more difficult for fraudsters to gain access to an account.
Two-factor authentication (2FA), sometimes referred to as two-step verification or dual-factor authentication, is a security process in which users provide two different authentication factors to verify themselves.
2FA is implemented to better protect both a user's credentials and the resources the user can access. Two-factor authentication provides a higher level of security than authentication methods that depend on single-factor authentication (SFA), in which the user provides only one factor -- typically, a password or passcode. Two-factor authentication methods rely on a user providing a password as the first factor and a second, different factor -- usually either a security token or a biometric factor, such as a fingerprint or facial scan.
Many banks utilize a 2FA process where a randomly generated numeric code is sent via text message, phone call, or email to the account holder to approve the sign-in -- which cuts the threat of account takeovers (ATOs).
Additionally, for approval of a suspicious single transaction, banks will send an alert via text message, phone call, or email to the account holder which requires a single action to approve the transaction but does not give access to the account.
Without an effective barrier, a fraudster has the ability to transfer funds to a drop account, or approve a transaction -- including fraudulent checks.
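The two flows described above, sign-in approval and single-transaction approval, as an added Python example (not code from any bank or from this post): each code is bound to one purpose, so a code sent to approve a transaction cannot be used to sign in. The class name, the scope strings, and the expiry and attempt limits are assumptions chosen for illustration.

```python
import hashlib
import hmac
import secrets
import time

CODE_TTL = 300        # seconds a code stays valid (assumed value)
MAX_ATTEMPTS = 3      # wrong guesses allowed before the challenge is burned (assumed)


class ChallengeStore:
    """In-memory one-time-code store; a real service would persist this server-side."""

    def __init__(self, now=time.time):
        self._now = now
        self._pending = {}  # (user, scope) -> [code_hash, expires_at, attempts_left]

    @staticmethod
    def _digest(code, user, scope):
        # Hash the code together with its scope so a stored value is useless elsewhere.
        return hashlib.sha256(f"{user}|{scope}|{code}".encode()).digest()

    def issue(self, user, scope):
        """Create a 6-digit code for one scope, e.g. 'login' or 'txn:<id>'."""
        code = f"{secrets.randbelow(10**6):06d}"  # CSPRNG, not random.random()
        self._pending[(user, scope)] = [
            self._digest(code, user, scope), self._now() + CODE_TTL, MAX_ATTEMPTS]
        return code  # delivered out of band (text message, call, or email)

    def verify(self, user, scope, code):
        """Return True once for the right code in the right scope, else False."""
        entry = self._pending.get((user, scope))
        if entry is None:
            return False
        code_hash, expires_at, attempts_left = entry
        if self._now() > expires_at:
            del self._pending[(user, scope)]
            return False
        if hmac.compare_digest(code_hash, self._digest(code, user, scope)):
            del self._pending[(user, scope)]  # single use
            return True
        entry[2] = attempts_left - 1
        if entry[2] <= 0:
            del self._pending[(user, scope)]  # burn after too many wrong guesses
        return False
```

Because the scope is part of the lookup key and of the stored hash, a code intercepted from a transaction alert only ever approves that one transaction.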
Gmail Monitoring the Dark Web
As reported on The Verge, Google has introduced a new security feature to inform you if your email address has been published on the dark web.
The search giant announced plans to roll out a handful of new security features designed to better protect those using Google products and services, including spam protections for Google Drive and improved search history deletion in Maps.
The company is expanding its “dark web report” feature to all Gmail accounts in the US over the coming weeks, which scans to check if your Gmail address is appearing on the dark web and advises on steps that users can take to bolster their online security. The password manager built into the Chrome browser already does a fairly good job of nagging you to keep your data protected, but this goes a step further.
Additionally, the new Google tools help users quickly and easily "tag" suspicious email to avoid trouble down the road.
The spam protections typically found in Gmail are now being expanded to Google Drive, with a new view rolling out that’s designed to help users control what they want to designate as spam. Drive will automatically classify obvious offenders into the spam view to prevent users from accidentally accessing any “unwanted or abusive content,” and Google claims that the new view makes separating and reviewing files much easier.
Evaluating the Dark Web Threat
As we've noted, the dark web is the major marketplace for stolen credentials AND where stolen checks ultimately land after criminals rob mail carriers and mailboxes. While banks are making the shift towards deploying new AI and machine learning technologies to detect fraudulent transactions such as counterfeit, forged, and altered checks, more is needed to disrupt the fraud ecosystem.
Q6Cyber’s Eli Dominitz, CEO, and Maria Noriega, Manager, noted that utilizing a monitoring service to scan the dark web will allow banks to preemptively take action before fraud can be committed.
In the fight against fraud, there is no reason not to deploy multiple technologies and solutions that complement each other, creating a full-scope fraud defense.