Dark Web Monitoring (DWM) involves a paid service which tells you whether your personal information has been leaked.

Hackers routinely target larger companies in an attempt to collect vast quantities of data. If they capture a list of usernames, emails, addresses, and possibly SSNs and credit card numbers, they can sell that information to someone else who may use it. They need to sell it out of public view, i.e. on the Dark Web, acting as an illegal data broker.
In terms of Dark Web Monitoring, it probably started like this: At some point, some sales/marketing exec saw one of these data leak lists and said “Hey, what if we told people their name was on this list? We could charge them for that info!”
Ninety-nine percent (99%) of the time, Dark Web Monitoring is a waste, but there are some target markets for which it may be useful.
When is it a good idea?
• √ You are a $100MM+ company and are looking for early signs of ransomware or extortion (or $25MM+ if in a high-risk industry)
• √ You are a Gov’t contractor using risky vendors and you need to identify compromised third-party vendors to reduce your supply chain risk.
• √ You are a $500MM+ organization worried about your brand and will have a very customized DWM service looking for usage of lookalike domains (cooompany.com vs company.com)
In all of these cases your organization has an actionable response plan in case there is notice of a leak. If your organization has this kind of budget, you should absolutely use DWM.

For the rest of us, the only other reason to really consider it is if your cyber insurance policy requires it, and you’d already know if you are in this category. There are no standards in cyber insurance and in fact the insurance agent may just want to sell you their DWM.
What about the rest of us?
So let’s discuss why DWM isn’t worth it for the rest of us.
You can’t unsteal it. If you get an alert that your phone number or email was used, there is little recourse. Most of us are not willing to change our phone number and email every few months, so it may be one of those things we need to accept, like death and taxes.
Many alerts contain old data. You could be alerted to a new data dump online. That could simply be old and rehashed data some teenager has posted online. Such an alert would be considered a false positive.
False Assurance. What if you don’t get any alerts? Are you in the clear? Unlikely. Just because a DWM service didn’t find a handoff on a private Discord channel doesn’t mean you’re not exposed. In fact, having no alerts is almost worse than getting an occasional one.
Alerts don’t prevent fraud. In a theoretical world, you’d get a DWM alert that a password was stolen from BigStore.com. If you’re also using that password for BigBank.com, then you would change your password for BigBank. You think: “Phew! Tragedy averted! Now nobody can get into my bank account.” There are too many problems to illustrate with that theoretical situation, but let’s just simplify it and make sure you never reuse passwords for the most important services (financial, email, Apple/Google/Microsoft). Beyond that, we’re in an MFA and post-MFA world, so at this point we should just assume our passwords are public knowledge.

Other things to consider with DWM
DWM is a target. Dark Web Monitoring services are a prime target for hackers. These companies store your sensitive information and are therefore a high-value target. If a DWM provider is breached, all of their customer data would be compromised in a single attack.
DWM may require sensitive information. Some services require submitting full credit card and banking details for detailed monitoring. Many people prefer to reduce how many services have access to their sensitive information, so the trade-off is worth evaluating.
DWM may already be free. Some credit card companies, email providers, and banks may already offer this service. Paid versions of DWM offer little value over these free alternatives.
DWM is not worth using if:
• You think it will prevent identity theft
• You are already using credit freezes, strong unique passwords everywhere, and using MFA or MFA+
• You learned about it because a vendor wants to sell it to you
• You are a consumer looking for protection that goes beyond identity theft monitoring.
Scott Morabito is a technologist and founder of TechTonic. He is a computer scientist and resides in Concord, MA.