by Matt Tatham, manager of content insights and data analyst at Experian Consumer Services
Chances are that you’ve heard about criminals buying or selling stolen personal information on the dark web. That’s not news, but did you know that the items listed go far beyond credit cards or Social Security numbers?
In fact, your entire online identity can be bought for $1170 according to the Dark Web Market Price Index from Top10VPN, an independent VPN review site.
The research is based on tens of thousands of listings on three of the most popular dark web markets (Dream, Point and Wall Street Market). That research focused on dark web listings featuring stolen IDs, hacked accounts, and additional personal information and calculates the average sale prices in U.S. dollars.
Criminals buy and sell personal information, including online banking details, credit or debit card details on the dark web. You may have not known that they can also buy passports along with logins and passwords for email providers, mobile carriers, retail stores, social networks, ride sharing sites, streaming sites, stolen dating profiles, and even food delivery sites.
“While login credentials for various sites can seem harmless and have a generally low price point on the dark web, people shouldn’t underestimate their value to unlock very valuable consumer data,” said Brian Stack, vice president of engineering at Experian Consumer Services.
“Many consumers reuse the same logins and passwords across their accounts. Unfortunately, the dark web has many tools for sale that allow hackers to run countless variations of user ID and password combinations, so they can take a fairly benign email account and then unlock a consumer’s bank account.”
Also, these days the average person is managing 191 passwords, according to LastPass — which are a lot of accounts that hold a lot of personal information that can be used to form an online identity and, in turn, be hacked and sold.
Types of Personal Information on the Dark Web
The following is a breakdown of different types of personal information and what it’s worth to hackers:
- Personal Finance details, and credit cards in particular, are the most common listed items and the most valuable. A popular listing type in this category is known as “Fullz” meaning bundles of “full” identifying information that may be packaged with financial details or sold individually. This information included can include name, billing address, mother’s maiden name, Social Security number, and date of birth.
- Proof of Identity can be passport scans, utility bills and even selfies. Criminals can use this information in order to set up new financial accounts such as credit cards or personal loans.
- Online Shopping details tend to be cheaper because of the amount available to criminals, but the risk is still high for consumers. Criminals can use stored payment details to commit online shopping fraud by billing victims for expensive items only to ship them to a different address in order to sell them and keep the cash.
- Travel Information gives criminals the same access to stored payment information to book travel and charge victim’s accounts. Simon Migliano, head of research at Top10VPN.com, explains that there have been reports of hackers changing a travel host’s payment details, so they don’t get the money when someone stays with them. “Fraudsters also hijack accounts of highly-rated guests to book stays in premium properties and even burglarize the hosts.”
- Entertainment Login Information allows criminals to stream content for free. However, given the popularity of these services there is a limited ability for reusing the logins.
- Carriers/Cable Television Accounts can be used to send spam emails with phishing links while mobile phone accounts provide a lot of fraud opportunities, from identity theft to being used for bank account verification.
- Package Delivery scams involve using stolen online payment login information to buy merchandise under the victim’s name. Scammers send the packages to another address then pick up the parcels and resell the merchandise.
- Social Media Accounts offer up a large amount of personal data to help criminals get access to many different victim accounts and commit identity theft.
- Email Accounts that have been hacked number in the millions on the dark web. Getting access to a victim’s email account could just be one piece of a larger crime.
- Food Delivery Information can allow criminals to order food on someone else’s account so they don’t have to pay for it. Migliano reports that one food order of nearly $180 was racked up on a hacked account.
- Dating Profiles that have been hacked can be used for catfishing, says Migliano. Catfishing is when a scammer uses a fake identity to lure a victim into a relationship in order to take advantage of them. Additionally, online dating scams are another way that thieves can get money from victims — developing relationships with them and then eventually asking for money.
Just as in the regular economy, supply and demand has a role on the dark web markets. Prices for personal information can change, especially when a large-scale data breach happens — all you should really focus is making sure your information is not on the dark web.
How Can I Protect Myself From the Dark Web?
Even though data breaches are outside of your control, you can still make sure not to share any personal information across your accounts unnecessarily and maintain healthy password practices.
If you do learn your data is breached, change your passwords on any account using the same email address. Also, you should review all credit card statements each month to flag fraudulent charges immediately and get a new card number if needed.
Matt Tatham is the manager of content insights and data analyst at Experian Consumer Services, a division of Experian, the nation’s largest credit bureau. Since joining Experian in 2007, he has worked across multiple business units including the Decision Analytics and Marketing Services groups while as a member of the corporate communications department.