Or: Why you shouldn’t use Experian/LifeLock Dark Web Monitoring
You know “the web”. This is what you and your friends visit, link to, and find in search engines.
The “dark web” is pretty much everything else.
While most associate the dark web with being the “evil” places on the Internet, that’s simply not true. It’s a branding thing – use words like dark or black and suddenly people think “evil.” The vast majority of the dark web really is just the rest of the Internet that you’ve never seen or heard of, or which doesn’t show Google/Meta ads or push their approved narratives, so search engines don’t index them. Bob’s Antique Shoe Repair, that tiny diner that just has a picture of their menu on their website, and the pages on a poorly designed website that just aren’t linked to effectively from anything else. These all end up being invisible to the typical person because the Internet is just so insanely massive.
Don’t get me wrong, there are evil parts of the dark web, as there are of the web you know already. Facebook has actively been supporting child porn on their platform. So has Google. As well as racism, intolerance, murder, porn, trafficking, and more. That last one is a joke, but it also really demonstrates the ridiculousness of allowing a social media site like Facebook that allows all of this evil to remain in control of the approved narratives for everyone else.
Anyway…this isn’t about that. What we need to talk about today is whether the “dark web” fear tactics from Experian and other credit reporting agencies, as well as exclusively-profit-driven Norton LifeLock and other “dark-web monitoring” services, are actually doing you a favor by warning you about the appearance of information “found” on the dark web.
No. No, you don’t need to worry. As long as you’re using new, strong, unique passwords for every single website and service, you don’t have anything more to worry about just because one site or another was hacked and your data is now in one more place.
I briefly covered part of this in the Dictionary Attacks & Targeted Dictionary Attacks sections of the recent Password Advice article: There are literally billions of hacked accounts reported every single month. HIBP covers only a tiny fraction of them – less than 3%. If HIBP hasn’t found it then there’s very little chance Experian will. Experian telling you the same thing that’s been reported in dozens of MSM stories and news articles shouldn’t really surprise you. What would surprise me is if they found anything new.
It is impossible to stress just how significant unique passwords are. Invest your time and mental focus on creating unique passwords instead of worrying about the dark web.
For the rest of this article I chiefly name Experian, but it would be safe to mentally replace it with any of these other “dark-web monitoring” companies and the advice still applies. Experian is just a perfect demonstration of why you don’t feed these gremlins.
The impetus of this particular article is a friend who was concerned about Experian reporting that her information was “recently” exposed in an AT&T data leak. This data leak, which AT&T vehemently denied for weeks (years, actually) before finally acknowledging it on March 30th, 2024, contains 73 million customers’ information, and was added to the Experian “dark web” reports on April 26th, 2024. Experian waited almost a month to even acknowledge the data that had been available to anyone for months prior, that AT&T knew about for months, and that had actually been compromised five years ago and had been available on the dark web, linked to on many security forums, three years ago.
Okay, so they’re slow, that doesn’t mean it isn’t important.
That’s true. It does, however, strongly suggest that they’re not pulling their weight. You see, the dark web monitoring is one of their paid services and it took them literally months to find information that was being publicly disclosed on many popular technology websites, years after it was posted on the popular dark web info-trading sites. Do you really think they’re capable of finding information in time to make any difference?
More importantly, is there any information about you whose leak or compromise, once you knew about it, would make that much of a difference to your daily life? Your bank account or financial information, maybe your passwords (especially if you reuse passwords)…anything else? Checking your credit a few times per year or being alerted months after something got out isn’t going to help. Monitor your bank, financial, and investment accounts rigorously. Check them at least once per month, since most institutions rely on fraud policies that cannot reverse transactions after 60 days. If you’re not checking your statements, then by the time you have a problem, anything that Experian or LifeLock told you would come too late to do anything about it anyway.
There are other concerns, though.
It’s not merely that Experian is ineffective. These services actually increase your risk.
Sites and services that collect sensitive information are prime targets. That is, Experian is more likely to be a target than Betty’s Knitting Hub. A relatively minor hack on Experian (or LifeLock) could result in major data access. Even a single customer record could enable an attacker to abuse someone’s entire identity. Experian is no stranger to this. At all.
The sensitive information I’m most concerned about isn’t your credit report data or your name, date of birth, or SSN, all of which can be obtained in seconds with a cheap background check. No, what I’m concerned with is all the data that you are required to populate into the “my private information” form on the Experian (or LifeLock) website so they know what to look for on the dark web. Stuff like your email addresses, phone numbers, user names, bank account numbers, credit card numbers, passwords, investment account details…you know, all the things an actual hacker would consider a wonderful treasure trove. This “feature” isn’t the same thing as adding your personal information to a credit report, as credit reports are actually limited in what they store and share, and for good reasons. The “monitoring” feature is wholly different because it literally creates a singular repository of information that would give an attacker who gained access to that one page a lottery-winning level of access to your information.
Question: If you give this information to Experian and Experian gets hacked and your data gets leaked as a result, what do you think the resolution is going to be? Maybe a couple years of “free” service from the same company that got hacked in the first place?
Yes. They were hacked. A lot. A whole lot. And that’s when they weren’t just flat-out selling your information.
Experian and Norton LifeLock have been hacked before. Lots. However, if you populate these forms, the attacker wouldn’t necessarily even need to hack Experian or LifeLock. All they need to do is gain access to that one online account (at Experian or LifeLock) and suddenly they have access to this huge treasure trove of information. Using a good password is an absolute necessity, especially in cases like this, but their account validation system has proven to be quite defective in the past so I wouldn’t trust it with any other information.
DO NOT give these data brokers any more information than they’re already going to sell or allow to be hacked. The benefit, even if there were any, is far outweighed by the massive additional risk.
Instead of using these ineffective and oft malicious services, just use new, strong, unique passwords on each site and take a few minutes each month to look at your statements.
Regards,
Shawn K. Hall