'I fought the Dark Web and the Dark Web won' Author documents dive into internet basement after ID theft

realclearinvestigations.com ^ | 2/3/2021 | John Wasick

[rktman]

Your “application for unemployment benefits has been approved,” stated the letter from the Illinois unemployment bureau a few weeks back. That was perplexing, since I never applied and wasn’t unemployed. So I immediately told my (part-time) employer and the state unemployment agency.

Turns out somebody had stolen my personal information – again. [Insert grimace emoji here.]

Since this was the third time I’d been a victim of identity theft and fraud, I was steamed and wanted to know how thieves kept getting my information and conducted their grifting. If I knew where they got my information, maybe I could change some of my online behavior or take better precautions. I spent a lot of time on the phone giving my state unemployment agency my details. They were so swamped, it took them weeks to get back to me after I left a voicemail reporting the fraud.

I realized I would have to take matters into my own hands. This led to a month-long odyssey that included interviews with security experts and law enforcement officials and some frightening insights about the modern thieves market called the dark web. It was also a dispiriting trek as I was reminded how helpless we can be in the face of global technology that makes life easier for both the law abiding and the criminal.

[El Cid]

Ping

[rktman]

Some one locally posted a picture yesterday of one of the nearby “community” mail boxes. It was wide open and you could see mail and packages just sitting there. I mean WTH? The carrier forgot to close it up after filling it? What should we expect for (?) $40.00/hr? I have no clue what the post office pays these days. Anyone? Bueller? Any PO workers on here?

[rktman]

Roger that. Thanks for the heads up.

[lastchance]

I always wondered what would happen if I slipped a few of our deposit slips into the pile supplied by the bank.

[lastchance]

I’d rather use my full name “Joe Biden.”

[palmer]

That looks like not much more than an ad for a password manager. The problem is that complex passwords don't help against most of the threats that they list on that site, namely websites and servers being hacked and passwords being intercepted as cleartext or stored in some encrypted form (instead of sallted hashes).

[ProtectOurFreedom]

So I read the entire RCI article and it basically says “You are screwed. There’s nothing you can do. And the problem is too difficult for the FBI to solve.”

[BiglyCommentary]

True about the pw’s but the real value if seeing if your email address showed up in any the major web site or corporate hacks for the last many years and that data was out being sold on the dark web. They give you the Db, what info was hacked.

[rktman]

Sorry, most fbi agents, the vast majority of whom are good guys (says pedo joe), are busy diligently working on investigating 45. 😯😴😴😴😴😴

[Pearls Before Swine]

I use the same password on all chat boards, and hackers probably know it.

Me too, but for NOTHING else.

[BipolarBob]

My place is so run down and trashy a tornado came by and did $15,000 worth of improvement which got my taxes raised.

[KarlInOhio]

My place is so run down and trashy a tornado came by and did $15,000 worth of improvement which got my taxes raised.

I had a couple of Bengals tickets on my dashboard and someone broke a window and left two more.

[palmer]

Yeah, that seems to be valuable. I typed some old defunct passwords and they showed up on some sites that I never registered at. It seems that the email and passwords were hacked somewhere else (where I did register) and then transfered somehow.

I also tried a number of made-up emails and they were not found. I tried plausible and implausible with the same result. So the lookup seems to be legit, but I don't know how my old email address ended up in so many places.

[palmer]

I meant to say I tried old defunct emails (not passwords).

[The Louiswu]

“It’s clear where the world is going. We’re entering a world where every thermostat, every electrical heater, every air conditioner, every power plant, every medical device, every hospital, every traffic light, every automobile will be connected to the Internet. Think about what it will mean for the world when those devices are the subject of attack.”
― Andy Greenberg, Sandworm: A New Era of Cyberwar and the Hunt for the Kremlin’s Most Dangerous Hackers

[BiglyCommentary]

old defunct passwords and they showed up on some sites that I never registered at.

But if those are common/semi-common and others who used them too and were hacked, those pw's will show up. Improperly designed password generators that use the same default seed will dish out the same random scramble to all who use it. If you download one and it dishes out the same pw on two different phones/PC's, avoid.

[agatheringstorm]

How do you see what sites the passwords were used on? I don’t see that on the pwned site when I search on a password.

[Pollster1]

Good thing our financial folks were on the ball and called us both within a few minutes of each other to question pending purchases far away from our location.

I've had that call every few years. "Hello, we're calling about a recent charge on your credit card, last four digits _____. Did you purchase ______ online?" I find it interesting that they flag out of character purchases and impressive that they don't seem to have missed even one. A hacker who ordered ammo using my credit card could get what he wanted delivered. The stuff they buy? Nope. Red flag.

[fuzzylogic]

My video streaming service was hacked, my settings got changed, including the nationality of text (to German).

I changed the password and reset the settings. That lasted a couple of days, then the hacker got back in. How? I made sure when I changed my password that everything was secure (I’m a software engineer). I changed it again but with same result.

It only stopped after I change the account email address. Huh. It was as though this person had a means of attaining a password to a specific account via knowing the email address. I could only put it down to an inside job or the service provider has a backend that has severe security holes.

Few people I know have tried going on the dark web. I have, just to know. You quickly realize this is a pedo’s heaven. Just do a search on “short stories” - all sick. Knowing there’s people out there that relish in consuming this is highly disturbing, it’s certainly part of the world you do not see. Other aspects were illegal drugs and “dirty deeds”. There’s really only bad reasons to go in there. Most would be shocked.

[BobL]

Here are a few of my security steps. So far, so good:

1) Minimize use of Social Security Numbers. Other than a few cases (banks, IRS, job applications, credit applications, DMV) they’re really not needed. For example, it never hurts to ‘make a small mistake’ when putting down an SS number in a doctor’s office, as they’re only used to track down deadbeats, so if you plan to pay, you’re fine.

2) Minimize credit card applications - the less you toss out your number, the better.

3) Go through old hard copies of things with an SS Number, like tax returns. Do you REALLY need to see your SS Number on your old tax returns? I went through them all with an Exacto Knife and cut them out, and then flushed them down the toilet. Same for any other document with that number...or than something original, like a birth certificate or marriage license. No need to have that number everywhere.

4) Enable hard drive encryption on your computer. For Windows it costs $99 ,one time, and means that whoever is trying to read it needs your password (called Bit Locker, and is part of Windows - you just need to pay to enable it). Otherwise no dice. Works with portable drives too (thumb, SD, Hard Drives, etc.). Everything that I have with data is encrypted and no, they won’t get in, even with possession of my computer.

Lots more stuff too.