The dark web is after your data. Here’s what you need to know

Once upon a time, bandits and thieves wielded masks and ransom notes to steal people’s hard-earned money. Today, things look a bit different. Just as many of our financial transactions and banking activities have moved online, so have the more sophisticated forms of theft. When it comes to financial crime, the “dark web” — the encrypted, underground network of websites that exists beneath the “surface web” — is a veritable playground for fraudsters. 

“Nowadays, if you want to cheat a bank, you don’t need to fake your salary statement,” explains Carsten Helm, Director of Anti-Financial Crime at N26. “You head to the dark web for a counterfeit one. Or even better, you try to buy an account there.”

But what is the dark web, anyway? How might a criminal try to use it to potentially steal your money, and what are companies like N26 doing to fight back? Let’s take a deeper look at the dark web and review a few tips on what you can do to keep your money and your identity safe. 

You might not know this, but the internet that most of us use in our daily lives is referred to as the “surface web” or “surface net.” This is the part of the web that’s public and accessible by anyone with an internet connection and a search engine like Google. 

But the surface web represents a mere 10% of the entire internet. The rest is contained within something known as the “deep web,” which isn’t accessible to the crawlers that index websites and allow them to appear in search engines. The deep web isn’t a nefarious place, per se. There’s a good reason why much of your online information — your bank-account information, passwords, and other sensitive personal data — should not be crawlable by search-engine bots.

The “dark web” is a subsection of the deep web. What does this mean, exactly? It’s an encrypted, underground network of websites that are hidden from the general public and accessible only through browsing software such as Tor, which aims to ensure anonymity. 

Because you can browse the dark web anonymously through a path of encrypted servers, it has become a hub for illegal activity, including stolen data. This stolen data, which may include passwords and sensitive account information, can be used for all sorts of nefarious purposes. 

Because the dark web is a kind of black box, it can be a hotspot for cyber thieves. In Helm’s experience, criminals on the dark web tend to be strongly connected and incredibly well-organized.

“These days,” he says, “fraudsters almost always work in groups, each specializing in different kinds of fraudulent activities.”

These fraudsters congregate on forums where they buy and sell stolen data and swap tricks of the (financial crime) trade. One could find any number of panic-inducing items on the shelves of these digital marketplaces. Financial information, such as stolen credit-card numbers and bank-account details? Yep, that’s there. Personal data, such as home addresses, birthdays, private email addresses, and Social Security numbers? Also there. Even one of these data points may be enough for a skilled fraudster to wreak havoc.

“Account takeover often happens because people lose [information] used to identify them,” says Olaf Hofmann, Director of Product for N26’s FinCrime Prevention, Identity, and Authentications team. Losing one piece of personal data doesn’t mean you’re completely exposed, he adds, but it can be more damaging than you’d think.

Say, for example, a fraudster gets access to your private email address and login details. They could potentially discover that you use your email address with your bank, then contact your bank via your email in an attempt to extract even more data. “Fraudsters try to get information that takes them one step further,” explains Hofmann. “All the way through to the point where they can impersonate you in a digital form.”

Security at N26

At N26, security is our priority. Discover a 100% mobile banking experience

Learn more about security at N26

Once they have a piece of valuable data, criminals can either use it themselves or sell it on one of the dark web’s marketplaces. Personal and account data are often sold in packages, which may include anything from a credit-card number to a customer’s full financial profile. 

As soon as a criminal has access to someone’s account or card details, they can cause immeasurable damage. They can make purchases or transfers in another person’s name, or use phishing tactics and attempt to infect their target’s devices with malware or ransomware to harvest more data. 

Alternatively, they may turn to bribery, demanding a ransom for the stolen data. In the worst cases, they can even use the information they’ve gathered to steal someone’s identity, open an account in that name, launder money, or attempt an account takeover.

But how do fraudsters access data in the first place? In general, there are four main ways that financial or personal details get exposed:

• Phishing. This type of social engineering involves fraudsters posing as a trusted entity or person to con victims into giving them sensitive information. 
• Malware. Malware is malicious software downloaded by a victim via a suspicious link or “scam page.” Once malware has been downloaded, it will search your computer for sensitive data like passwords and bank details, or track when you enter information online. 
• Skimming. Here, fraudsters mount a device to a card reader at a store or an ATM. These devices scan or photograph a victim’s card details when they make a purchase or withdraw funds. 
• Data breaches. In a data breach, a company or website is hacked, exposing sensitive customer information such as email addresses and credit-card details. Sometimes, criminals unearth some personal information (e.g. an email address) and use it to “phish” for more data or attempt an account takeover. 

Of all the ways in which criminals exploit their victims, Hofmann and Helm agree that phishing and social engineering can be the most difficult for banks to combat. Why? Because these tactics exploit core human emotions like fear and empathy. 

“With these social-engineering schemes, amazing storytellers reach out and make you believe that something terrible has happened or is about to happen,” explains Hofmann. Their goal is to get you panicked enough that you aren’t thinking straight. In this state, you might agree to transfer money or share personal information, even against your better judgment. 

Panic can especially set in if the scheme impersonates a threat from an authority figure, Hofmann notes. His advice? Stay vigilant: “If you’re not aware of these things on a daily basis, it’s easy to fall into their trap.”

Financial crime on the dark web is a problem that extends across the banking industry. To fight back, banks now have dedicated teams for surveilling threats, optimizing products, and educating customers. At N26, for instance, security teams are dedicated to understanding and tracking fraud. They also constantly add new measures to prevent fraud from occurring in the first place. 

Take Hofmann and his team. They seek to prevent financial crime by sussing out the story that customer transactions tell.

“Our mission is to understand all customer behavior from a holistic point of view — the spending patterns that build a digital footprint,” says Hofmann. “As soon as something goes outside that footprint, we have an anomaly.” 

To ensure that no fraudulent transactions slips under their radar, the team has established digital thresholds for what constitutes a possible red flag — such as transactions made from different countries, unusually high transfers, or money being sent to blacklisted accounts. When a transaction triggers these thresholds, we promptly investigate.  This way, we’re able to identify and examine suspicious behavior from the outset — catching fraudsters or malicious actors before they can do any meaningful damage. 

But combating fraudulent transactions is merely part of the story. As the Trust and Safety Team Lead at N26, Kyle Ferdolage and his team are on the front lines, waging a battle to keep customer data off the dark web and out of criminals’ hands. 

“Our scope is very wide,” says Ferdolage. “Anything where the customer is involved, we’re present.”

In contrast to other security teams, whose focus is on preventing data breaches or stopping illegitimate accounts from being opened, their role is to keep in touch with the pulse of what’s happening in the world of financial crime — and respond to it in a way that protects N26 customers. 

“We try to interpret any chatter we're picking up about N26 and the industry in general and go validate it,” says Ferdolage. Once they’ve identified a clear threat, they take this information to the Product teams, who build new security features to preemptively protect against any vulnerabilities. “The end goal is getting ahead of any scam before it happens.” 

Based on their intelligence, Ferdolage’s team also spearheads external communications about fraud issues, making sure that the right security information is being shared at the right time. They work closely with Customer Support teams to ensure that customers are properly authenticated and receive the right level of support when sensitive security questions arise. The team also runs product and process reviews, identifying and preemptively mitigating any risk of attack.

“You can’t fight fraud if you don’t know what’s out there,” Ferdolage explains. “So, we keep a finger on the pulse … If we know that a certain type of fraud or attack is hitting other banks, we know it’s going to hit us and we prepare for it.” 

This means actively mining the dark web for potential threats. N26 analysts are tasked with analyzing information on dark-web forums, looking for any related keywords or user data that may have been compromised. If they discover exposed user credentials, they immediately alert the security team and the user, which has a real impact for customers.

Sure, the dark web is a scary place, but there are ways you can keep yourself — and your data — safe. 

When it comes to phishing and other scams, Ferdolage and Hofmann both agree that vigilance is key. “I would be shocked if a bank ever called you out of the blue and it was a legitimate phone call,” says Ferdolage. “No bank communicates that way. Similarly, you’re not going to get a text message from your bank saying that your account is compromised.” 

If you receive communication that points you toward a website or URL, examine it carefully before clicking the link or downloading anything. If you see something fishy, don’t engage — contact your financial institution via their website, app, or another trusted entry point. Here are some other quick tips that may help you stay safe from prying eyes:

• Review your bank’s user agreement and policies to learn how they will reach out if there is a problem. 
• Keep your software up to date, and avoid public Wi-Fi whenever possible. 
• Visit haveibeenpwned.com to see if your data has been breached. 

Finally, if you believe you’ve been the victim of fraud, contact your bank immediately. “Be smart,” says Ferdolage, “and, when necessary, be skeptical.” 

At N26, we offer our customers convenient, digital banking — without compromising on security. You get extra peace of mind, thanks to security features such as biometric authentication, smartphone pairing, and 3D Secure technology. Receive instant push notifications for every transaction, so you know what’s happening on your account at all times. Want to know more about staying safe online? Check out our online security guide.