Businesses can learn a thing or two about security in darknet markets


There is no denying that darknet markets and the types of forums where hackers gather are hotbeds of criminal activity.

However, they also present some interesting examples of how legitimate companies can actually learn from those that are on the wrong side of the law.

What we’re talking about is account security and secure logins, and honestly, there are darknet marketplaces that have much stricter login procedures than most banks.

For example, to log in to my bank, I need to provide a customer number and password, and I’m in. My preferred browser can even remember the details, if I’m lazy.

However, to log into one particular darknet marketplace (which I won’t name), the process is much stricter, and for a variety of reasons. For one thing, these markets are often the target of distributed denial-of-service (DDoS) attacks, either by rivals or other threat actors. These attacks can take a site down for hours or days at a time, meaning (admittedly illegal) loss of business for both the site’s operators and the sellers who sell their products there.

To avoid this, darknet markets typically use a series of rotating .onion addresses. As each particular address falls, another can, in theory, take its place.

Some darknet sites also get around this by assigning a unique .onion address to each user. It’s the equivalent of, instead of logging in to, say, www.my.commbank.com.au, logging in to something like www.davidscommbank1234.com.au, with a set of characters unique to you that can be dialed in safely, and which only you have access to and, as such, cannot be affected by a DDoS campaign.

But there are many other layers of security to get through.

The first is an abstract pattern-matching exercise to keep bots away, which times out every few minutes and needs to be refreshed. Next, users must fill in two missing characters from a section of the .onion address in another puzzle. This ensures that you are, in fact, going to the desired site and not a fake site that will simply steal everything you want to spend.

It’s something that can happen, apparently. Who knew the dark web was so dubious?

Once the address verification is cleared, you choose one of a dozen languages to view the next page (and the site itself), and after that, we finally arrive at the login page.

Here you’ll find your usual password and username combination, along with some other authentication factors. There’s another captcha to fill out, this time a six-digit number to read and enter, and there’s also a text field for an additional passphrase, one that was created by the site when you created your account. Technically, this is something only the user and the site know, and it is fairly easy to remember along with the other login details.

All in all, it’s an impressive system. Even if a user is lazy and uses a name and password they’ve used before, which may well already be compromised, the site-generated passphrase is still necessary to log into the site.
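The login check described above, written out in Python as an added example; it is not code from the article or from any site it describes. The `AccountStore` class, the word list and the scrypt parameters are assumptions chosen for illustration.

```python
import hashlib
import hmac
import secrets

# Constructed mini word list for the demo; a real deployment would use a
# list of thousands of words so the passphrase carries enough entropy.
WORDS = ["amber", "birch", "cobalt", "delta", "ember", "fjord", "garnet",
         "harbor", "indigo", "juniper", "kelp", "lumen", "maple", "nickel",
         "onyx", "pewter"]


def _kdf(secret: str, salt: bytes) -> bytes:
    # scrypt is memory-hard, which slows offline guessing of a stolen database.
    return hashlib.scrypt(secret.encode(), salt=salt, n=2**14, r=8, p=1, dklen=32)


class AccountStore:
    def __init__(self):
        self._accounts = {}

    def register(self, username: str, password: str) -> str:
        """Create the account and return the site-generated passphrase once."""
        # The site, not the user, picks the passphrase, so it cannot be a
        # secret the user has already reused elsewhere.
        passphrase = " ".join(secrets.choice(WORDS) for _ in range(6))
        pw_salt, pp_salt = secrets.token_bytes(16), secrets.token_bytes(16)
        # Only salted hashes are stored, never the secrets themselves.
        self._accounts[username] = (pw_salt, _kdf(password, pw_salt),
                                    pp_salt, _kdf(passphrase, pp_salt))
        return passphrase

    def login(self, username: str, password: str, passphrase: str) -> bool:
        # Unknown users get dummy values so the same work is done either way.
        dummy = (b"\0" * 16, b"\0" * 32, b"\0" * 16, b"\0" * 32)
        pw_salt, pw_hash, pp_salt, pp_hash = self._accounts.get(username, dummy)
        # Both factors are always checked, each with a constant-time compare.
        pw_ok = hmac.compare_digest(_kdf(password, pw_salt), pw_hash)
        pp_ok = hmac.compare_digest(_kdf(passphrase, pp_salt), pp_hash)
        # Single yes/no answer: the caller never learns which factor failed.
        return username in self._accounts and pw_ok and pp_ok
```

A password that has leaked from another site is not enough here: `login` returns `False` unless the passphrase issued at registration is also supplied.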

It makes sense that these sites are so focused on security; after all, they are criminal enterprises. But they are also, at their core, highly efficient e-commerce sites, often international, with escrows of funds and digital wallets for users to store their cryptocurrencies on the site.

Darknet markets protect real money, or at least real value, if you’re one of those people who still can’t see bitcoins as real cash. And they are doing it in a technically impressive way.

I hope my bank catches up with the bad guys.
