Bad actors leverage a bewildering variety of schemes, including ATOs, credential stuffing and phishing, against merchants.

What all of these attack vectors have in common is that they rely on stolen customer data like email addresses, passwords or Social Security numbers, with fraudsters using these credentials to impersonate others and gain access to accounts or potential targets for additional scams. Fraudsters sometimes gather the data necessary to perpetrate these schemes during previous attacks, but a more likely scenario sees them simply purchasing these credentials in bulk from dark web marketplaces.

Dark web marketplaces are like open-air bazaars for fraudsters, allowing ample stolen data to be purchased and sold — sometimes extremely cheaply. Some hackers earn the bulk of their money by carrying out identity thefts and data breaches and selling the stolen credentials from those attacks to other fraudsters. Some sources estimate that more than 15 billion credentials are circulating the dark web, 5 billion of which are unique username-password combinations that are typically considered more valuable.

The following Deep Dive explores how these credentials wind up for sale on these marketplaces, why they can be so dangerous in the wrong hands and how merchants can protect themselves and their customers from data breaches and cyberattacks that use them.

How Data Ends Up On The Dark Web

Stolen data can make its way onto dark web marketplaces via various avenues, with some of the most high-profile methods consisting of massive data breaches that leak passwords, usernames, email addresses and other sensitive information into cyberspace. The scale of some of these breaches is nothing short of breathtaking. The infamous Yahoo breach in 2013 compromised approximately 3 billion names, email addresses, phone numbers and other login information, for example. Other breaches from household names like Facebook, Marriott and MySpace leaked hundreds of millions of credentials per incident, resulting in untold terabytes of customer information being put up for grabs on dark web marketplaces.

Making this stolen data even more dangerous is the fact that customers are prone to recycling passwords for multiple accounts, meaning that a successful data breach that hits just one website could compromise any accounts that use the same details. Studies have shown that up to 66 percent of consumers use the same password across multiple accounts, despite 91 percent of individuals agreeing that this represents a security risk. Forty-two percent of respondents said that they feel their data is not valuable enough to be worth a hacker’s time, but what they fail to realize is that staging an ATO can take mere seconds.

Once an attacker has a verified set of stolen credentials, there is very little a password-based authentication system can do to keep them away. Merchants must therefore step up their fraud prevention measures to block the use of stolen credentials as well as keep fraudsters from getting their hands on said data in the first place.

How Merchants Can Fight Back

Preventing customers from having their data stolen can be a tall order for merchants, but merchants can take numerous steps to significantly reduce the risk. Experts recommend training employees in security best practices, such as generating unique and strong passwords that fraudsters cannot easily crack and subsequently use to infiltrate businesses’ systems and gain access to customer data. Another common vector for data breaches is phishing, in which bad actors attempt to swindle employees out of their login information to breach company networks. Many company security experts recommend that companies conduct regular phishing drills to educate their employees and test their ability to spot and flag suspicious emails.

Fighting bad actors wielding stolen data is another battle entirely, but one promising anti-fraud method is multifactor authentication (MFA), which requires additional input from customers, such as numeric codes sent to smartphones, rather than just their passwords. These authentication methods can stop bad actors cold by rendering the passwords that have been stolen via data breaches useless. Studies have found that MFA can prevent more than 99 percent of attacks that rely on stolen credentials purchased from dark web marketplaces, making such solutions particularly imposing obstacles for hackers.

All of these solutions are fairly simple for merchants of all sizes to develop and deploy, and they can punch far above their weight in terms of stopping fraud in its tracks. Data breaches and dark web marketplaces will likely never disappear entirely, but taking the appropriate steps to safeguard both businesses’ networks and consumers can significantly curb their impacts.