Experian and many other companies are pushing “dark web scans.” They promise to search the dark web for your personal information to see if criminals are selling it. Don’t waste your money.
What is the Dark Web?
The “dark web” consists of hidden websites that you can’t access without special software. These websites won’t appear when you use Google or another search engine, and you can’t even access them unless you go out of your way to use the appropriate tools.
For example, the Tor software can be used for anonymous browsing of the normal web, but it also hides special sites known as “.onion sites” or “Tor hidden services.” These websites use Tor to cloak their location, and you only access them through the Tor network.
There are legitimate uses for Tor hidden services. For example, Facebook offers a Tor .onion site at facebookcorewwwi.onion, which you can only access while connected to Tor. This allows people in countries where Facebook is blocked to access Facebook. The DuckDuckGo search engine is available at a Tor hidden service address, too. This could also help evade government censorship.
But the dark web is also used for criminal activities. If you’re going to sell databases of people’s credit card and social security numbers online, you want to hide your location so the authorities won’t swoop in. That’s why criminals often sell this data on the dark web. It’s the same reason why the infamous Silk Road website, an online black market for drugs and other illicit things, was only available through Tor.
They’re Not Scanning the Entire Dark Web
Let’s get one thing straight: These services are not scanning the entire dark web for your data. That’s just impossible.
There are 1,208,925,819,614,629,174,706,176 possible site addresses on the dark web, and that’s just counting Tor .onion sites. It wouldn’t be possible to check each one to see if it’s online and then also look for your data on it.
Even if these services were scanning the entirety of the public dark web—which they’re not—they wouldn’t be able to see the exclusive stuff anyway. That would be exchanged privately and not made public.
What Does a “Dark Web Scan” Do, Then?
No company that offers a “dark web scan” will tell you what they do, but we can certainly make an informed guess. These companies are gathering data dumps made public on popular websites on the dark web.
When we say “data dumps,” we’re referring to big databases of usernames and passwords—as well as other personal information, like social security numbers and credit card details—that are stolen from compromised websites and released online.
Rather than scanning the dark web, they’re scanning lists of leaked passwords and personal information—which, admittedly, are often found on the dark web. They’ll then inform you if your personal information is found on one of the lists they could get their hands on.
However, even if a dark web scan says you’re fine, you might not be—they’re only searching the publicly available leaks to which they have access. They can’t scan everything out there.
How to Monitor Data Breaches for Free
Behind all the “dark web scan” hype, there’s a somewhat useful service here. But, guess what: You can already do much of this for free.
Troy Hunt’s Have I Been Pwned? will tell you whether your email address or password appears in one of 322 (and counting) data dumps from websites. You can also have it notify you when your email address appears in a new data dump.
This service doesn’t scan to see if your social security number is included in any of these leaks, as dark web scans promise to do. But, if you’re just looking to see if your credentials have leaked, it’s a useful service.
As always, it’s a good idea to use unique passwords everywhere. That way, even if your email address and password from one website appear in a leak, criminals can’t just try that combination on other websites to gain access to your accounts. A password manager can remember all those unique passwords for you.
Face the Facts: Your Data Is Already Stolen
You might still be thinking a dark web scan could be useful. After all, it tells you whether your social security number appears in any data dumps. That’s useful, right?
Well, not necessarily. Look, you should probably assume that your social security number has already been compromised and criminals can access it if they like. That’s the harsh truth.
Huge breaches have been coming hard and fast. Equifax leaked 145.5 million social security numbers. Anthem leaked the information of 78.8 million people, including social security numbers. The United States Office of Personnel Management (OPM) leaked sensitive information on 21.5 million people, too—again, including social security numbers.
Those are just a few examples. There have been many other leaks over the years—a few million here, a few hundred thousand there. And that’s just the data breaches that have been publicly reported. Statistically speaking, most Americans have probably had their social security numbers leaked in at least one of these data breaches by now. The genie is out of the bottle.
Freeze Your Credit; It’s Free Now
If you’re concerned about someone abusing your social security number, we recommend freezing your credit reports. Credit freezes (and unfreezes) are now free across the entire USA.
When you freeze your credit, you’re preventing people from opening new credit in your name. No lending institution will be able to pull your credit until you unfreeze it or provide a PIN. You can temporarily unfreeze your credit when you want to apply for credit—for example, when you’re applying for a credit card, car loan, or mortgage. But a criminal shouldn’t be able to apply for credit with your personal information if your credit reports are frozen.
We recommend just freezing your credit reports and skipping the dark web scan. Unlike a dark web scan, credit freezes are free. They also do something—even if your social security number is found in a dark web scan, all you can do is freeze your credit anyway. And criminals might get their hands on your social security number even if it doesn’t appear in a dark web scan.