The concept of a data breach exposing thousands or millions of individuals’ personal information on the dark web emerged as a known threat years ago. And as necessity is the mother of invention, the first dark web identity monitoring services were born. Industry folks watched closely as the first dark web marketplace, Silk Road, came to be in 2011, when 164 million LinkedIn accounts were exposed in a breach the following year, and 3 billion Yahoo accounts were exposed in 2013. Meanwhile, the uninitiated first learned of their PII exposed on the dark web a few years later when their credit card provider or insurance carrier started offering free identity monitoring as a value-add service.
Today, dark web identity monitoring is ubiquitous, and ID monitoring service providers are challenged to differentiate their services from their competition to retain their customers. Here are five key factors to consider when offering a dark web identity monitoring service:
1. Data Quality
Identity monitoring providers are only as good as the data that drives their identity exposure detection and alerting. ID monitoring services need to ensure that any alerts they issue are based on an actual data breach, and not fake breach data inserted by hackers. In addition, the alerts must contain enough contextual information and guidance so that the consumer will know how to respond to the data exposure.
Breadth and Depth of Data
Many breach data providers are focused on credential exposures, turning their attention to the “big” breaches in the news and password combo lists, which represent only a small slice of the total volume of breached data. For every breach that makes headline news, there are hundreds that get no media coverage at all, and while combo lists recycle exposed credentials from an assortment of breaches, they neglect other exposed data like address, telephone number or Social Security number.
Verification of Data
Hackers are typically driven by the prospect of financial gain and breached identity data is incredibly profitable for them. The more data in a breach package, the more a hacker can make when distributing that data set. No strangers to dishonesty, hackers sometimes insert fabricated or duplicated data into a breach package to increase the file size and therefore the selling price. Downstream of these transactions, identity breach data providers capture these breach packages. Without data verification and deduplication, a breach package may be incorrectly attributed to the source of loss or may contain credentials and personal data for users that never joined the breached site, which will lead to a poor user experience, shattering the user’s confidence in their ID monitoring provider.
Actionable and Attributed Data
Actionable and attributed data is the cornerstone of a positive user experience. Imagine receiving a data exposure alert that read, “your data has been exposed on the dark web.” This creates more questions than it answers. Which of my data was exposed? What website or service is this related to? What can I do about this? It is therefore essential to provide specific alerts that are easy to understand and actionable, such as: “your email address and password were exposed in the Acme, Inc breach on 1/1/2022. Immediately change the passwords for all accounts where you’ve used the following password: *****789.”
Customizable Data Policies
Sometimes, exposed personal data cannot be attributed to a source with a high level of confidence. For instance, a user’s exposed credentials may be published in a password combo breach, which combines data from multiple breaches without providing clear attribution. However, the accuracy of this data can still be verified, making knowledge of this exposure very relevant and actionable to the end-user. Unfortunately, many identity breach data providers do not distinguish between attributed, unattributed, and combo-list breaches, making their alerts non-actionable. Providing attribution for a breach, without proper justification, can also create a legal risk, should a claimed breach source be inaccurate or not legally justifiable. Therefore, ID Monitoring services should seek data providers that can delineate attributed and unattributed breaches, giving the ID Monitoring provider the necessary precision and confidence to build the best possible user experience.
2. International Coverage
Widespread demand for dark web identity monitoring services first sprouted in the North American market, and a few years later emerged in the European market. These pioneer regions spearheaded consumer protection frameworks such as GDPR in the European Union and CCPA in California, indicating a maturing market and further legitimizing the identity protection space. Today, we’re seeing rapid growth in demand for dark web identity monitoring in Latin America, Asia Pacific and Australia, the Middle East, and India. As providers expand into these emerging markets, they increasingly rely on data providers to curate quality, actionable data from around the globe.
Beyond mere data coverage for these regions, high quality and actionable identity exposure alerts come from a provider that can tune in to nuances in identity data from every country and do so in the end-user’s preferred language. Consider many countries that use their citizens’ tax identification number as the primary government ID number (much like Social Security Number is used in the US), whereas some countries have a national ID card, and some implement both. A dark web identity monitoring service should seek out a breach identity data provider that understands country-specific ID number formats, and that can deliver alert messaging localized in the end-user’s preferred language.
3. Breadth of Coverage
Consumer ID monitoring services are often focused on credential exposures, as this is often the easiest story to tell users: the average person has 30 online accounts and reuses 3-4 passwords across all of them; therefore, a credential exposure puts you at risk for account takeover on 25% of your online accounts or more! While that approach is valid and every user can benefit from strong unique passwords, there’s a broad set of exposed data out there, beyond exposed passwords, that malicious actors are exploiting every day. The wide variety of exposed data types allows threat actors to send credible, targeted phishing emails, associate a phone number to your identity and send smishing messages, use unique information about users to answer security challenge questions on a password reset form, or simply commit identity theft, leaving the victim in financial despair.
Consumer ID monitoring services should seek out identity breach data providers that focus beyond just exposed credentials and can alert on a broad set of attributes such as: social security number, national ID number, passport number, phone number, address, bank account numbers, credit and debit card numbers, and support multiple email addresses per user to name a few.
4. Operational Impact
When you’re in the business of informing your customer of an unfortunate exposure of their personal data by an organization they trusted, you’re bound to get some questions from users. This is to be expected, so ID monitoring service providers staff call centers with employees trained to address customer questions. These call centers are expensive, so, it behooves the provider to design their service with the operational impact in mind. For example, earlier we discussed the importance of actionable and attributable alerts – explaining to the user what happened, when it happened, who was breached, what was exposed and what they should do about. Alerts that do not provide this level of detail can result in customer confusion and cause an increase in the number of helpdesk calls, thus driving up over all costs and lowering customer satisfaction. But even still, questions from customers are expected. You can reliably estimate the proportion of your alert recipients that will call in, but you cannot forecast when a breach will happen or how many of your customers will be impacted.
Consumer ID monitoring service providers should seek out identity breach data providers that can give advanced notice of a large breach in the ingestion pipeline, provide insights into how many users are impacted by the breach, and throttle the alert delivery to a specified number of alerts per day, thus avoiding any spikes in help desk calls. These powerful features can dramatically improve operational integrity by allowing providers to adequately staff call centers and maintain a high quality of customer service without incurring budget-breaking costs.
Finally, among the most damaging mistakes an ID monitoring service can make is delivering an alert to an unintended recipient and potentially revealing someone else’s personal information. The litigation risk of revealing another user’s information aside, an incorrectly delivered alert can have the same negative impact as an alert that is not actional or correctly attributed.
How can this happen?
Consider your home address–– it’s very likely you’re not the first person to live there and the previous tenant or owner once had a claim to that address. Should an ID monitoring service provider deliver an alert that matches their user’s address, how can they be certain the exposure relates their customer? Therefore, it is important to choose an identity breach data provider that offers identity disambiguation, which – in simple terms – considers multiple data points to validate the intended alert recipient. In this case, an alert would be generated if the exposure record contains the end user’s address and name, for example. While it is possible that a former resident of the user’s address shares a name with the current tenant, it is highly improbable, and therefore, such a simple disambiguation step can dramatically increase the confidence level that an alert is being delivered to the intended recipient.
5. Alert Scoring
We’ve discussed the importance of proper attribution, accuracy, and data quality. But we’ve also recognized that even when attribution is not possible, the breach data may still serve to protect the end-user from identity theft damages. Beyond consumer identity theft protection use-cases, breach data sets that cannot be attributed or verified may still be of value (for fraud detection, for example). But how does an ID Monitoring service provider distinguish the various levels of validation from one alert to another? Scores. A quality identity breach data provider can deliver scores with each alert, such as “attribution score,” “authenticity score,” and “confidence score,” each indicating a confidence level in attribution, confidence level in data authenticity and overall confidence level in data quality. From there, the ID monitoring service provider can fine-tune the user experience.
How Can Constella Help?
Over the past year, Constella Intelligence detected 66,000 breaches which contained 42 billion personal records. This information now circulates on the deep and dark web. In total, Constella’s curated data lake of exposed identity data contains over 12 billion exposed passwords, 66 billion exposed identity records, and 131 billion curated identity attributes. Our identity breach data service is built upon this industry leading data lake, with support for monitoring over 40 consumer and business data attributes and delivering alerts in over 30 languages. Constella’s massive repository of breach data has been carefully validated for attribution and authenticity, allowing us to not only serve a broad and deep data set, but ensure the alerts we deliver are of the upmost quality. Constella recognizes national ID and tax ID number formats for over 45 countries and captures breach data from all over the globe.
Constella’s dark web identity monitoring is designed with your operation in mind, delivering carefully validated alerts at your specified pace, including attribution and authenticity scores, clear recommendations for remediations localized in your end-user’s preferred language, and support for a comprehensive set of attributes available for monitoring.
