Some cybercrime doesn’t even take the effort of a hack to make a payday. It’s as easy as shopping online. Computer security journalist Brian Krebs says would-be fraudsters have only to visit an online shop that offers buyers SSNs, stolen credit card numbers and stolen W-2 data on real people. One such vendor, Krebs writes, had as many as 3,000 W-2 data packages for sale, each carrying the employer name, EIN, mailing address, SSN and 2016 wages, and withholding amounts of an actual taxpayer.
While there are ways to prevent identity-theft-driven tax fraud, prosecution of hacking or identity theft cases remains a hit-and-miss affair. Have you ever wondered how these cyber-thieves manage to remain just out of reach for most prosecution? For that, we have to go to a portion of the internet that is largely unexplored.
The Dark Side of the Web
The phenomenon is called darknet or the Dark Web. It exists to provide a curtain of anonymity for its citizens, no matter how lawful their actions or intentions may be. Users’ identities are cloaked against detection from law enforcement, hackers and government authorities.
Standard web browsers and search engines don’t even see darknet websites. Without the special encryption software and proprietary web browsers of each network, outside users don’t have a chance of accessing any of the sites within.
Granted, there may be an upside to the darknet. It provides a safe haven for whistleblowers to report misconduct in business and government; it’s a meeting place for oppressed citizens in countries where freedom of speech or religion isn’t a given right; and the darknet is big for matchmaking services who stress privacy for their clients.
According to TechRepublic’s Dan Patterson, like any other neighborhood, the darknet is patrolled regularly:
“The web's substratum is populated by mainstream web companies like Facebook, political activists and journalists who need to communicate and share sensitive information. The United Nations, FBI and CIA use the encrypted internet to monitor terror groups and keep tabs on criminal profiteers. Corporate IT departments frequently crawl the Dark Web in search of stolen corporate credit card information and compromised accounts.”
But the darknet definitely has a dark side. It’s a black market where all sorts of stuff – legal and otherwise – is regularly bought and sold. This is where hackers and identity thieves can do their business in the open, selling SSNs and stolen credit card numbers. If your identity gets stolen, it can be bought and sold here.
IBM’s developerWorks blog says darknet crime bazaars sell stolen credit card numbers for as little as $1 each. A stolen SSN with valid birth dates is worth $15, while the big money – around $60 – goes for health care records, which can contain Social Security numbers and other valuable data in one, no-expiration-date package. With any of this data, the identity thief can open new credit accounts, file fraudulent income tax returns or get loans.
How do they pay for this stuff? Regular credit cards can’t be used, since those transactions can be traced. Instead, virtual cash such as Bitcoin is the national currency of the darknet. Virtual currency transactions are totally anonymous using account numbers, not names, for buyers or sellers.
Escrow services add another layer to the Bitcoin security, ensuring separation between buyer and seller. An escrow service verifies the buyer has the money to pay for the item or service, holds the funds for the seller, then verifies the product has arrived at the buyer or that the service has been completed, then releases the escrowed funds. An escrow service can be a third-party provider or may be provided by the darknet marketplace itself.
More Than One Kind of Dark
There are a number of darknets, which in the strictest sense, can be any internet-based network that is closed to the casual user. One of the largest and most successful is TOR (which stands for “The Onion Router”); members can access the TOR network (think layers, like an onion) using their proprietary web browser. All sites on the TOR net end with its signature “.onion” domain name.
Another popular darknet is I2P, “The Invisible Internet Project.” Said to be slower than TOR, I2P also has the reputation of being even more difficult to crack and resistant to law enforcement surveillance efforts.
It should be noted that the darknet should not be confused with the term “deep web,” which is that portion of the standard internet that isn’t accessed by Google and other search engines. While some people use the two terms interchangeably, they are distinctly different.
Bring Some Light to the Dark
While most of us don’t have the computer resources to track down an identity thief, we do have the ability to thwart their efforts.
- Brian Krebs recommends filing income tax returns early, before the fraudster does. The first return through the IRS’ door wins the race.
- Krebs also recommends getting a free copy of your credit report – and doing it every year. Review it, and if no suspicious activity surfaces, order the credit bureaus to freeze your credit file, ensuring a credit account isn’t started without your knowledge.
- Taxpayers who might become a victim of identity theft (or have already fallen victim) can use Form 14039 to request an Identity Protection PIN from the IRS. The IRS will issue a new IP PIN each year.
The Security Summit is made up of officials from the IRS, state tax agencies and leading partners in the income tax industry.
Taxpayers can read more about the Security Summit and its efforts at its Taxes. Security. Together. website.
Tax professionals can consult the IRS’ web page Protect Your Clients; Protect Yourself for the latest in alerts and defenses for tax preparers.