More and more companies are trying to scare the willies out of Joe User about their personal information possibly being traded on the “dark web”.
Hmm. The truth is that, more often than not, you don’t have to go as far as the dark web to find users’ identities and personal information. Often personal data is being shared in broad daylight. Perhaps it has even been openly traded on Facebook… for years.
With no special tools, and just Facebook’s rudimentary search facility, Krebs uncovered over 100 forums that have been engaged in identity theft, credit card fraud, spamming, and denial-of-service attacks.
Virtually all the groups made no special effort to hide the criminal activity they were engaged in, openly advertising what they were about in their group names.
In total, Krebs counted more than 300,000 members of these groups – a staggering figure even if you consider that there was likely to be some overlap in membership. And approximately ten percent of the groups had been active on Facebook for more than four years (some had existed as long as *nine* years) without apparently being on the receiving end of any hassle from Facebook itself.
Krebs tipped off Facebook, who quickly shut down the pages. But why wasn’t something done sooner by Facebook itself?
The problem is that Facebook doesn’t care. Although it’s quite capable of writing code that might detect some of these suspicious groups and report them to its security teams (after all, it seems to have no trouble building far more complicated facial recognition code when it suits it), it would prefer to leave it to Facebook users to police the site for it.
Brian Krebs only spent a couple of hours looking for Facebook groups engaged in criminal activity, and he limited himself to English-speaking forums and groups with more than 25 members.
There will be more offending Facebook groups out there, but Facebook is waiting for people like you to tell them about it.
The fact that these groups existed unchallenged for up to nine years suggests that Facebook is simply not interested in proactively hunting for them itself.
Maybe you shouldn’t worry quite so much about the dark web, and concern yourself more about the regular web instead.