Share this article on:
There’s no denying that darknet marketplaces and the kinds of forums where hackers meet are hotbeds of criminal activity.
However, they also present some interesting examples of where legitimate businesses can actually learn from those on the wrong side of the law.
What we’re talking about is account security and secure logins, and honestly, there are darknet markets that have far more stringent login procedures than most banks.
For instance, to log into my bank, I need to supply a customer number and password, and I’m in. My browser of choice can even remember the details, if I’m feeling lazy.
However, to log in to a particular darknet market, for instance – which I won’t name – the process is far more stringent, and for a range of reasons. For one, such markets are often targeted by distributed denial-of-service (DDoS) attacks, either by rivals or other threat actors. These attacks can take a site down for hours or days at a time, which means a loss of (admittedly illegal) business for both the site operators and the vendors who ply their wares there.
To get around this, darknet marketplaces often use a series of revolving .onion addresses. As each particular address goes down, another can – in theory – take its place.
Some darknet sites also get around this by assigning a unique .onion address for each user. It’s the equivalent of instead of logging on to, say, www.my.commbank.com.au, you log on to something like www.davidscommbank1234.com.au, with a set of characters unique to you that can be safely bookmarked, and that only you have access to – and as such, it cannot be affected by a DDoS campaign.
But there are many other layers of security to pass through.
First up is an abstract pattern-matching exercise to keep out bots, which times out every few minutes and needs to be refreshed. Next, users are required to fill in two missing characters from a section of the .onion address in another puzzle – this ensures that you are, in fact, going to the intended site and not a spoofed site that will just rob you of anything you spend.
It is a thing that can happen, apparently. Who knew the darknet was so dodgy?
With address verification out of the way, you pick one of about a dozen languages to see the next page – and the site itself – in, and after that, we finally get to the login page.
Here you’ll find your usual password and username combination, alongside a few other authentication factors. There’s another captcha to complete, this time a six-digit number to be read and entered, but there’s also a text field for an additional passphrase – but this is one that was created by the site when an account is created. Technically, this is something that only a user and the site know and is easy enough to remember alongside the other login details.
Taken altogether, it’s an impressive system. Even if a user is lazy and uses a name and password they’ve used before, which could well be well and truly compromised already, the unique passphrase is still needed to log into the site.
It makes sense that these sites are so security-focused – they’re criminal enterprises, after all. But they’re also, at their heart, highly efficient, often international e-commerce sites, complete with escrow of funds and digital wallets for users to store their cryptocurrency onsite.
Darknet markets are protecting real money – or at least real value, if you’re one of those people who still can’t see bitcoins as actual cash. And they’re doing it in a technically impressive way.
I look forward to my bank catching up with the bad guys.
David Hollingworth has been writing about technology for over 20 years, and has worked for a range of print and online titles in his career. He is enjoying getting to grips with cyber security, especially when it lets him talk about Lego.