The VICE Channels

    Some Dark Web Markets Have Better User Security than Gmail, Instagram

    Written by

    Joseph Cox


    Photo: Paul Bradbury/Getty Images

    By themselves, passwords are just not good enough for ensuring the security of an account. In response, some companies have introduced two-factor authentication (2FA), meaning that a suspicious login attempt needs to be cleared by the user with another piece of information, such as a code sent to their mobile phone.

    But, in this regard, some dark web markets arguably have even better user security than many large, online services.

    Probably the most cautious is AlphaBay, a site selling drugs, stolen data and hacking tools. AlphaBay recently required all vendors to use two-factor authentication on their accounts.

    “We now enforce mandatory 2FA (two-factor authentication) for all vendors. This is part of an increasing effort to stop phishing on the marketplace. We recommend that everyone uses 2FA for more security,” reads an announcement on the AlphaBay site posted earlier this month.

    AlphaBay’s two-factor authentication uses PGP encryption. Users upload a public key to their profile, and then every time they log in, the site presents a message encrypted just for them. The visitor then needs to decrypt this, and enter the 16 character code nestled within. Naturally, only someone with the correct PGP secret key should be able to log into the account, keeping any bitcoins stored with the site or private messages that much safer.

    Those with buyer accounts can also use two-factor authentication, but it’s not mandatory. When making a buyer test account on Wednesday, however, this reporter was prompted to go through the two-factor authentication process after uploading a PGP public key.

    Of course, this is not to claim that, say, Google, as a company has worse security overall than an illegal marketplace

    Other dark web markets, such as Valhalla and Outlaw, also allow users to log in by decrypting a PGP message, but it is not mandatory on either of those sites.

    AlphaBay also gives users a mnemonic: a list of seven words that have to be used in order to recover a lost password. If the user doesn't remember or make a safe record of that phrase, then their password is lost forever, the site claims. Plenty of sites, including AlphaBay, also require users to enter a PIN number in order to withdraw bitcoins from their account.

    Quite a few mainstream services do allow two-factor authentication if the user wants to enable it. Google has it, to protect cloud storage and emails. Dropbox uses it too, and Instagram just introduced it last month.

    The thing is, for all of these companies, two-factor authentication is optional. For AlphaBay vendors, however, irrespective of whether they're selling heroin, rifles, or a piece of malware, they all have to use two-factor authentication. Arguably, that's an improvement over many everyday sites.

    Of course, this is not to claim that, say, Google, as a company has worse security overall than an illegal marketplace. Plenty of dark web sites have been hacked over the years, resulting in millions of dollars worth of bitcoin being stolen. But enforcing two-factor authentication when plenty of companies are only just introducing it at all displays an interesting disconnect between the security of illicit and legal sites.