US Treasury Dept: Banks Should Block Tor Nodes
tsu doh nimh writes: A new report from the U.S. Treasury Department found that nearly $24 million in bank account takeovers by hackers (and other cyber theft over the past decade) might have been thwarted had affected institutions known to look for and block transactions coming through the Tor anonymity network. Brian Krebs cites from the non-public report, which relied on an analysis of suspicious activity reports filed by banks over the past decade: "Analysis of these documents found that few filers were aware of the connection to Tor, that the bulk of these filings were related to cybercrime, and that Tor-related filings were rapidly rising. Our BSA [Bank Secrecy Act] analysis of 6,048 IP addresses associated with the Tor darknet found that in the majority of the SAR filings, the underlying suspicious activity — most frequently account takeovers — might have been prevented if the filing institution had been aware that their network was being accessed via Tor IP addresses." Meanwhile, the Tor Project continues to ask for assistance in adapting the technology to an Internet that is increasingly blocking users who visit from Tor.
Tor WWW (Score:1)
Tor is easily identifiable as "You came from Tor!" even when it tries to hide your identity. Small places can identify you as "My one user who uses Tor..." and large places can say "That's Tor... NO SOUP FOR YOU!". So Tor has always had that problem, your messages travel the Internet, but the WWW refuses to give you service.
Re: (Score:2, Informative)
"So Tor has always had that problem, your messages travel the Internet, but the WWW refuses to give you service."
Wrong. Nothing prevents a Tor user from browsing through 1, 2, 3, or more web proxies which further prevents them from being spotted as a Tor user or a Tor user using just 1 proxy.
BrowserSpy has a nice proxy detection option. If you're going through Tor and then a web proxy, you can check proxy detection:
http://browserspy.dk/
No proxy is the best answer. Now you go find another web proxy, and anot
Re: (Score:2)
If you were doing a withdrawal, wouldn't the bank know it's not a web browser if the criminal had some hidden command line code running trying to, say, transfer money via the bank website?
Re: Sounds stupid (Score:2, Informative)
There are a few ways around this, the easiest is to just run an anonymous proxy server on their computer (one that runs without a GUI so it's invisible) and then run your browser through that.
When I traveled I used to have a proxy server running at home so if I had to make it look like I was coming from home I could.
You could also run a VNC server on their computer and actually open a browser on their screen, you just have to check if their monitor is off first which is possible with the Windows API, you co
Re: (Score:1)
It sounds stupid because it is. Tor is just a 'proxy' for scapegoating anonymity. Crime is still done the old-fashioned way. In fact, a smart criminal would avoid Tor. Damn thing is just a honeypot anyway.
Initially, I worried (Score:1)
However, the advice does make sense. There is no legitimate reason to connect to a bank through TOR (the bank already knows who you are), and anon attacks are much easier to keep anon if they come from TOR.
Re: (Score:1)
Fail. The bank does not know where you are accessing their services from and it has no business knowing that info.
Re: (Score:2, Informative)
Fail. The bank does not know where you are accessing their services from and it has no business knowing that info.
Says who?
Go and try to use your Credit Card in another country, in quick succession over a short period (say 24 hours) and then see how they may put a freeze on that card, and then require you to phone them up to unfreeze it and then get asked (quite rightly) a number of questions relating to where and when you made those transactions.
This is no different in effect.
I thank them for that frankly - I've had a few cases of my card being 'used' elsewhere after having travelled extensively for business in variou
Re: (Score:2)
I say my bank does have business knowing where I am accessing from. And indeed, it requires a second authentication factor if it doesn't identify my location. Blocking access from inside a known "darknet" seems like an obvious and prudent precaution to me. Anything involved in the security of account access is the literal business of both the bank and the client.
Re: (Score:2)
A compromise would be to let customers indicate whether they want or need to use anonymiser services (either TOR or conventional proxies). Much like customers who do/don't use their credit cards overseas. Very very few customers would choose this (or even understand the option), so it wouldn't reduce the protective effect compared to a blanket ban on TOR.
Re: (Score:2)
It also might have very little utility. In addition to few customers using TOR to connect to banking services, what is the account termination rate of those users? Is it higher than average? I would assume that it is not only above average, but way above average. I'd go so far as to make a wild guess that if a user consistently uses TOR to connect to their bank, they have a less than 25% chance of that account still being open and in good standing in 2 years.
It is like porn and merchant accounts. It isn't t
Re: (Score:1)
Fail. The bank does not know where you are accessing their services from and it has no business knowing that info.
That sort of information can be used as part of fraud detection.
Re: (Score:2)
And it can be used to identify whether you are a valuable customer or not so much. And it can be sold to others or gotten via NSL. Seriously, stop being dumb sheep.
Re: (Score:1)
I'm pretty sure the bank can identify "valuable customers" based on their existing accounts, don't you think? Why would that worry you, and how do you think an IP address would play into it? I'm pretty sure there is more value to the bank in preventing an incidence of fraud than the incredibly minute value of an IP address on the market, and who would legitimately buy it? For what purpose? That seems like nonsense. Why does the NSL bother you? Up to no good?
The issue here is shady dealings, not sheep.
Re: (Score:1)
Most big hackers already do.
Blocking Tor people feel more secure, but that's about all it will do.
Blocking Tor solves nothing (Score:5, Insightful)
Blocking Tor doesn't address the actual problem, which is that the banks' authentication and authorization mechanisms are failing. What's more, it's highly likely that the criminals described here are only using Tor because it provides decent anonymity with low cost/effort. If Tor is blocked, they'll almost certainly just move to some other proxy setup that's modestly more expensive. Heck, as far as I know, nothing really stops anyone from setting up their own members-only Tor network (the project doesn't promote this, presumably because the benefits of the network scale with its size). This is just one facet of a broader problem that's only going to get worse as more IP addresses accumulate "bad reputations" while being continually recycled by cloud providers, mobile carrier networks, and others.
Re: (Score:2)
OK, then, don't block everything from TOR nodes. Better to go phishing for criminals. They should allow logins to be attempted, but then block the login from occurring (regardless of whether the password was valid). They should then alert users to login attempts from TOR, and potentially freeze their access until their passwords can be reset.
Re: (Score:2)
How about just requiring (and supplying) two-factor authentication for TOR connections? Or even for all connections?
Craigslist already does this... (Score:2)
Re:Craigslist already does this... (Score:4, Insightful)
I'm not sure why banks don't, but Craigslist already blocks almost all Tor nodes--despite its comparatively meager resources (vs. banks')...
Simply because the banks are not responsible for the losses?
The summary said "nearly $24 million in bank account takeovers by hackers", see? The banks simply pass the loss to their customers by calling it identity theft! Hey, your account has been taken over by hackers! Your loss.
In countries where the banks themselves are responsible for these losses (they called these, rightly, fraud against the bank), you see banks taking measures to stop these thefts. In the US, the banks simply don't care.
Missing info (Score:5, Interesting)
Re: (Score:2)
I came looking for this. I have a few good reasons for visiting my bank via Tor, and the truth is that I would leave the bank if Tor were blocked.
Blocking Tor is akin to saying "many robberies were performed by blacks, so we will no longer allow blacks into the bank".
Re:Missing info (Score:5, Interesting)
I have a few good reasons for visiting my bank via Tor,
Such as? I'm genuinely curious why you would need anonymity to connect to a bank, whereupon you would immediately log into an account that has your name, address, phone number, and probably even your SSN and a copy of your signature on file.
Blocking Tor is akin to saying "many robberies were performed by blacks, so we will no longer allow blacks into the bank".
It's more like blocking Tor is akin to saying "many robberies were performed by people wearing a disguise, so we will no longer allow people wearing disguises into the bank".
Re:Missing info (Score:5, Insightful)
Personally, I don't mind the bank knowing I accessed my account. Comcast, however, has no need to know that. Nor does Level3. Nor, unless they have reasonable suspicion, does the government (although I am well aware that the bank will hand over the records in a heartbeat). So the question is, do I care enough about whether they know to put effort into keeping them from knowing? For some people, the answer will be yes. For you, perhaps not.
Re: (Score:2)
Exactly. The bank needs to know that I'm visiting. Nobody else does.
HTTPS ensures that I can trust that what I see came from the bank. Tor ensures that nobody other than the bank knows that I was there.
Re: (Score:2)
I have a few good reasons for visiting my bank via Tor,
Such as? I'm genuinely curious why you would need anonymity to connect to a bank, whereupon you would immediately log into an account that has your name, address, phone number, and probably even your SSN and a copy of your signature on file.
You are correct in asserting that the bank will know it's me. But nobody else needs to know that I've visited my bank. My ISP, government, and neighbours on wifi don't need to even know that I have a bank account.
Re: (Score:2)
It sounds like you should be using a VPN instead of a dark net with an exit gateway.
Re: (Score:2)
Your ISP is paid for somehow. Probably a credit card, tied to a bank.
The government ALREADY KNOWS you have a bank account! In fact, they probably already know how much is in it, and how much profit you made in your savings account, your trading account, etc.
Neighbours on WiFi? What, you running an
Re: (Score:2)
You wouldn't need anonymity, but you may need to proxy for other reasons. Going on holiday, and the local government blocking your bank's site as an agent of western oppression?
Re: (Score:2)
My bank requires the removal of sunglasses before entering the bank, a policy I happily comply with. I take them off at the ATM, too, just to be polite.
$24 Million over a Decade (Score:2, Insightful)
This is a completely insignificant amount. It is probably less than restaurant tips for the banking industry over a year.
That's nothing (Score:5, Interesting)
A few BILLION of taxpayer money could have been saved from being squandered if we had installed a banking supervision deserving that name. At least AFTER the bailout we should have.
It's just plain idiotic if not outright dangerous to show them that we'll not only foot the bill if their high stakes gambling doesn't work out but also take no precaution whatsoever to keep them from repeating it!
24 million? Pfffft, why're we even talking about chump change?
Not a strong chain if the IP is the strongest link (Score:5, Interesting)
There are dozens and dozens of anonymous VPNs available, plus Starbucks, McD and so on free wifi, etc.
If the strongest link in the chain is the identity of the "last hop" connecting to the web server, they're seriously screwed.
Re: (Score:2)
It's not meant to be the strongest link in the chain. Just a link in the chain. If, every time someone connects in a suspicious way, you call their cell-phone to verify, or ask for an extra one-time password, or at the very least send them an email, then you can detect/prevent a lot of fraud. (This applies not only to Tor, but to any type of "unusual" connection, for example connecting from Russia five minutes after using a credit card in the U.S.)
Real reason (Score:2)
Treasury dept wants to make sure that as much information as possible is gathered about when, where and how you make transactions involving your money at your banking institution. Why? Because you might be a naughty boy. I'll leave it to others to define "naughty".
Re: (Score:2)
There are two elements here:
- the more general: there is a good chance they can currently monitor your contact with your bank without the need to get a warrant for transactional information from the institution.
- the less general: even if they are able to get transactional info, by using Tor you have made it difficult for them to determine your location.
Of more interest in TFA (Score:2)
This is of course complete nonsense (Score:2)
Sure, these attacks came over TOR. But blocking TOR would have done exactly nothing to prevent them, as attackers would then just have used slightly more expensive hacked computers to carry out the attacks.
Re: (Score:1)
Re: (Score:2)
Blocking the apparent source IPs is useless; it may even help them use better means. Flagging the transactions for further inspection without letting on to the source could be rather useful. A block just means the attacker moves to a different vector, say routing through a botnet. Hell, low tech and a router on a cantenna to a McDonald's wifi half a mile away.
Re: (Score:2)
Fix the authentication system to prevent credential replay attacks, maybe? Two factor authentication? Client certificate validation? "We don't recognize the computer you're connecting from, so we're gonna send you a code in an SMS message or email", even.
Re: (Score:3)
Well ... I worked for a company who dealt with lots of PII (like, info on *every* person in the US). We put together a system to monitor what TOR nodes existed, and compared attacks to TOR nodes. It was significantly used as an attack vector, not only because of the anonymity, but because the attacker could change IPs frequently. Not a single legitimate user used TOR.
We decided it was worth protecting our users, and the PII of everyone in the US, to refuse any traffic from TOR.
Banks doing the same
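The defensive pattern these comments sketch (verify out of band when a connection looks unusual, catch a second country minutes after the first, and match the source address against a maintained list of exit nodes) as an added Python example; this is not code from the page, the Treasury report, or any bank, and the exit-node list, addresses, timestamps and the GeoIP country field are constructed stand-ins.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
import ipaddress

# Constructed stand-in for a fetched exit-node list (RFC 5737 documentation ranges, not real Tor nodes).
TOR_EXIT_SAMPLE = {"192.0.2.10", "198.51.100.77"}

@dataclass
class LoginEvent:
    src_ip: str
    country: str        # assumed to come from a GeoIP lookup upstream
    when: datetime
    device_known: bool  # e.g. a device cookie the bank issued on an earlier visit

def is_tor_exit(ip, exits=TOR_EXIT_SAMPLE):
    """Membership test; an IPv4-mapped IPv6 address is folded back so it matches the IPv4 entry."""
    addr = ipaddress.ip_address(ip)
    if addr.version == 6 and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    return str(addr) in exits

def assess(event, last_seen, exits=TOR_EXIT_SAMPLE, travel_window=timedelta(hours=1)):
    """Return (decision, reasons): 'allow', 'step_up' (call, OTP or e-mail) or 'hold' (freeze, reset)."""
    reasons = []  # the source address is one signal among several and never decides on its own
    if is_tor_exit(event.src_ip, exits):
        reasons.append("tor_exit")
    if not event.device_known:
        reasons.append("unknown_device")
    if (last_seen is not None and last_seen.country != event.country
            and event.when - last_seen.when < travel_window):
        reasons.append("impossible_travel")  # two countries inside the window
    if "impossible_travel" in reasons:
        return "hold", reasons
    return ("step_up" if reasons else "allow"), reasons

# Constructed session log: baseline, same device later, an exit-node visit, then another country five minutes on from an unknown device.
_T0 = datetime(2014, 12, 5, 9, 0)
SAMPLE_LOG = [
    LoginEvent("203.0.113.5", "US", _T0, True),
    LoginEvent("203.0.113.5", "US", _T0 + timedelta(hours=3), True),
    LoginEvent("::ffff:192.0.2.10", "DE", _T0 + timedelta(days=1), True),
    LoginEvent("203.0.113.9", "RU", _T0 + timedelta(days=1, minutes=5), False),
]

def run_sample(log=SAMPLE_LOG):  # assess each login against the account's previous one, in order
    decisions, prev = [], None
    for ev in log:
        decisions.append(assess(ev, prev))
        prev = ev
    return decisions
```

The exit-node visit alone only triggers a step-up, which is the "flag, don't block" approach several commenters prefer; the hold is reserved for the signal that cannot be explained by an ordinary customer.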
I've always wondered (Score:2)
Already doing it some places (Score:3)
$24 million out of how much? (Score:2)
$24 million sounds like a lot, but it is just a fraction of what was lost to hackers. Tor is an easy target, though; it will have little impact. It lets the country think something is being done, but it will have little impact. It's kind of like going after college kids for downloading songs and movies when in SE Asia, they are being duplicated by the truck load for resale.
Tor just makes it hard to track who did it. Banks and financial institutions need to beef up their security regardless of tor or not.
Banking is so insecure... (Score:3, Interesting)
$24m over 10 years, so what? (Score:1)
Re: (Score:1)
Number of players 0 (Score:2)
Sometimes it is better to live with risk which at least offers some useful feedback.
Going forward with a token reaction sure to be trivially countered in short order very likely will also carry the side effect of reducing your ability to detect future fraudulent activity.
If not Tor, it will be a botnet; if not a botnet, it will come from some rinky-dink VPS.
Much better to invest in technological solutions to address root cause such as distribution of hardware keys less susceptible to electronic theft.
Iyam who Iyam, regardless of IP (Score:2)
I have an agreement with my bank. If I present certain identifying information, they give me access to my accounts. Why would this change if I access their servers from another IP address?