Please create an account to participate in the Slashdot moderation system

 



Forgot your password?
typodupeerror
×
Privacy Government The Internet United States

US Treasury Dept: Banks Should Block Tor Nodes 84

tsu doh nimh writes: A new report from the U.S. Treasury Department found that nearly $24 million in bank account takeovers by hackers (and other cyber theft over the past decade) might have been thwarted had affected institutions known to look for and block transactions coming through the Tor anonymity network. Brian Krebs cites from the non-public report, which relied on an analysis of suspicious activity reports filed by banks over the past decade: "Analysis of these documents found that few filers were aware of the connection to Tor, that the bulk of these filings were related to cybercrime, and that Tor-related filings were rapidly rising. Our BSA [Bank Secrecy Act] analysis of 6,048 IP addresses associated with the Tor darknet found that in the majority of the SAR filings, the underlying suspicious activity — most frequently account takeovers — might have been prevented if the filing institution had been aware that their network was being accessed via Tor IP addresses." Meanwhile, the Tor Project continues to ask for assistance in adapting the technology to an Internet that is increasingly blocking users who visit from Tor.
This discussion has been archived. No new comments can be posted.

US Treasury Dept: Banks Should Block Tor Nodes

Comments Filter:
  • Tor is easily identifiable as "You came from Tor!" even when it tries to hide your identity. Small places can identify you as "My one user who uses Tor..." and large places can say "That's Tor... NO SOUP FOR YOU!". So Tor has always had that problem, your messages travel the Internet, but the WWW refuses to give you service.

    • Re: (Score:2, Informative)

      by Anonymous Coward

      "So Tor has always had that problem, your messages travel the Internet, but the WWW refuses to give you service."

      Wrong. Nothing prevents a Tor user from browsing through 1, 2, 3, or more web proxies which further prevents them from being spotted as a Tor user or a Tor user using just 1 proxy.

      BrowserSpy has a nice proxy detection option. If you're going through Tor and then a web proxy, you can check proxy detection:

      http://browserspy.dk/ [browserspy.dk]

      No proxy is the best answer. Now you go find another web proxy, and anot

  • by Anonymous Coward

    However, the advice does make sense. There is no legitimate reason to connect to a bank through TOR (the bank already knows who you are), and anon attacks are much easier to keep anon if they come from TOR.

    • by gweihir ( 88907 )

      Fail. The bank does not know where you are accessing their services from and it has no business knowing that info.

      • Re: (Score:2, Informative)

        by Anonymous Coward

        Fail. The bank does not know where you are accessing their services from and it has no business knowing that info.

        Says who?

        Go and try to use your Credit Card in another country, in quick succession over a short period (say 24 hours) and then see how they may put a freeze on that card, and then require you to phone them up to unfreeze it and then get asked (quite rightly) a number of questions relating to where and when you made those transactions.

        This is no different in effect.

        I thank them for that frankly - I've had a few cases of my card being 'used' elsewhere after having travelled extensively for business in variou

      • I say my bank does have business knowing where I am accessing from. And indeed, it requires a second authentication factor if it doesn't identify my location. Blocking access from inside a known "darknet" seems like an obvious and prudent precaution to me. Anything involved in the security of account access is the literal business of both the bank and the client.

        • A compromise would be to let customers indicate whether they want or need to use anonymiser services (wither TOR or conventional proxies). Much like customers who do/don't use their credit cards overseas. Very very few customers would choose this (or even understand the option), so it wouldn't reduce the protective effect compared to a blanket ban on TOR.

          • It also might have very little utility. In addition to few customers using TOR to connect to banking services, what is the account termination rate of those users? Is it higher than average? I would assume that it is not only above average, buy way above average. I'd go so far as to make a wild guess that if a user consistently uses TOR to connect to their bank, they have a less than 25% chance of that account still being open and in good standing in 2 years.

            It is like porn and merchant accounts. It isn't t

      • Fail. The bank does not know where you are accessing their services from and it has no business knowing that info.

        That sort of information can be used as part of fraud detection.

        • by gweihir ( 88907 )

          And it can be used to identify whether you are a valuable customer or not so much. And it can be sold to others or gotten via NSL. Seriously, stop being dumb sheep.

          • I'm pretty sure the bank can identify "valuable customers" based on their existing accounts, don't you think? Why would that worry you, and how do you think an IP address would play into it? I'm pretty sure there is more value to the bank in preventing an incidence of fraud than the incredibly minute value of an IP address on the market, and who would legitimately buy it? For what purpose? That seems like nonense. Why does the NSL bother you? Up to no good?

            The issue here is shady dealings, not sheep.

  • by Anonymous Coward on Saturday December 06, 2014 @12:55PM (#48538657)

    Blocking Tor doesn't address the actual problem, which is that the banks' authentication and authorization mechanisms are failing. What's more, it's highly likely that the criminals described here are only using Tor because it provides decent anonymity with low cost/effort. If Tor is blocked, they'll almost certainly just move to some other proxy setup that's modestly more expensive. Heck, as far as I know, nothing really stops anyone from setting up their own members-only Tor network (the project doesn't promote this, presumably because the benefits of the network scale with its size). This is just one facet of a broader problem that's only going to get worse as more IP addresses accumulate "bad reputations" while being continually recycled by cloud providers, mobile carrier networks, and others.

    • by Ken_g6 ( 775014 )

      OK, then, don't block everything from TOR nodes. Better to go phishing for criminals. They should allow logins to be attempted, but then block the login from occurring (regardless of whether the password was valid). They should then alert users to login attempts from TOR, and potentially freeze their access until their passwords can be reset.

      • by suutar ( 1860506 )

        How about just requiring (and supplying) two-factor authentication for TOR connections? Or even for all connections?

    • I'm not sure why banks don't, but Craigslist already blocks almost all Tor nodes--despite its comparatively meager resources (vs. banks')...
      • by khchung ( 462899 ) on Saturday December 06, 2014 @08:01PM (#48540399) Journal

        I'm not sure why banks don't, but Craigslist already blocks almost all Tor nodes--despite its comparatively meager resources (vs. banks')...

        Simply because the banks are not responsible for the losses?

        The summary said "nearly $24 million in bank account takeovers by hackers", see? The banks simply pass the loss to their customers by calling it identity theft! Hey, you account has been taken over by hackers! Your loss.

        In countries where the banks themselves are responsible for these losses (they called these, rightly, fraud against the bank), you see banks taking measures to stop these thefts. In the US, the banks simply don't care.

  • Missing info (Score:5, Interesting)

    by Anonymous Coward on Saturday December 06, 2014 @12:56PM (#48538671)
    The importance is not how many wrong/hacked/whatever amount of money came, but what is the percentage legit versus non elgit transaction. If the percentage was 10% (240 M$ per year Zx, 24M$ hacked) and you compare to the real world and , say 1T$, 3B$ hacked then it looks bad in comparison and there is a ground bank might think forbidding Tor. On the other hand if the % is reversed (% hacked/total) and there is more illegit Tx outside Tor then the discussion is not warranted. That info is missing. Without it nothing can be decided, except that the US governement does not like TOR maybe.
    • I came looking for this. I have a few good reasons for visiting my bank via Tor, and the truth is that I would leave the bank if Tor were blocked.

      Blocking Tor is akin to saying "many robberies were performed by blacks, so we will no longer allow blacks into the bank".

      • Re:Missing info (Score:5, Interesting)

        by vux984 ( 928602 ) on Saturday December 06, 2014 @02:30PM (#48539073)

        I have a few good reasons for visiting my bank via Tor,

        Such as? I'm genuinely curious why you would need anonymity to connect to a bank, whereupon you would immediately log into an account that has your name, address, phone number, and probably even your SSN and a copy of your signature on file.

        Blocking Tor is akin to saying "many robberies were performed by blacks, so we will no longer allow blacks into the bank".

        Its more like blocking Tor is akin to saying "many robberies" were performed by people wearing a disguise, so we will no longer allow people wearing disguises into the bank.

        • Re:Missing info (Score:5, Insightful)

          by suutar ( 1860506 ) on Saturday December 06, 2014 @02:40PM (#48539117)

          Personally, I don't mind the bank knowing I accessed my account. Comcast, however, has no need to know that. Nor does Level3. Nor, unless they have reasonable suspicion, does the government (although I am well aware that the bank will hand over the records in a heartbeat). So the question is, do I care enough about whether they know to put effort into keeping them from knowing? For some people, the answer will be yes. For you, perhaps not.

          • Exactly. The bank needs to know that I'm visiting. Nobody else does.

            HTTPS ensures that I can trust that what I see came from the bank. Tor ensures that nobody other than the bank knows that I was there.

        • I have a few good reasons for visiting my bank via Tor,

          Such as? I'm genuinely curious why you would need anonymity to connect to a bank, whereupon you would immediately log into an account that has your name, address, phone number, and probably even your SSN and a copy of your signature on file.

          You are correct in asserting that the bank will know it's me. But nobody else needs to know that I've visited my bank. My ISP, government, and neighbours on wifi don't need to even know that I have a bank account.

          • It sounds like you should be using a VPN instead of a dark net with an exit gateway.

          • by tlhIngan ( 30335 )

            You are correct in asserting that the bank will know it's me. But nobody else needs to know that I've visited my bank. My ISP, government, and neighbours on wifi don't need to even know that I have a bank account.

            Your ISP is paid for somehow. Probably a credit card, tied to a bank.

            The government ALREADY KNOWS you have a bank account! In fact, they probably already know how much is in it, and how much profit you made in your savings account, your trading account, etc.

            Neighbours on WiFi? What, you running an

        • You wouldn't need anonymity, but you may need to proxy for other reasons. Going on holiday, and the local government blocking your bank's site as an agent of western oppression?

        • My bank requires the removal of sunglasses before entering the bank, a policy I happily comply with. I take them off at the ATM, too, just to be polite.

  • by Anonymous Coward

    This is a completely insignificant amount. It is probably less than restaurant tips for the banking industry over a year.

  • That's nothing (Score:5, Interesting)

    by Opportunist ( 166417 ) on Saturday December 06, 2014 @01:14PM (#48538757)

    A few BILLIONS of taxpayer money could have been saved from being squandered if we had installed a banking supervision deserving that name. At least AFTER the bailout we should have.

    It's just plain idiotic if not outright dangerous to show them that we'll not only foot the bill if their high stakes gambling doesn't work out but also take no precaution whatsoever to keep them from repeating it!

    24 millions? Pfffft, why're we even talking about chump change?

  • by itsme1234 ( 199680 ) on Saturday December 06, 2014 @01:24PM (#48538787)

    There are dozens and dozens of anonymous VPNs available, plus starbucks, McD and so on free wifi, etc.

    If the strongest link in the chain the identify of the "last hop" connecting to the web server they're seriously screwd.

    • It's not meant to be the strongest link in the chain. Just a link in the chain. If, every time someone connects in a suspicious way, you call their cell-phone to verify, or ask for an extra one-time password, or at the very least send them an email, then you can detect/prevent a lot of fraud. (This applies not only to Tor, but to any type of "unusual" connection, for example connecting from Russia five minutes after using a credit card in the U.S.)

  • Treasury dept wants to make sure that as much information as possible is gathered about when, where and how you make transactions involving your money at your banking institution. Why? Becasue you might be a naughty boy. I'll leave it to others to define "naughty".

  • is the internet is slowly splitting into anonymous and identifiable user connections. The security aspects aside, anon connections makes it much more difficult to track and collect user data for sale or to promote a site's products. As a result, I think we'll see more and more efforts to block anon connection as the real cost is in the lost revenue, not the amounts lost to criminal activities. If the losses due to theft and fraud become to large the banks will figure it out; right now my guess the cost of s
  • Sure, these attacks came over TOR. But blocking TOR would have done exactly nothing to prevent them, as attackers would the just have uses slightly more expensive hacked computers to carry out the attacks.

    • So, your advice is?
      • Blocking the apparent source IP's is useless it may even help the use better means. Flagging the transactions for further inspection without letting on to the source could be rather useful. A block just means the attacker moves to a different vector say routing through a botnet. Hell low tech and a router on a cantenna to a mcdonalds wifi half a mile away.

      • by suutar ( 1860506 )

        Fix the authentication system to prevent credential replay attacks, maybe? Two factor authentication? Client certificate validation? "We don't recognize the computer you're connecting from, so we're gonna send you a code in an SMS message or email", even.

    • Well ... I worked for a company who dealt with lots of PII (like, info on *every* person in the US). We put together a system to monitor what TOR nodes existed, and compared attacks to TOR nodes. It was significantly used as an attack vector, not only because of the anonymity, but because the attacker could change IPs frequently. Not a single legitimate user used TOR.

      We decided it was worth protecting our users, and the PII of everyone in the US, to refuse any traffic from TOR.

      Banks doing the same

  • Why all members of the tor network aren't forced to be exit nodes. Your traffic could then be sent to the public internet through a random exit node for every single tcp connection you make.
  • by RobinH ( 124750 ) on Saturday December 06, 2014 @02:34PM (#48539099) Homepage
    I setup a Raspberry Pi as a tor *relay* (not a tor exit node) just as a weekend project this year. Within a couple of days, we couldn't log into our bank (TD Canada Trust). I was able to log in by VPN'ing into my work PC. I took the tor relay offline, and within a couple of days I could log into my bank again from home. Both relays and exit node IPs are public knowledge, but I still think it's wrong to block relays.
  • $24 million sounds like a lot, but it is just a fraction of what was lost to hackers. Tor is an easy target, though, it will have little impact. It lets the country think something is being done, but it will have little impact. It's kind of like going after college kids for downloading songs and movies when in SE Asia, they are being duplicated by the truck load for resale.

    Tor just makes it hard to track who did it. Banks and financial institutions need to beef up their security regardless of tor or not.

  • by bswarm ( 2540294 ) on Saturday December 06, 2014 @03:36PM (#48539377)
    I found a $25 withdrawal from my Savings account showing up as "Check converted to an electronic transaction by the merchant" from a Kohls store. I don't shop at Kohls, and that account doesn't even have checks, so this was either an error entering the account number or a crook. Kohls wouldn't give me any information on this saying it wasn't available, escalating it higher only got me a "we'll get back to you" which never happened. The bank said there's nothing they can do to prevent this from happening again except to close the account and reopen it with a different account number. The bank refunded the $25, but I would never have noticed if I hadn't checked all the transactions on the statement. Long story short, anyone can enter a routing and account number and make purchases if they get a lucky number that works.
  • So has Tor been around 10 years yet? (honestly too lazy to look it up, but don't think so) I'm sure $2.4m a year is less money than gets stolen from chip and pin cards, this is blatant NSA anti-public-privacy nonesense. There is prob more money stolen from people digging out cash machines and dragging them off into the night.
  • Sometimes it is better to live with risk which at least offers some useful feedback.

    Going forward with a token reaction sure to be trivially countered in short order very likely will also carry side effect of reducing your ability to detect future fraudulent activity.

    If not Tor it will be a botnet if not a botnet it will come from some rinky dink VPS.

    Much better to invest in technological solutions to address root cause such as distribution of hardware keys less susceptible to electronic theft.

  • I have an agreement with my bank. If I present certain identifying information, they give me access to my accounts. Why would this change if I access their servers from another IP address?

Every program is a part of some other program, and rarely fits.

Working...