US Treasury Dept: Banks Should Block Tor Nodes

tsu doh nimh writes: A new report from the U.S. Treasury Department found that nearly $24 million in bank account takeovers by hackers (and other cyber theft over the past decade) might have been thwarted had affected institutions known to look for and block transactions coming through the Tor anonymity network. Brian Krebs cites from the non-public report, which relied on an analysis of suspicious activity reports filed by banks over the past decade: "Analysis of these documents found that few filers were aware of the connection to Tor, that the bulk of these filings were related to cybercrime, and that Tor-related filings were rapidly rising. Our BSA [Bank Secrecy Act] analysis of 6,048 IP addresses associated with the Tor darknet found that in the majority of the SAR filings, the underlying suspicious activity — most frequently account takeovers — might have been prevented if the filing institution had been aware that their network was being accessed via Tor IP addresses." Meanwhile, the Tor Project continues to ask for assistance in adapting the technology to an Internet that is increasingly blocking users who visit from Tor.

Tor WWW

[The+New+Guy+2.0]

Tor is easily identifiable as "You came from Tor!" even when it tries to hide your identity. Small places can identify you as "My one user who uses Tor..." and large places can say "That's Tor... NO SOUP FOR YOU!". So Tor has always had that problem, your messages travel the Internet, but the WWW refuses to give you service.

Sounds stupid

Wouldn't it be a lot easier for criminals to have the transactions happen from the same PC they got the information from? I am of course assuming that the majority of these "cyber crimes" happened due to keyloggers and the like, thus if a criminal has a keylogger, he probably has enough control over the victims computer to simply do his criminal activity through their computer, making there be no suspicion whatsoever in the IP addresses.

Re:Sounds stupid

[alen]

if you were doing a withdrawl, wouldn't the bank know it's not a web browser if the criminal had some hidden command line code running trying to say transfer money via the bank website?

Re:Sounds stupid

[fustakrakich]

It sounds stupid because it is. Tor is just a 'proxy' for scapegoating anonymity. Crime is still done the old fashion way. In fact, a smart criminal would avoid Tor. Damn thing is just a honeypot anyway.

Re: Sounds stupid

There are a few ways around this, the easiest is to just run an anonymous proxy server on their computer (one that runs without a GUI so it's invisible) and then run your browser through that.

When I traveled I used to have a proxy server running at home so if I had to make it look like I was coming from home I could.

You could also run a VNC server on their computer and actually open a browser on their screen, you just have to check if their monitor is off first which is possible with the Windows API, you could also check if the screensaver is on and then pray that they are away from the terminal long enough to do what you need to do and then put the screensaver back on.

Probably the most common way though is to simply run a coded bot that would do this for you (the hacker) on the compromised computer, but you have to be really good at coding bots and make darn sure that you know which bank website is needed and what steps are required in proper sequence. Languages like Python or Perl make it very easy these days but then you may have to install a whole slew of libraries onto the target computer, it's best if you can get the bot into a single executable.

Back before TOR and even today the best hackers route through dozens (hundreds) of compromised computers before the target host. It's always possible to trace but if you run through countries with uncooperative governments it could take forever to track back to the attacker and if they were using a spoofed MAC address from some random Internet cafe in Buenos Aires, forget about it.

The only thing is, where would they transfer this money to or what would they buy? That's what requires the most clever thought process on the side of the attacker because accessing that money is the most traceable usually.

Initially, I worried

However, the advice does make sense. There is no legitimate reason to connect to a bank through TOR (the bank already knows who you are), and anon attacks are much easier to keep anon if they come from TOR.

Re:Initially, I worried

[gweihir]

Fail. The bank does not know where you are accessing their services from and it has no business knowing that info.

Re:Initially, I worried

I always use Tor when I'm on a Wifi, especially for connecting to a bank.
I trust my guards and pinned exit nodes more than whoever happens to be on the local wifi relay.

Re:Initially, I worried

Fail. The bank does not know where you are accessing their services from and it has no business knowing that info.

Says who?

Go and try to use your Credit Card in another country, in quick succession over a short period (say 24 hours) and then see how they may put a freeze on that card, and then require you to phone them up to unfreeze it and then get asked (quite rightly) a number of questions relating to where and when you made those transactions.

This is no different in effect.

I thank them for that frankly - I've had a few cases of my card being 'used' elsewhere after having travelled extensively for business in various countries overseas (in Europe mainly). Belive me, the banks will do anything to prevent liability to them, if you are going to anonymize or they are suspecting even a whiff of 'unusual' activity, they are going to stop you.

You are using their services, you have to abide by their terms. Don't like it? There's always your mattress.

Re:Initially, I worried

Don't like it? There's always your mattress

That's a dumb statement and you should feel dumb for it.
People keep using that as if it is an alternative... in reality, there is no alternative so whether you like it or not, you will comply citizen...

Re:Initially, I worried

[Aighearach]

I say my bank does have business knowing where I am accessing from. And indeed, it requires a second authentication factor if it doesn't identify my location. Blocking access from inside a known "darknet" seems like an obvious and prudent precaution to me. Anything involved in the security of account access is the literal business of both the bank and the client.

Re:Initially, I worried

[FatLittleMonkey]

A compromise would be to let customers indicate whether they want or need to use anonymiser services (wither TOR or conventional proxies). Much like customers who do/don't use their credit cards overseas. Very very few customers would choose this (or even understand the option), so it wouldn't reduce the protective effect compared to a blanket ban on TOR.

Re:Initially, I worried

[cold+fjord]

Fail. The bank does not know where you are accessing their services from and it has no business knowing that info.

That sort of information can be used as part of fraud detection.

Re:Initially, I worried

[Aighearach]

It also might have very little utility. In addition to few customers using TOR to connect to banking services, what is the account termination rate of those users? Is it higher than average? I would assume that it is not only above average, buy way above average. I'd go so far as to make a wild guess that if a user consistently uses TOR to connect to their bank, they have a less than 25% chance of that account still being open and in good standing in 2 years.

It is like porn and merchant accounts. It isn't that banks dislike porn, or that porn encourages fraud. It is just that, for whatever unknown and debatable reasons, that industry has a much higher rate of merchant accounts being closed for a wide variety of reasons. Whereas a restaurant can probably get a merchant account, even if the owner has weak or bad credit.

Also, I don't really want my bank to be so open and free about offering network access that they introduce new features that will have few users. That gives more chances for bugs to expose their other users. They should focus on providing secure core online banking services, not shoehorning every niche product idea into the interface.

Re:Initially, I worried

[gweihir]

And it can be used to identify whether you are a valuable customer or not so much. And it can be sold to others or gotten via NSL. Seriously, stop being dumb sheep.

Re:Initially, I worried

[cold+fjord]

I'm pretty sure the bank can identify "valuable customers" based on their existing accounts, don't you think? Why would that worry you, and how do you think an IP address would play into it? I'm pretty sure there is more value to the bank in preventing an incidence of fraud than the incredibly minute value of an IP address on the market, and who would legitimately buy it? For what purpose? That seems like nonense. Why does the NSL bother you? Up to no good?

The issue here is shady dealings, not sheep.

So the bad guys rent a botnet for proxying

Nothing gained

Re:So the bad guys rent a botnet for proxying

Most big hackers already do.

Blocking Tor people feel more secure, but that's about all it will do.

Re:Tor WWW

"So Tor has always had that problem, your messages travel the Internet, but the WWW refuses to give you service."

Wrong. Nothing prevents a Tor user from browsing through 1, 2, 3, or more web proxies which further prevents them from being spotted as a Tor user or a Tor user using just 1 proxy.

BrowserSpy has a nice proxy detection option. If you're going through Tor and then a web proxy, you can check proxy detection:

http://browserspy.dk/

No proxy is the best answer. Now you go find another web proxy, and another one and another one and just use them for a small window and never use them again. Mix it with loading a large website/image/download in the background.

Just don't do this with anything involving legal matters. Just if you're browsing say WalMart's site or something. ^_^

Blocking Tor solves nothing

Blocking Tor doesn't address the actual problem, which is that the banks' authentication and authorization mechanisms are failing. What's more, it's highly likely that the criminals described here are only using Tor because it provides decent anonymity with low cost/effort. If Tor is blocked, they'll almost certainly just move to some other proxy setup that's modestly more expensive. Heck, as far as I know, nothing really stops anyone from setting up their own members-only Tor network (the project doesn't promote this, presumably because the benefits of the network scale with its size). This is just one facet of a broader problem that's only going to get worse as more IP addresses accumulate "bad reputations" while being continually recycled by cloud providers, mobile carrier networks, and others.

Re: Blocking Tor solves nothing

Hear hear

Re:Blocking Tor solves nothing

[Ken_g6]

OK, then, don't block everything from TOR nodes. Better to go phishing for criminals. They should allow logins to be attempted, but then block the login from occurring (regardless of whether the password was valid). They should then alert users to login attempts from TOR, and potentially freeze their access until their passwords can be reset.

Re:Blocking Tor solves nothing

Why? Tor is not the problem.

Re:Blocking Tor solves nothing

[suutar]

How about just requiring (and supplying) two-factor authentication for TOR connections? Or even for all connections?

Re:Blocking Tor solves nothing

What's more, it's highly likely that the criminals described here are only using Tor because it provides decent anonymity with low cost/effort. If Tor is blocked, they'll almost certainly just move to some other proxy setup that's modestly more expensive.

This seems like a perfect place to use a botnet actually. Proxy through someone's virus infected PC (or other device). Then it looks just like a residential connection. Who cares that the bank traces the connection back. It's not like it's your own device. It's interesting that TOR is cheaper than the loss of a compromised device.

Re:Blocking Tor solves nothing

It depends on what the actual problem they are working toward 'solving'. This is a front for an attack on anonymity.

Re:Blocking Tor solves nothing

Blocking Tor makes it worse. When I am in an airport lounge, it is better to connect to my bank through Tor, vs directly through the NSA/GCHQ/RussianMafia malware infested WAP. There are many good and legitimate uses of Tor.

Missing info

The importance is not how many wrong/hacked/whatever amount of money came, but what is the percentage legit versus non elgit transaction. If the percentage was 10% (240 M$ per year Zx, 24M$ hacked) and you compare to the real world and , say 1T$, 3B$ hacked then it looks bad in comparison and there is a ground bank might think forbidding Tor. On the other hand if the % is reversed (% hacked/total) and there is more illegit Tx outside Tor then the discussion is not warranted. That info is missing. Without it nothing can be decided, except that the US governement does not like TOR maybe.

Re:Missing info

Furthermore, actually blocking Tor means that as the net evolves and there are more users of Tor the banks won't be able to recognize that the potential number of legit transactions has increased since they aren't permitting any. It becomes a sort of self-fulfilling prophecy - there are no legit Tor users because they won't accept any legit Tor users.

Re:Missing info

[dotancohen]

I came looking for this. I have a few good reasons for visiting my bank via Tor, and the truth is that I would leave the bank if Tor were blocked.

Blocking Tor is akin to saying "many robberies were performed by blacks, so we will no longer allow blacks into the bank".

Re:Missing info

[vux984]

I have a few good reasons for visiting my bank via Tor,

Such as? I'm genuinely curious why you would need anonymity to connect to a bank, whereupon you would immediately log into an account that has your name, address, phone number, and probably even your SSN and a copy of your signature on file.

Blocking Tor is akin to saying "many robberies were performed by blacks, so we will no longer allow blacks into the bank".

Its more like blocking Tor is akin to saying "many robberies" were performed by people wearing a disguise, so we will no longer allow people wearing disguises into the bank.

Re:Missing info

[suutar]

Personally, I don't mind the bank knowing I accessed my account. Comcast, however, has no need to know that. Nor does Level3. Nor, unless they have reasonable suspicion, does the government (although I am well aware that the bank will hand over the records in a heartbeat). So the question is, do I care enough about whether they know to put effort into keeping them from knowing? For some people, the answer will be yes. For you, perhaps not.

Re:Missing info

[dotancohen]

Exactly. The bank needs to know that I'm visiting. Nobody else does.

HTTPS ensures that I can trust that what I see came from the bank. Tor ensures that nobody other than the bank knows that I was there.

Re:Missing info

[dotancohen]

I have a few good reasons for visiting my bank via Tor,

Such as? I'm genuinely curious why you would need anonymity to connect to a bank, whereupon you would immediately log into an account that has your name, address, phone number, and probably even your SSN and a copy of your signature on file.

You are correct in asserting that the bank will know it's me. But nobody else needs to know that I've visited my bank. My ISP, government, and neighbours on wifi don't need to even know that I have a bank account.

Re:Missing info

[SuricouRaven]

You wouldn't need anonymity, but you may need to proxy for other reasons. Going on holiday, and the local government blocking your bank's site as an agent of western oppression?

Re:Missing info

I'm genuinely curious why you would need anonymity to connect to a bank, whereupon you would immediately log into an account that has your name, address, phone number, and probably even your SSN and a copy of your signature on file.

The very fact that they have all the info on file makes the stakes even higher. The law explicitly permits banks to share your information with their "business partners" where "business partners" are defined as anyone the bank does business with, so basically anyone they want.

I don't need my bank selling the connection between my ip address and all of my personal information to a company like BlueKai or the thousand other Big Data whorehouses out there.. And since it is completely legal for them to sell it, I can not trust that they won't sell it.

Re:Missing info

Its more like blocking Tor is akin to saying "many robberies" were performed by people wearing a disguise, so we will no longer allow people wearing disguises into the bank.

FBI wants law targeting hats, sunglasses in banks

Some of us wear prescription sunglasses, so that'd have to be addressed.

Captcha: privacy

Re:Missing info

[Aighearach]

My bank requires the removal of sunglasses before entering the bank, a policy I happily comply with. I take them off at the ATM, too, just to be polite.

Re:Missing info

[Aighearach]

It sounds like you should be using a VPN instead of a dark net with an exit gateway.

Re:Missing info

Tor is a simple and easy to use VPN. It has many legit uses. It is better to use Tor when sitting in Starbucks or an airport lounge connecting over the NSA/GCHQ/RussianMafia infested WAP.

Re:Missing info

[tlhIngan]

You are correct in asserting that the bank will know it's me. But nobody else needs to know that I've visited my bank. My ISP, government, and neighbours on wifi don't need to even know that I have a bank account.

Your ISP is paid for somehow. Probably a credit card, tied to a bank.

The government ALREADY KNOWS you have a bank account! In fact, they probably already know how much is in it, and how much profit you made in your savings account, your trading account, etc.

Neighbours on WiFi? What, you running an open wifi that your neighbours can use? If you're doing that and accessing the bank, you have bigger problems. WPA2 ensures that your neighbours can't see your traffic even if they're on the same network (each node gets a unique encryption key). But still... if you're letting your neighbours on your wifi, you should be hitting your bank over Ethernet.

Re:Missing info

Yes, it is important for the bank to verify identity.

For your question, imagine that the individual needed access to funds from within an unfriendly country while travelling under an alias. The bank knows who he is, but the country does not.

not just TOR: many anonymizer services blocked

Many web forums and social networking sites block anonymous connections from known anonymizer services like VPNs, not just TOR. That's usually because of abuse from people using those services.

But side effect is: the internet is slowly becoming less and less usable anonymously. Combine that with the "true name" push on many services and it is only a matter of time. We can see the direction now.

All access

Paraphrasing Phil Zimmerman about giving away PGP, it's hard to give privacy tools to the good guys without also giving it to the bad guys. For every journalist or protester we help, there's a scammer or malicious hacker that also has access.

$24 Million over a Decade

This is a completely insignificant amount. It is probably less than restaurant tips for the banking industry over a year.

Stupid and Useless

Hackers can just as easily buy a VPS or a VPN service and make that their endpoint while still browsing via Tor.

That's what I have to do when I use Tor, since many websites (Google included) are fucking useless if you're connecting via Tor.

Our systems think you're a robot. Type solve these ten captchas before we deny your request anyway.
You've been banned for posting child porn. Your ban does not expire.
The owner of this website is using a DDoS protection service. Solve this captcha.

Etc.

I Use a VPN

I don't trust my bank not to sell my IP address & identity combo to the Big Data boys like BlueKai and Facebook.

I would use Tor to access my bank if I didn't already have a VPN to anonymize my web usage. I've already encountered some merchants that won't take my money if I place an order through the VPN - despite shipping to the billing address on my CC. Funny thing is that they never tell you up front, they only bounce the order after you've placed it which is really unfriendly.

If my bank started blocking anonymous access I would close my accounts with them - their job is to make my life better, not the reverse. As it is now my bank does insist on 2-factor authentication if I do come in through the VPN - they want to text an auth code to the cellphone that is already on file. I'm OK with that since I'm not disclosing anything to them that they don't already have.

That's nothing

[Opportunist]

A few BILLIONS of taxpayer money could have been saved from being squandered if we had installed a banking supervision deserving that name. At least AFTER the bailout we should have.

It's just plain idiotic if not outright dangerous to show them that we'll not only foot the bill if their high stakes gambling doesn't work out but also take no precaution whatsoever to keep them from repeating it!

24 millions? Pfffft, why're we even talking about chump change?

Re:That's nothing

$24M, hah, that's nothing, they LOSE more than that every year. This is just another censorship grab. Fight it.

Not a strong chain if the IP is the strongest link

[itsme1234]

There are dozens and dozens of anonymous VPNs available, plus starbucks, McD and so on free wifi, etc.

If the strongest link in the chain the identify of the "last hop" connecting to the web server they're seriously screwd.

Real reason

[Lawrence_Bird]

Treasury dept wants to make sure that as much information as possible is gathered about when, where and how you make transactions involving your money at your banking institution. Why? Becasue you might be a naughty boy. I'll leave it to others to define "naughty".

Re: Real reason

Which they obtain directly from the banks. No need for the feds to sniff the network for such things.

Re: Real reason

[Lawrence_Bird]

There are two elements here -

the more general: there is a good chance they can currently monitor your contact with your bank without the need to get a warrant for transactional information from the institution.

the less general: even if they are able to get transactional info, by using Tor you have made it difficult for them to determine your location.

Re:Real reason

May I interest you in this brand new foil hat, it contains the latest in though-blocking technology, only $99.99

Of more interets in TFA

[Registered+Coward+v2]

is the internet is slowly splitting into anonymous and identifiable user connections. The security aspects aside, anon connections makes it much more difficult to track and collect user data for sale or to promote a site's products. As a result, I think we'll see more and more efforts to block anon connection as the real cost is in the lost revenue, not the amounts lost to criminal activities. If the losses due to theft and fraud become to large the banks will figure it out; right now my guess the cost of solving the problem is great rattan the losses so there is no strong incentive to fix it.

This is of course complete nonsense

[gweihir]

Sure, these attacks came over TOR. But blocking TOR would have done exactly nothing to prevent them, as attackers would the just have uses slightly more expensive hacked computers to carry out the attacks.

Re:This is of course complete nonsense

[Stan92057]

So, your advice is?

Re:This is of course complete nonsense

Find the root of the problem instead of banning one possible tool that some criminals happen to use nowadays ?
You know, doing actual work instead of a knee-jerk reaction ?

Re:This is of course complete nonsense

[silas_moeckel]

Blocking the apparent source IP's is useless it may even help the use better means. Flagging the transactions for further inspection without letting on to the source could be rather useful. A block just means the attacker moves to a different vector say routing through a botnet. Hell low tech and a router on a cantenna to a mcdonalds wifi half a mile away.

Re:This is of course complete nonsense

[suutar]

Fix the authentication system to prevent credential replay attacks, maybe? Two factor authentication? Client certificate validation? "We don't recognize the computer you're connecting from, so we're gonna send you a code in an SMS message or email", even.

Re:This is of course complete nonsense

[JWSmythe]

Well ... I worked for a company who dealt with lots of PII (like, info on *every* person in the US). We put together a system to monitor what TOR nodes existed, and compared attacks to TOR nodes. It was significantly used as an attack vector, not only because of the anonymity, but because the attacker could change IPs frequently. Not a single legitimate user used TOR.

We decided it was worth protecting our users, and the PII of everyone in the US, to refuse any traffic from TOR.

Banks doing the same thing does seem like it's in the best interest of the customers.

If you are a legitimate user, and some 3rd party logs into your account and transfers money out, would you prefer the bank to say "Sorry, it was some random person, and we have no way to find or prosecute them. They will likely do it again." or "The intruder was found and prosecuted."

Depending on the theft, you may or may not get your funds back. If someone goes in and transfers funds as you, some banks aren't willing to refund the transaction. Transfers aren't handled like credit card transactions, which are easily refunded.

Even if your bank does give you the stolen money back, that means they've absorbed the cost. So your loss ($1 or $1M) and refund, is now added to the fees, because the bank's operating expenses are higher.

I'd prefer the "inconvenience" of not being allowed to use TOR and other anonymous relays, and not have the bank have a huge and expensive fee schedule to make up for losses that are impossible to recoup from the thieves.

Re: Not a strong chain if the IP is the strongest

Hear hear!

Re:Not a strong chain if the IP is the strongest l

Exactly. Banning Tor is the dumbest thing I ever heard of.
If they, and their account holders, want real security, issue them one time password keyfob tokens, or use TOTP authentication.
(Yes, my bank address is my pobox, phone number is bogus, and they don't have my email and i use a foreign vpn. So don't give me this privacy destroying phone auth idea you idiots.)

I've always wondered

[tom229]

Why all members of the tor network aren't forced to be exit nodes. Your traffic could then be sent to the public internet through a random exit node for every single tcp connection you make.

Re:I've always wondered

That wouldn't be usefull for the network.
Many users have a limited upload or live in regions of the world where access to the clearweb is censored/dangerous (Whoops! The government's at your door because someone googled/said the wrong thing from your IP!)

Re:I've always wondered

Not to mention it was originally conceived as a way for the CIA to communicate with people in the field. Not exactly great for your operatives if they connect to communicate and as a result their system starts being the apparent source of some heavy duty porn browsing.

It's also about choice, running an exit node isn't something you should do lightly (as much as the network could do with more) as your Govt may decide to try and hold you liable for any traffic that originates from you.

thwarting criminal activity

If it is about thwarting criminal activity, a more better case could be made that the Tor network should be blocking all banking IP addresses.
In fact, all ISP's should be blocking banking IP addresses in that case.

Already doing it some places

[RobinH]

I setup a Raspberry Pi as a tor *relay* (not a tor exit node) just as a weekend project this year. Within a couple of days, we couldn't log into our bank (TD Canada Trust). I was able to log in by VPN'ing into my work PC. I took the tor relay offline, and within a couple of days I could log into my bank again from home. Both relays and exit node IPs are public knowledge, but I still think it's wrong to block relays.

Re:Already doing it some places

I had this same experience, of TD blocking my IP after running a relay. When it would happen (about once a week), I'd just reboot my DSL modem to get a new IP from my ISP. I even scripted it to automatically happen when the TD block was detected. Who knows how many dynamic IPs that ISP now has which TD blocks. I feel a bit bad about possibly inconveniencing clueless inheritors of the IPs, but I was more annoyed with TD and their seemingly idoitic network security policities at the time.

$24 million out of how much?

[Dcnjoe60]

$24 million sounds like a lot, but it is just a fraction of what was lost to hackers. Tor is an easy target, though, it will have little impact. It lets the country think something is being done, but it will have little impact. It's kind of like going after college kids for downloading songs and movies when in SE Asia, they are being duplicated by the truck load for resale.

Tor just makes it hard to track who did it. Banks and financial institutions need to beef up their security regardless of tor or not.

Re:Not a strong chain if the IP is the strongest l

[Sqr(twg)]

It's not meant to be the strongest link in the chain. Just a link in the chain. If, every time someone connects in a suspicious way, you call their cell-phone to verify, or ask for an extra one-time password, or at the very least send them an email, then you can detect/prevent a lot of fraud. (This applies not only to Tor, but to any type of "unusual" connection, for example connecting from Russia five minutes after using a credit card in the U.S.)

Banking is so insecure...

[bswarm]

I found a $25 withdrawal from my Savings account showing up as "Check converted to an electronic transaction by the merchant" from a Kohls store. I don't shop at Kohls, and that account doesn't even have checks, so this was either an error entering the account number or a crook. Kohls wouldn't give me any information on this saying it wasn't available, escalating it higher only got me a "we'll get back to you" which never happened. The bank said there's nothing they can do to prevent this from happening again except to close the account and reopen it with a different account number. The bank refunded the $25, but I would never have noticed if I hadn't checked all the transactions on the statement. Long story short, anyone can enter a routing and account number and make purchases if they get a lucky number that works.

Re:Banking is so insecure...

>>>Long story short, anyone can enter a routing and account number and make purchases if they get a lucky number that works.

Not entirely true.

Most commercial banking services include services such as positive pay and ACH debit block which would have prevented the improper transaction on your savings account.

However, most individuals or households don't know about them and/or won't pony up the cash for them.

That said, your real problem is that your bank cleared a check against a savings account (wtf?) and basically shrugged when you asked for help.

For your safety we have blocked... everything.

Our source further explained:

We only have your security in mind. All funds are are fully protected once deposited.

Account access through phone or internet will be disabled to protect against Identity Thieves and Hackers. Cheques will not be honored due to risk of counterfeit or check washing.

$24m over 10 years, so what?

[moonlandingchap]

So has Tor been around 10 years yet? (honestly too lazy to look it up, but don't think so) I'm sure $2.4m a year is less money than gets stolen from chip and pin cards, this is blatant NSA anti-public-privacy nonesense. There is prob more money stolen from people digging out cash machines and dragging them off into the night.

Re:$24m over 10 years, so what?

[moonlandingchap]

err yeah Tor started in 2002. my bad. still it's tiny money and nothing to worry about.

Number of players 0

[WaffleMonster]

Sometimes it is better to live with risk which at least offers some useful feedback.

Going forward with a token reaction sure to be trivially countered in short order very likely will also carry side effect of reducing your ability to detect future fraudulent activity.

If not Tor it will be a botnet if not a botnet it will come from some rinky dink VPS.

Much better to invest in technological solutions to address root cause such as distribution of hardware keys less susceptible to electronic theft.

Craigslist already does this...

[BUL2294]

I'm not sure why banks don't, but Craigslist already blocks almost all Tor nodes--despite its comparatively meager resources (vs. banks')...

Re:Craigslist already does this...

[khchung]

I'm not sure why banks don't, but Craigslist already blocks almost all Tor nodes--despite its comparatively meager resources (vs. banks')...

Simply because the banks are not responsible for the losses?

The summary said "nearly $24 million in bank account takeovers by hackers", see? The banks simply pass the loss to their customers by calling it identity theft! Hey, you account has been taken over by hackers! Your loss.

In countries where the banks themselves are responsible for these losses (they called these, rightly, fraud against the bank), you see banks taking measures to stop these thefts. In the US, the banks simply don't care.

Nonsense

First actually have an explicit policy that says not to do this. Then do not block this. That way, the first time someone does this, you can go right up and say don't do this. Any other tor like connections from non human connections can now be checked out.

It seems to me most of the incursions start from the customer end, and end with lateral expansion into the banking environment.

Re:Treasury ZIRP TBTF

Mod up for "insight"!

Iyam who Iyam, regardless of IP

[swell]

I have an agreement with my bank. If I present certain identifying information, they give me access to my accounts. Why would this change if I access their servers from another IP address?

WOW

24 ... Whole, whole million!? Over 10 years even. So we could have prevented 2.4 million a year in loss? I think the cost of compliance for the whole country would be higher...

http://www.forbes.com/sites/haydnshaughnessy/2011/03/24/solving-the-190-billion-annual-fraud-scam-more-on-jumio/

Bn, is that larger than Mn?