Slashdot Mirror

← Back to Stories (view on slashdot.org)

US Treasury Dept: Banks Should Block Tor Nodes

Posted by Soulskill on from the cutting-down-the-orchard-to-get-rid-of-the-bad-apples dept.

tsu doh nimh writes: A new report from the U.S. Treasury Department found that nearly $24 million in bank account takeovers by hackers (and other cyber theft over the past decade) might have been thwarted had affected institutions known to look for and block transactions coming through the Tor anonymity network. Brian Krebs cites from the non-public report, which relied on an analysis of suspicious activity reports filed by banks over the past decade: "Analysis of these documents found that few filers were aware of the connection to Tor, that the bulk of these filings were related to cybercrime, and that Tor-related filings were rapidly rising. Our BSA [Bank Secrecy Act] analysis of 6,048 IP addresses associated with the Tor darknet found that in the majority of the SAR filings, the underlying suspicious activity — most frequently account takeovers — might have been prevented if the filing institution had been aware that their network was being accessed via Tor IP addresses." Meanwhile, the Tor Project continues to ask for assistance in adapting the technology to an Internet that is increasingly blocking users who visit from Tor.

4 of 84 comments (clear)

  1. Blocking Tor solves nothing by Anonymous Coward · · Score: 5, Insightful

    Blocking Tor doesn't address the actual problem, which is that the banks' authentication and authorization mechanisms are failing. What's more, it's highly likely that the criminals described here are only using Tor because it provides decent anonymity with low cost/effort. If Tor is blocked, they'll almost certainly just move to some other proxy setup that's modestly more expensive. Heck, as far as I know, nothing really stops anyone from setting up their own members-only Tor network (the project doesn't promote this, presumably because the benefits of the network scale with its size). This is just one facet of a broader problem that's only going to get worse as more IP addresses accumulate "bad reputations" while being continually recycled by cloud providers, mobile carrier networks, and others.

  2. $24 Million over a Decade by Anonymous Coward · · Score: 2, Insightful

    This is a completely insignificant amount. It is probably less than restaurant tips for the banking industry over a year.

  3. Re:Missing info by suutar · · Score: 5, Insightful

    Personally, I don't mind the bank knowing I accessed my account. Comcast, however, has no need to know that. Nor does Level3. Nor, unless they have reasonable suspicion, does the government (although I am well aware that the bank will hand over the records in a heartbeat). So the question is, do I care enough about whether they know to put effort into keeping them from knowing? For some people, the answer will be yes. For you, perhaps not.

  4. Re:Craigslist already does this... by khchung · · Score: 3, Insightful

    I'm not sure why banks don't, but Craigslist already blocks almost all Tor nodes--despite its comparatively meager resources (vs. banks')...

    Simply because the banks are not responsible for the losses?

    The summary said "nearly $24 million in bank account takeovers by hackers", see? The banks simply pass the loss to their customers by calling it identity theft! Hey, you account has been taken over by hackers! Your loss.

    In countries where the banks themselves are responsible for these losses (they called these, rightly, fraud against the bank), you see banks taking measures to stop these thefts. In the US, the banks simply don't care.

    --
    Oliver.