US Treasury Dept: Banks Should Block Tor Nodes
tsu doh nimh writes: A new report from the U.S. Treasury Department found that nearly $24 million in bank account takeovers by hackers (and other cyber theft over the past decade) might have been thwarted had affected institutions known to look for and block transactions coming through the Tor anonymity network. Brian Krebs cites from the non-public report, which relied on an analysis of suspicious activity reports filed by banks over the past decade: "Analysis of these documents found that few filers were aware of the connection to Tor, that the bulk of these filings were related to cybercrime, and that Tor-related filings were rapidly rising. Our BSA [Bank Secrecy Act] analysis of 6,048 IP addresses associated with the Tor darknet found that in the majority of the SAR filings, the underlying suspicious activity — most frequently account takeovers — might have been prevented if the filing institution had been aware that their network was being accessed via Tor IP addresses." Meanwhile, the Tor Project continues to ask for assistance in adapting the technology to an Internet that is increasingly blocking users who visit from Tor.
However, the advice does make sense. There is no legitimate reason to connect to a bank through TOR (the bank already knows who you are), and anon attacks are much easier to keep anon if they come from TOR.
If you were doing a withdrawal, wouldn't the bank know it's not a web browser if the criminal had some hidden command-line code running trying to, say, transfer money via the bank website?
"So Tor has always had that problem, your messages travel the Internet, but the WWW refuses to give you service."
Wrong. Nothing prevents a Tor user from browsing through 1, 2, 3, or more web proxies, which further prevents them from being spotted as a Tor user, or as a Tor user using just one proxy.
BrowserSpy has a nice proxy detection option. If you're going through Tor and then a web proxy, you can check proxy detection:
http://browserspy.dk/
No proxy is the best answer. Now you go find another web proxy, and another one and another one and just use them for a small window and never use them again. Mix it with loading a large website/image/download in the background.
Just don't do this with anything involving legal matters. Just if you're browsing say WalMart's site or something. ^_^
Blocking Tor doesn't address the actual problem, which is that the banks' authentication and authorization mechanisms are failing. What's more, it's highly likely that the criminals described here are only using Tor because it provides decent anonymity with low cost/effort. If Tor is blocked, they'll almost certainly just move to some other proxy setup that's modestly more expensive. Heck, as far as I know, nothing really stops anyone from setting up their own members-only Tor network (the project doesn't promote this, presumably because the benefits of the network scale with its size). This is just one facet of a broader problem that's only going to get worse as more IP addresses accumulate "bad reputations" while being continually recycled by cloud providers, mobile carrier networks, and others.
The important thing is not how much wrong/hacked/whatever money came through, but what the percentage of legit versus non-legit transactions is. If the percentage was 10% ($240M per year in Tx, $24M hacked) and you compare to the real world and, say, $1T, $3B hacked, then it looks bad in comparison and there are grounds for a bank to think about forbidding Tor. On the other hand, if the % is reversed (% hacked/total) and there are more illegitimate Tx outside Tor, then the discussion is not warranted. That info is missing. Without it nothing can be decided, except that maybe the US government does not like Tor.
It sounds stupid because it is. Tor is just a 'proxy' for scapegoating anonymity. Crime is still done the old-fashioned way. In fact, a smart criminal would avoid Tor. Damn thing is just a honeypot anyway.
“He’s not deformed, he’s just drunk!”
Most big hackers already do.
Blocking Tor makes people feel more secure, but that's about all it will do.
This is a completely insignificant amount. It is probably less than restaurant tips for the banking industry over a year.
There are a few ways around this; the easiest is to just run an anonymous proxy server on their computer (one that runs without a GUI, so it's invisible) and then run your browser through that.
When I traveled I used to have a proxy server running at home so if I had to make it look like I was coming from home I could.
You could also run a VNC server on their computer and actually open a browser on their screen; you just have to check if their monitor is off first, which is possible with the Windows API. You could also check if the screensaver is on, then pray that they are away from the terminal long enough to do what you need to do, and then put the screensaver back on.
Probably the most common way though is to simply run a coded bot that would do this for you (the hacker) on the compromised computer, but you have to be really good at coding bots and make darn sure that you know which bank website is needed and what steps are required in proper sequence. Languages like Python or Perl make it very easy these days but then you may have to install a whole slew of libraries onto the target computer, it's best if you can get the bot into a single executable.
Back before TOR, and even today, the best hackers route through dozens (hundreds) of compromised computers before the target host. It's always possible to trace, but if you run through countries with uncooperative governments it could take forever to track back to the attacker, and if they were using a spoofed MAC address from some random Internet cafe in Buenos Aires, forget about it.
The only thing is, where would they transfer this money to or what would they buy? That's what requires the most clever thought process on the side of the attacker because accessing that money is the most traceable usually.
A few BILLION in taxpayer money could have been saved from being squandered if we had installed banking supervision deserving of that name. At least AFTER the bailout we should have.
It's just plain idiotic if not outright dangerous to show them that we'll not only foot the bill if their high stakes gambling doesn't work out but also take no precaution whatsoever to keep them from repeating it!
24 million? Pfffft, why're we even talking about chump change?
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
There are dozens and dozens of anonymous VPNs available, plus starbucks, McD and so on free wifi, etc.
If the strongest link in the chain is the identity of the "last hop" connecting to the web server, they're seriously screwed.
Treasury dept wants to make sure that as much information as possible is gathered about when, where and how you make transactions involving your money at your banking institution. Why? Because you might be a naughty boy. I'll leave it to others to define "naughty".
The internet is slowly splitting into anonymous and identifiable user connections. The security aspects aside, anon connections make it much more difficult to track and collect user data for sale or to promote a site's products. As a result, I think we'll see more and more efforts to block anon connections, as the real cost is in the lost revenue, not the amounts lost to criminal activities. If the losses due to theft and fraud become too large the banks will figure it out; right now my guess is that the cost of solving the problem is greater than the losses, so there is no strong incentive to fix it.
I'm a consultant - I convert gibberish into cash-flow.
Sure, these attacks came over TOR. But blocking TOR would have done exactly nothing to prevent them, as attackers would then just have used slightly more expensive hacked computers to carry out the attacks.
Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
Why aren't all members of the Tor network forced to be exit nodes? Your traffic could then be sent to the public internet through a random exit node for every single TCP connection you make.
If it ain't broke, don't fix it.
I set up a Raspberry Pi as a Tor *relay* (not a Tor exit node) just as a weekend project this year. Within a couple of days, we couldn't log into our bank (TD Canada Trust). I was able to log in by VPN'ing into my work PC. I took the Tor relay offline, and within a couple of days I could log into my bank again from home. Both relay and exit node IPs are public knowledge, but I still think it's wrong to block relays.
"I have never let my schooling interfere with my education." - Mark Twain
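The relay-versus-exit distinction in the comment above is visible in the Tor consensus that the directory authorities publish: each relay gets an "s" line of flags, and only relays that actually carry traffic out to the public internet carry the Exit flag. The following is an added example, not code from this thread or from the Tor Project, of a filter that keys on that flag instead of on "any Tor relay IP". The consensus excerpt is constructed (fake identity and digest fields, RFC 5737 documentation addresses) in the real network-status line layout, and the login_decision policy with its block_all_relays switch is hypothetical.

```python
"""Tell Tor exits from non-exit relays before deciding to challenge a login.

Added example (not code from the thread or from the Tor Project). The consensus
excerpt is constructed: fake identity/digest fields, RFC 5737 documentation
addresses, real network-status line layout.
"""
from dataclasses import dataclass, field

# Constructed excerpt in the consensus layout: an "r" line per relay
# (nickname, identity, digest, published date, time, IP, ORPort, DirPort),
# then "s" (flags assigned by the directory authorities), "w" (bandwidth)
# and "p" (exit-policy summary). "homepi" stands in for the relay in the
# comment above: Running and Valid, but no Exit flag and a reject-all policy.
CONSENSUS_EXCERPT = """\
r homepi AAAAAAAAAAAAAAAAAAAAAAAAAAA BBBBBBBBBBBBBBBBBBBBBBBBBBB 2014-12-01 03:14:15 198.51.100.23 9001 0
s Fast Running Stable Valid
w Bandwidth=1200
p reject 1-65535
r bigexit CCCCCCCCCCCCCCCCCCCCCCCCCCC DDDDDDDDDDDDDDDDDDDDDDDDDDD 2014-12-01 02:00:00 203.0.113.77 443 80
s Exit Fast Guard HSDir Running Stable V2Dir Valid
w Bandwidth=45000
p accept 80,443
r badone EEEEEEEEEEEEEEEEEEEEEEEEEEE FFFFFFFFFFFFFFFFFFFFFFFFFFF 2014-12-01 01:30:00 203.0.113.9 9001 9030
s BadExit Exit Fast Running Valid
w Bandwidth=900
p accept 1-65535
"""


@dataclass
class Relay:
    nickname: str
    ip: str
    or_port: int
    flags: set = field(default_factory=set)
    policy: str = ""


def parse_consensus(text: str) -> list:
    """Parse r/s/p lines into Relay records; other line types are skipped."""
    relays, current = [], None
    for line in text.splitlines():
        parts = line.split()
        if not parts:
            continue
        if parts[0] == "r" and len(parts) >= 9:
            current = Relay(nickname=parts[1], ip=parts[6], or_port=int(parts[7]))
            relays.append(current)
        elif parts[0] == "s" and current is not None:
            current.flags = set(parts[1:])
        elif parts[0] == "p" and current is not None:
            current.policy = " ".join(parts[1:])
    return relays


def build_index(relays: list) -> tuple:
    """Split relay IPs into exits (Exit flag, BadExit or not) and non-exits."""
    exits, non_exits = set(), set()
    for relay in relays:
        (exits if "Exit" in relay.flags else non_exits).add(relay.ip)
    return exits, non_exits


def classify(ip: str, exits: set, non_exits: set) -> str:
    if ip in exits:
        return "exit"
    if ip in non_exits:
        return "relay"
    return "none"


def login_decision(ip: str, exits: set, non_exits: set,
                   block_all_relays: bool = False) -> str:
    """Hypothetical bank policy: step up authentication for Tor exits only.

    block_all_relays=True reproduces the over-broad list that locked the
    commenter's home address out: a connection from a non-exit relay's IP is
    the relay operator's own traffic, not anonymised Tor traffic.
    """
    kind = classify(ip, exits, non_exits)
    if kind == "exit" or (kind == "relay" and block_all_relays):
        return "step_up"
    return "allow"


if __name__ == "__main__":
    exits, non_exits = build_index(parse_consensus(CONSENSUS_EXCERPT))
    for ip in ("198.51.100.23", "203.0.113.77", "203.0.113.9", "192.0.2.1"):
        print(ip, classify(ip, exits, non_exits),
              login_decision(ip, exits, non_exits),
              login_decision(ip, exits, non_exits, block_all_relays=True))
```

Two caveats for anyone turning this into a production check. The address a bank sees is the exit's outbound address, which on a multi-homed exit can differ from the OR address in the consensus; the exit-address list the Tor Project publishes (TorDNSEL) exists for exactly that reason and should be preferred over the consensus alone. And a BadExit relay is still counted as an exit here, since that flag marks it as misbehaving, not as non-exit.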
$24 million sounds like a lot, but it is just a fraction of what was lost to hackers. Tor is an easy target, though. It lets the country think something is being done, but it will have little impact. It's kind of like going after college kids for downloading songs and movies when in SE Asia they are being duplicated by the truckload for resale.
Tor just makes it hard to track who did it. Banks and financial institutions need to beef up their security regardless of whether Tor is involved or not.
It's not meant to be the strongest link in the chain. Just a link in the chain. If, every time someone connects in a suspicious way, you call their cell-phone to verify, or ask for an extra one-time password, or at the very least send them an email, then you can detect/prevent a lot of fraud. (This applies not only to Tor, but to any type of "unusual" connection, for example connecting from Russia five minutes after using a credit card in the U.S.)
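The comment above describes Tor as one risk signal among several, with the response scaled to the signal: an e-mail at the low end, an extra one-time password or a phone call at the high end, and "connecting from Russia five minutes after using a credit card in the U.S." as the canonical impossible-travel case. The following is an added example, not code from this thread or from any bank, that scores a login against the previous transaction on those signals. The weights, thresholds, exit set and events are all constructed, and geolocation of the IP is assumed to have already happened (latitude, longitude and country are inputs).

```python
"""Risk-based step-up for a bank login on the signals named in the comment
above: Tor exit as source address, unknown device, impossible travel since
the previous transaction, country change.

Added example, not from the thread or any bank. Weights, thresholds, the exit
set and all events are constructed; IP geolocation is assumed to be done
upstream, so lat/lon/country arrive as inputs.
"""
from dataclasses import dataclass
from math import asin, cos, radians, sin, sqrt

EARTH_RADIUS_KM = 6371.0
MAX_PLAUSIBLE_SPEED_KMH = 900.0   # about airliner speed; hypothetical threshold
CITY_JITTER_KM = 50.0             # geo-IP is city-accurate at best; ignore below this

# Hypothetical weights; a Tor exit on its own already forces an OTP.
WEIGHTS = {"impossible_travel": 3, "tor_exit": 2, "new_device": 1, "country_change": 1}

# Constructed exit set (RFC 5737 address) standing in for a real exit list.
SAMPLE_TOR_EXITS = frozenset({"203.0.113.77"})


@dataclass
class Event:
    when: float        # Unix time, seconds
    ip: str
    lat: float
    lon: float
    country: str
    device_id: str


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points, in km."""
    p1, p2 = radians(lat1), radians(lat2)
    dlat, dlon = p2 - p1, radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(p1) * cos(p2) * sin(dlon / 2) ** 2
    return 2 * EARTH_RADIUS_KM * asin(sqrt(a))


def implied_speed_kmh(prev, cur):
    """Speed the customer would have needed to get from prev to cur."""
    km = haversine_km(prev.lat, prev.lon, cur.lat, cur.lon)
    if km < CITY_JITTER_KM:
        return 0.0
    hours = (cur.when - prev.when) / 3600.0
    if hours <= 0:
        return float("inf")
    return km / hours


def risk_signals(prev, cur, tor_exits, known_devices):
    signals = []
    if cur.ip in tor_exits:
        signals.append("tor_exit")
    if cur.device_id not in known_devices:
        signals.append("new_device")
    if prev is not None:
        if implied_speed_kmh(prev, cur) > MAX_PLAUSIBLE_SPEED_KMH:
            signals.append("impossible_travel")
        elif prev.country != cur.country:
            signals.append("country_change")
    return signals


def decide(signals):
    """Map the summed weights to the responses the comment lists."""
    score = sum(WEIGHTS[s] for s in signals)
    if score == 0:
        return "allow"
    if score == 1:
        return "notify"   # let it through, but e-mail the customer
    if score <= 3:
        return "otp"      # ask for an extra one-time password
    return "call"         # hold the session and phone the customer


def assess(prev, cur, tor_exits=SAMPLE_TOR_EXITS, known_devices=frozenset()):
    signals = risk_signals(prev, cur, tor_exits, known_devices)
    return decide(signals), signals


if __name__ == "__main__":
    # The comment's scenario: card used in New York, login from Moscow 5 min later,
    # arriving from a Tor exit, on the customer's usual device.
    card = Event(1_400_000_000.0, "192.0.2.10", 40.7128, -74.0060, "US", "laptop-1")
    login = Event(1_400_000_300.0, "203.0.113.77", 55.7558, 37.6173, "RU", "laptop-1")
    print(assess(card, login, known_devices={"laptop-1"}))
```

The `elif` keeps a country change from being double-counted when travel is already impossible, and the city-jitter floor stops two geo-IP fixes for the same metro area from looking like a sprint across town. Tuning the weights is the bank's call; the point is that the Tor signal is fed into the same decision as everything else rather than being a standalone block.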
I found a $25 withdrawal from my savings account showing up as "Check converted to an electronic transaction by the merchant" from a Kohls store. I don't shop at Kohls, and that account doesn't even have checks, so this was either an error entering the account number or a crook. Kohls wouldn't give me any information on this, saying it wasn't available; escalating it higher only got me a "we'll get back to you", which never happened. The bank said there's nothing they can do to prevent this from happening again except to close the account and reopen it with a different account number. The bank refunded the $25, but I would never have noticed if I hadn't checked all the transactions on the statement. Long story short, anyone can enter a routing and account number and make purchases if they get a lucky number that works.
So has Tor been around 10 years yet? (Honestly too lazy to look it up, but I don't think so.) I'm sure $2.4m a year is less money than gets stolen from chip-and-pin cards; this is blatant NSA anti-public-privacy nonsense. There is probably more money stolen from people digging out cash machines and dragging them off into the night.
Sometimes it is better to live with risk which at least offers some useful feedback.
Going forward with a token reaction sure to be trivially countered in short order will very likely also carry the side effect of reducing your ability to detect future fraudulent activity.
If not Tor it will be a botnet; if not a botnet it will come from some rinky-dink VPS.
Much better to invest in technological solutions to address root cause such as distribution of hardware keys less susceptible to electronic theft.
I'm not sure why banks don't, but Craigslist already blocks almost all Tor nodes--despite its comparatively meager resources (vs. banks')...
Windows 3.1x calc: 3.11 - 3.10 = 0.00
I have an agreement with my bank. If I present certain identifying information, they give me access to my accounts. Why would this change if I access their servers from another IP address?
...omphaloskepsis often...