US Treasury Dept: Banks Should Block Tor Nodes
tsu doh nimh writes: A new report from the U.S. Treasury Department found that nearly $24 million in bank account takeovers by hackers (and other cyber theft over the past decade) might have been thwarted had affected institutions known to look for and block transactions coming through the Tor anonymity network. Brian Krebs cites from the non-public report, which relied on an analysis of suspicious activity reports filed by banks over the past decade: "Analysis of these documents found that few filers were aware of the connection to Tor, that the bulk of these filings were related to cybercrime, and that Tor-related filings were rapidly rising. Our BSA [Bank Secrecy Act] analysis of 6,048 IP addresses associated with the Tor darknet found that in the majority of the SAR filings, the underlying suspicious activity — most frequently account takeovers — might have been prevented if the filing institution had been aware that their network was being accessed via Tor IP addresses." Meanwhile, the Tor Project continues to ask for assistance in adapting the technology to an Internet that is increasingly blocking users who visit from Tor.
"So Tor has always had that problem, your messages travel the Internet, but the WWW refuses to give you service."
Wrong. Nothing prevents a Tor user from browsing through 1, 2, 3, or more web proxies, which further prevents them from being spotted as a Tor user, or as a Tor user using just one proxy.
BrowserSpy has a nice proxy detection option. If you're going through Tor and then a web proxy, you can check proxy detection:
http://browserspy.dk/
No proxy is the best answer. Now you go find another web proxy, and another one and another one and just use them for a small window and never use them again. Mix it with loading a large website/image/download in the background.
Just don't do this with anything involving legal matters. Just if you're browsing say WalMart's site or something. ^_^
Blocking Tor doesn't address the actual problem, which is that the banks' authentication and authorization mechanisms are failing. What's more, it's highly likely that the criminals described here are only using Tor because it provides decent anonymity with low cost/effort. If Tor is blocked, they'll almost certainly just move to some other proxy setup that's modestly more expensive. Heck, as far as I know, nothing really stops anyone from setting up their own members-only Tor network (the project doesn't promote this, presumably because the benefits of the network scale with its size). This is just one facet of a broader problem that's only going to get worse as more IP addresses accumulate "bad reputations" while being continually recycled by cloud providers, mobile carrier networks, and others.
What matters is not how much wrong/hacked/whatever money came through, but what the percentage of legit versus non-legit transactions is. If the percentage was 10% (240M$ per year in Tx, 24M$ hacked) and you compare to the real world and, say, 1T$ with 3B$ hacked, then it looks bad in comparison and there is ground for a bank to think about forbidding Tor. On the other hand, if the % (hacked/total) is reversed and there are more illegit Tx outside Tor, then the discussion is not warranted. That info is missing. Without it nothing can be decided, except that the US government does not like Tor, maybe.
This is a completely insignificant amount. It is probably less than restaurant tips for the banking industry over a year.
There are a few ways around this, the easiest is to just run an anonymous proxy server on their computer (one that runs without a GUI so it's invisible) and then run your browser through that.
When I traveled I used to have a proxy server running at home so if I had to make it look like I was coming from home I could.
You could also run a VNC server on their computer and actually open a browser on their screen. You just have to check first whether their monitor is off, which is possible with the Windows API; you could also check whether the screensaver is on, then pray that they are away from the terminal long enough to do what you need to do, and then put the screensaver back on.
Probably the most common way though is to simply run a coded bot that would do this for you (the hacker) on the compromised computer, but you have to be really good at coding bots and make darn sure that you know which bank website is needed and what steps are required in proper sequence. Languages like Python or Perl make it very easy these days but then you may have to install a whole slew of libraries onto the target computer, it's best if you can get the bot into a single executable.
Back before TOR, and even today, the best hackers route through dozens (hundreds) of compromised computers before the target host. It's always possible to trace, but if you run through countries with uncooperative governments it could take forever to track back to the attacker, and if they were using a spoofed MAC address from some random Internet cafe in Buenos Aires, forget about it.
The only thing is, where would they transfer this money to or what would they buy? That's what requires the most clever thought process on the side of the attacker because accessing that money is the most traceable usually.
A few BILLIONS of taxpayer money could have been saved from being squandered if we had installed a banking supervision deserving that name. At least AFTER the bailout we should have.
It's just plain idiotic if not outright dangerous to show them that we'll not only foot the bill if their high stakes gambling doesn't work out but also take no precaution whatsoever to keep them from repeating it!
24 million? Pfffft, why're we even talking about chump change?
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
There are dozens and dozens of anonymous VPNs available, plus starbucks, McD and so on free wifi, etc.
If the strongest link in the chain is the identity of the "last hop" connecting to the web server, they're seriously screwed.
I setup a Raspberry Pi as a tor *relay* (not a tor exit node) just as a weekend project this year. Within a couple of days, we couldn't log into our bank (TD Canada Trust). I was able to log in by VPN'ing into my work PC. I took the tor relay offline, and within a couple of days I could log into my bank again from home. Both relays and exit node IPs are public knowledge, but I still think it's wrong to block relays.
"I have never let my schooling interfere with my education." - Mark Twain
Fail. The bank does not know where you are accessing their services from and it has no business knowing that info.
Says who?
Go and try to use your Credit Card in another country, in quick succession over a short period (say 24 hours) and then see how they may put a freeze on that card, and then require you to phone them up to unfreeze it and then get asked (quite rightly) a number of questions relating to where and when you made those transactions.
This is no different in effect.
I thank them for that frankly - I've had a few cases of my card being 'used' elsewhere after having travelled extensively for business in various countries overseas (in Europe mainly). Believe me, the banks will do anything to prevent liability to them; if you are going to anonymize, or they suspect even a whiff of 'unusual' activity, they are going to stop you.
You are using their services, you have to abide by their terms. Don't like it? There's always your mattress.
I found a $25 withdrawal from my Savings account showing up as "Check converted to an electronic transaction by the merchant" from a Kohls store. I don't shop at Kohls, and that account doesn't even have checks, so this was either an error entering the account number or a crook. Kohls wouldn't give me any information on this saying it wasn't available, escalating it higher only got me a "we'll get back to you" which never happened. The bank said there's nothing they can do to prevent this from happening again except to close the account and reopen it with a different account number. The bank refunded the $25, but I would never have noticed if I hadn't checked all the transactions on the statement. Long story short, anyone can enter a routing and account number and make purchases if they get a lucky number that works.
Well ... I worked for a company who dealt with lots of PII (like, info on *every* person in the US). We put together a system to monitor what TOR nodes existed, and compared attacks to TOR nodes. It was significantly used as an attack vector, not only because of the anonymity, but because the attacker could change IPs frequently. Not a single legitimate user used TOR.
We decided it was worth protecting our users, and the PII of everyone in the US, to refuse any traffic from TOR.
Banks doing the same thing does seem like it's in the best interest of the customers.
If you are a legitimate user, and some 3rd party logs into your account and transfers money out, would you prefer the bank to say "Sorry, it was some random person, and we have no way to find or prosecute them. They will likely do it again." or "The intruder was found and prosecuted."
Depending on the theft, you may or may not get your funds back. If someone goes in and transfers funds as you, some banks aren't willing to refund the transaction. Transfers aren't handled like credit card transactions, which are easily refunded.
Even if your bank does give you the stolen money back, that means they've absorbed the cost. So your loss ($1 or $1M) and refund, is now added to the fees, because the bank's operating expenses are higher.
I'd prefer the "inconvenience" of not being allowed to use TOR and other anonymous relays, and not have the bank have a huge and expensive fee schedule to make up for losses that are impossible to recoup from the thieves.
Serious? Seriousness is well above my pay grade.
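The two comments above describe the same control from opposite sides: one poster built a system that watched which Tor nodes existed and matched attack sources against them, while the earlier poster running a non-exit relay at home found the bank blocking his address. The example below, added here and not code from either poster, the bank, or the Tor Project, shows the distinction a practitioner wants to keep. Only exit relays originate connections toward a destination, so a non-exit relay's IP appears as a web-tier source only when the operator's own machine shares that address. The relay table is constructed sample data shaped like a Tor consensus excerpt (nickname, address, flags), and the login log lines are constructed too; a real deployment would parse the published consensus or exit list instead, and the `classify`/`triage` names are this example's own.

```python
"""Match inbound login sources against a Tor relay list, separating
exit relays (which do originate traffic) from non-exit relays (whose
IPs should at most be flagged, never blocked outright).

Added example; relay and log data below are CONSTRUCTED, not real.
"""
import re
from typing import Dict, List, Set, Tuple

# Constructed consensus-style excerpt: "r <nickname> <ip> <flags...>".
# In a real consensus, the Exit flag marks relays whose exit policy
# permits traffic to leave the network.
SAMPLE_RELAYS = """\
r exit1 203.0.113.10 Exit Fast Running Stable Valid
r exit2 203.0.113.11 Exit Fast Running Valid
r guard1 198.51.100.20 Fast Guard Running Stable Valid
r middle1 198.51.100.21 Fast Running Valid
"""

# Constructed web-tier authentication log lines.
SAMPLE_LOG = """\
2014-12-03T10:00:01Z login ok user=alice src=192.0.2.55
2014-12-03T10:00:07Z login ok user=bob src=203.0.113.10
2014-12-03T10:00:09Z login fail user=carol src=198.51.100.20
2014-12-03T10:00:15Z login ok user=dave src=203.0.113.11
"""

LOG_RE = re.compile(r"login (?P<result>\w+) user=(?P<user>\S+) src=(?P<ip>\S+)")


def parse_relays(text: str) -> Dict[str, Set[str]]:
    """Map relay IP -> set of flags from consensus-like 'r' lines."""
    relays: Dict[str, Set[str]] = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0] != "r":
            continue
        ip, flags = parts[2], set(parts[3:])
        relays[ip] = flags
    return relays


def classify(ip: str, relays: Dict[str, Set[str]]) -> str:
    """Return 'exit', 'non-exit-relay' or 'clear' for a source IP."""
    flags = relays.get(ip)
    if flags is None:
        return "clear"
    return "exit" if "Exit" in flags else "non-exit-relay"


def triage(log: str, relays: Dict[str, Set[str]],
           block_non_exit: bool = False) -> List[Tuple[str, str, str, str]]:
    """Decide allow/flag/block per login line.

    Default policy blocks exits only; a non-exit relay IP is flagged for
    review, since that traffic is the operator's own, not Tor's.  Setting
    block_non_exit=True reproduces the over-blocking behaviour the relay
    operator above ran into.
    """
    decisions = []
    for line in log.splitlines():
        m = LOG_RE.search(line)
        if not m:
            continue
        ip = m["ip"]
        verdict = classify(ip, relays)
        if verdict == "exit" or (block_non_exit and verdict == "non-exit-relay"):
            action = "block"
        elif verdict == "non-exit-relay":
            action = "flag"
        else:
            action = "allow"
        decisions.append((m["user"], ip, verdict, action))
    return decisions


def blocked_ips(log: str, relays: Dict[str, Set[str]],
                block_non_exit: bool = False) -> Set[str]:
    """Convenience view: the set of source IPs the policy would block."""
    return {ip for _, ip, _, act in triage(log, relays, block_non_exit)
            if act == "block"}


if __name__ == "__main__":
    table = parse_relays(SAMPLE_RELAYS)
    for row in triage(SAMPLE_LOG, table):
        print(row)
    print("exit-only policy blocks:", sorted(blocked_ips(SAMPLE_LOG, table)))
    print("relay policy blocks:   ",
          sorted(blocked_ips(SAMPLE_LOG, table, block_non_exit=True)))
```

With the exit-only policy, bob and dave (arriving from exit addresses) are blocked and carol, whose home address is also a guard relay, is merely flagged; switching to `block_non_exit=True` locks carol out as well, which is the TD Canada Trust behaviour described above. Either way the list is only as good as its refresh cadence, since relay IPs change daily and the exit set shifts with it.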
I'm not sure why banks don't, but Craigslist already blocks almost all Tor nodes--despite its comparatively meager resources (vs. banks')...
Simply because the banks are not responsible for the losses?
The summary said "nearly $24 million in bank account takeovers by hackers", see? The banks simply pass the loss to their customers by calling it identity theft! Hey, your account has been taken over by hackers! Your loss.
In countries where the banks themselves are responsible for these losses (they call this, rightly, fraud against the bank), you see banks taking measures to stop these thefts. In the US, the banks simply don't care.
Oliver.