US Treasury Dept: Banks Should Block Tor Nodes
tsu doh nimh writes: A new report from the U.S. Treasury Department found that nearly $24 million in bank account takeovers by hackers (and other cyber theft over the past decade) might have been thwarted had affected institutions known to look for and block transactions coming through the Tor anonymity network. Brian Krebs cites from the non-public report, which relied on an analysis of suspicious activity reports filed by banks over the past decade: "Analysis of these documents found that few filers were aware of the connection to Tor, that the bulk of these filings were related to cybercrime, and that Tor-related filings were rapidly rising. Our BSA [Bank Secrecy Act] analysis of 6,048 IP addresses associated with the Tor darknet found that in the majority of the SAR filings, the underlying suspicious activity — most frequently account takeovers — might have been prevented if the filing institution had been aware that their network was being accessed via Tor IP addresses." Meanwhile, the Tor Project continues to ask for assistance in adapting the technology to an Internet that is increasingly blocking users who visit from Tor.
Blocking Tor doesn't address the actual problem, which is that the banks' authentication and authorization mechanisms are failing. What's more, it's highly likely that the criminals described here are only using Tor because it provides decent anonymity with low cost/effort. If Tor is blocked, they'll almost certainly just move to some other proxy setup that's modestly more expensive. Heck, as far as I know, nothing really stops anyone from setting up their own members-only Tor network (the project doesn't promote this, presumably because the benefits of the network scale with its size). This is just one facet of a broader problem that's only going to get worse as more IP addresses accumulate "bad reputations" while being continually recycled by cloud providers, mobile carrier networks, and others.
The important thing is not how much wrong/hacked/whatever money came in, but what the percentage of legit versus non-legit transactions is. If the percentage was 10% (240 M$ per year Tx, 24M$ hacked) and you compare to the real world at, say, 1T$, 3B$ hacked, then it looks bad in comparison and there are grounds for banks to think about forbidding Tor. On the other hand, if the % is reversed (% hacked/total) and there is more illegit Tx outside Tor, then the discussion is not warranted. That info is missing. Without it nothing can be decided, except that the US government does not like TOR maybe.
A few BILLIONS of taxpayer money could have been saved from being squandered if we had installed a banking supervision deserving that name. At least AFTER the bailout we should have.
It's just plain idiotic if not outright dangerous to show them that we'll not only foot the bill if their high stakes gambling doesn't work out but also take no precaution whatsoever to keep them from repeating it!
24 million? Pfffft, why're we even talking about chump change?
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
There are dozens and dozens of anonymous VPNs available, plus free wifi at Starbucks, McD and so on, etc.
If the strongest link in the chain is the identity of the "last hop" connecting to the web server, they're seriously screwed.