Slashdot Mirror


Third Party Trackers On Web Shops Can Identify Users Behind Bitcoin Transactions (helpnetsecurity.com)

An anonymous reader quotes a report from Help Net Security: More and more shopping websites accept cryptocurrencies as a method of payment, but users should be aware that these transactions can be used to deanonymize them -- even if they are using blockchain anonymity techniques such as CoinJoin. Independent researcher Dillon Reisman and Steven Goldfeder, Harry Kalodner and Arvind Narayanan from Princeton University have demonstrated that third-party online tracking provides enough information to identify a transaction on the blockchain, link it to the user's cookie and, ultimately, to the user's real identity. "Based on tracking cookies, the transaction can be linked to the user's activities across the web. And based on well-known Bitcoin address clustering techniques, it can be linked to their other Bitcoin transactions," they noted. "We show that a small amount of additional information, namely that two (or more) transactions were made by the same entity, is sufficient to undo the effect of mixing. While such auxiliary information is available to many potential entities -- merchants, other counterparties such as websites that accept donations, intermediaries such as payment processors, and potentially network eavesdroppers -- web trackers are in the ideal position to carry out this attack," they pointed out.

63 comments

  1. Bitcoin = least secure transaction of all by Anonymous Coward · · Score: 3, Informative

    The only benefit of Bitcoin is that it's a pyramid scheme.

    1. Re:Bitcoin = least secure transaction of all by Anonymous Coward · · Score: 0

      ... You really have no idea that bitcoin operates on a scaling difficulty.. do you?

    2. Re:Bitcoin = least secure transaction of all by Anonymous Coward · · Score: 0

      Bitcoin has another benefit to the Chinese government that they can trivially 51% attack it any time they feel like it.

    3. Re:Bitcoin = least secure transaction of all by Anonymous Coward · · Score: 0

      You really have no idea that bitcoin has a finite limit, do you?

    4. Re: Bitcoin = least secure transaction of all by Anonymous Coward · · Score: 0

      Moore's Law is ending. Returns are smaller than they ever have been.

    5. Re:Bitcoin = least secure transaction of all by Anonymous Coward · · Score: 0

      That doesn't make it valueless. On the contrary. Look at gold or diamonds. It is finite as well (and diamonds are even a huge scam). Value is set by market.

    6. Re:Bitcoin = least secure transaction of all by Anonymous Coward · · Score: 0

      Sell all your Bitcoin and buy Dash instead if you want anonymity.

    7. Re:Bitcoin = least secure transaction of all by JcMorin · · Score: 1

      Bitcoin does not have an issue with the protocol. I can't forge a transaction that will steal your balance like you could with a check. The "fraud" we see is more like, if I hack your computer or your phone, I can use that to sign a valid transaction without your consent... it's more a security issue than a protocol problem. The transactions are very secure, there are millions/billions moving every day.

    8. Re:Bitcoin = least secure transaction of all by Anonymous Coward · · Score: 0

      Its value is set by usefulness. If the world's population was 1 Trillion, how much use would the limited number of bitcoins be?

    9. Re:Bitcoin = least secure transaction of all by Anonymous Coward · · Score: 0

      It's centralized. Which means government goons can walk in, make some threats and get what they want.

      it needs to be...
      1. Decentralized.
      2. Peer to Peer
      3. Fully encrypted.
      4. Designed to expand with the economy.
      5. Fully anonymous if one desires.

    10. Re:Bitcoin = least secure transaction of all by Anonymous Coward · · Score: 0

      Sell all your Bitcoin and buy Monero instead if you want anonymity.

    11. Re:Bitcoin = least secure transaction of all by Anonymous Coward · · Score: 0

      Likely more so than Diamonds, since they have zero value to most individuals as well.

      Think of another argument, that one didn't work.

  2. Shipping Address? by Anonymous Coward · · Score: 5, Informative

    And they've really got you when you enter your name and shipping address.

    1. Re:Shipping Address? by Anonymous Coward · · Score: 3, Funny

      That's why I have all my deliveries sent to my neighbor and then I burglarize their house as soon as I get the delivery notification.

    2. Re:Shipping Address? by sthomas · · Score: 3, Funny

      YOU get the notification?!? GOTCHA!!

    3. Re:Shipping Address? by ChatHuant · · Score: 1

      YOU get the notification?!? GOTCHA!!

      Well, obviously, he also intercepts the neighbor's e-mail - I mean, doesn't everybody?

    4. Re:Shipping Address? by Anubis IV · · Score: 1

      There seems to be this common misconception among the general population that Bitcoin is anonymous in the same way that cash is. What people don't realize is that it's pseudonymous, not anonymous, and that if you allow the veil to be lifted for even one transaction, legal or otherwise, then every transaction you make, legal or otherwise, can be traced back to you. Oh, and everyone's entire history of transactions is publicly accessible too, so if your pseudonym is pierced, anyone and everyone can see who you've done business with.

      At least with credit cards that data is only in the hands of the credit card processors and the people willing to pay them for that info. It's not a good situation by any means, but I'll take it over Bitcoin.

  3. What idiot doesn't block/erase cookies by Anonymous Coward · · Score: 0

    If you care about anonymity, one of the first things you do is find a way to deal with cookies.

    There are a lot of nice extensions that auto-delete when you leave a page. Not hard to install at all.

    1. Re:What idiot doesn't block/erase cookies by Anonymous Coward · · Score: 0

      The problem is the other people who don't care/know how to be anonymous. How much do you want to bet that someone has or will come up with a way to figure out who you are just by figuring out where the bitcoin you're paying with came from in the blockchain before you or where it's going after you. I don't need to see the whole picture to be able to guess what it is, if I have enough data points. If the guy before you was a retard, and the guy after you is a retard, you're made.

    2. Re: What idiot doesn't block/erase cookies by Anonymous Coward · · Score: 0

      It is about trackers and browser fingerprinting. Pretty old technology. Solution is to use a browser like Brave which can block ads and trackers.

  4. Anonymous or not by freeze128 · · Score: 1

    Unless you're buying illicit drugs or something, who cares? And if you are, shame on you! You should have been more discreet.

    1. Re:Anonymous or not by Angst Badger · · Score: 3, Insightful

      Or you're resisting a totalitarian regime that might put you in prison or a labor camp for purchasing an unapproved ebook.

      --
      Proud member of the Weirdo-American community.

    2. Re: Anonymous or not by Anonymous Coward · · Score: 0

      And which ebook is currently hated enough to censor it? It's for a friend.

    3. Re: Anonymous or not by Wootery · · Score: 1

      You're really going to try to deny the existence of totalitarian regimes, rather than concede the point? Classy.

    4. Re:Anonymous or not by Anonymous Coward · · Score: 0

      Or you were born before or close to the WWII period and have a deeply ingrained hatred for Nazi fascism. We absolutely despise government snooping on honest citizens.

    5. Re:Anonymous or not by gurps_npc · · Score: 1

      Let's see who cares:

      1) Gay people in countries where homosexuality is not protected.

      2) Anyone in a totalitarian government - even if you are a supporter, they can't be trusted.

      3) Pregnant teenagers that are terrified of their parents finding out (which they do when the web browser starts showing ads for diapers), before they decide what to do.

      4) Anyone that doesn't like being teased, laughed at or insulted.

      Basically, privacy is an essential right, more important than the right to bear arms or the right for you to go around being self-righteous and judging everyone else.

      --
      excitingthingstodo.blogspot.com

    6. Re:Anonymous or not by Anonymous Coward · · Score: 0

      Or you're resisting a totalitarian regime that might put you in prison or a labor camp for purchasing an unapproved ebook.

      If you're already risking retaliation by the government for reading the ebook why the hell would you pay for it instead of pirating it?

    7. Re:Anonymous or not by Anonymous Coward · · Score: 0

      Today it's illicit drugs they buy. Tomorrow it's black market clothing, and music that are all on the censored list; shame on them.

  5. Theoretically all BTC transactions can be ID'ed by Anonymous Coward · · Score: 1

    We are just seeing a few of the cases here; eventually bitcoin usage will be individually identifiable in all cases, and governments and big corporations will be happy to look at your block chain and see all you have done.

  6. Doesn't surprise me... by __aaclcg7560 · · Score: 2

    From what I read in "Chaos Monkeys: Obscene Fortune and Random Failure in Silicon Valley" by Antonio Garcia Martinez, Facebook takes its own data and combines it with third-party data to create profiles on every user, whether logged in or browsing anonymously. If Facebook can do that, everyone else can do the same thing.

    1. Re:Doesn't surprise me... by Anonymous Coward · · Score: 1

      Here's the link, minus the obfuscated Amazon affiliate link!

      Chaos Monkeys: Obscene Fortune and Random Failure in Silicon Valley

      Naughty, naughty, Chris!

    2. Re:Doesn't surprise me... by Anonymous Coward · · Score: 0

      I shouldn't even have bothered... Your thing doesn't even work....

      404 File Not Found
      The requested URL (=http://amzn.to/2vfOshh) was not found.

      If you feel like it, mail the url, and where ya came from to help@slashdot.org.

      FAIL

    3. Re:Doesn't surprise me... by __aaclcg7560 · · Score: 1

      I shouldn't even have bothered... Your thing doesn't even work....

      Looks like I need to strip out the extra crap that Slashdot puts into their links in my scraping script. Thanks for pointing this out!

    4. Re:Doesn't surprise me... by Anonymous Coward · · Score: 0

      Here's the link, minus the Amazon affiliate link!

      Chaos Monkeys: Obscene Fortune and Random Failure in Silicon Valley

    5. Re: Doesn't surprise me... by Anonymous Coward · · Score: 0

      You can hear a nice interview with that author on WNYC's Note-to-Self podcast with Manoush Zomorodi here:
      http://www.npr.org/podcasts/452538677/note-to-self
      Scroll down to March 22nd, 2017.
      IIRC, in that podcast or another one also on NTS, ProPublica talk about their Chrome add-on that can reveal stuff about your fb profile that affects what ads you see. Apparently fb will get data about your mortgage and other credit info from 3rd party suppliers to attach to your profile for bespoke audience targeting for advertisers.

    6. Re:Doesn't surprise me... by Anonymous Coward · · Score: 0

      Here's the link minus the price tag.

    7. Re:Doesn't surprise me... by swillden · · Score: 1

      If Facebook can do that, everyone else can do the same thing.

      Er, "If Facebook can do X, so can everyone else" doesn't follow. At all.

      --
      Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.

    8. Re:Doesn't surprise me... by __aaclcg7560 · · Score: 1

      Er, "If Facebook can do X, so can everyone else" doesn't follow. At all.

      It helps not to overthink it. I certainly don't with my comments. ;)

    9. Re: Doesn't surprise me... by __aaclcg7560 · · Score: 1

      You can hear a nice interview with that author on WNYC's Note-to-Self podcast with Manoush Zomorodi here:

      Thanks for the reference! I'll check it out.

    10. Re:Doesn't surprise me... by swillden · · Score: 1

      Er, "If Facebook can do X, so can everyone else" doesn't follow. At all.

      It helps not to think. I certainly don't with my comments. ;)

      FTFY.

      --
      Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.

  7. Hummmmm..... by Anonymous Coward · · Score: 0

    Just pair with a couple of exchanges between crypto-currencies, like bcoin to ether to zcash and to whatever crypto-currency on the up and up at the time and then purchase what you want with the final wallet you transferred? Will be harder to go forensics on the blockchain if it's spread between several.

    1. Re:Hummmmm..... by paolo.redaelli · · Score: 1

      Well, actually ZCash has by design "real" anonymous transactions. Of course they claim it, but I haven't the skills to really check it out.

  8. Maybe I'm missing something, but... by Anonymous Coward · · Score: 0

    ...this seems a lot like saying "If someone sees your face when you buy things with cash, they might be able to identify you".

    1. Re: Maybe I'm missing something, but... by Anonymous Coward · · Score: 0

      Not everyone is good at remembering strangers' faces unless the stranger has a distinctive feature.

  9. Fucking idiots ... by Anonymous Coward · · Score: 0

    Based on tracking cookies, the transaction can be linked to the user's activities across the web.

    If you think you're being clever and using anonymous cryptocurrency, and you're too goddamned fucking stupid to not be blocking 3rd party tracking shit, then you're too fucking stupid to deserve privacy or anonymity.

    Having web browsers trust any asshole of a 3rd party site to set cookies or run scripts is the dumbest fucking in terms of security.

    Sorry, but this is just self inflicted fucking idiocy.

    The average website calls out to a slew of companies who do nothing but track you and sell you ads ... if you don't know how to block this shit, don't whine when you learn that being tracked by dozens of sites wherever you go pretty much invalidates any form of privacy you think you have.

    1. Re:Fucking idiots ... by Waffle Iron · · Score: 3, Funny

      You are aware that companies are using advanced AI to individually identify anonymous Internet posters by analyzing the unique patterns of expletives that each uses in their messages?

    2. Re:Fucking idiots ... by Anonymous Coward · · Score: 1

      Won't work, especially if You are aware that companies are using advanced AI to individually identify anonymous Internet posters by analyzing the unique patterns in their messages?

    3. Re:Fucking idiots ... by Anonymous Coward · · Score: 0

      If you're too goddamned fucking stupid to not be aware that companies are using advanced AI to individually identify anonymous Internet posters by analyzing the unique patterns of expletives that each uses in their messages, then you're too fucking stupid to deserve privacy or anonymity.

    4. Re:Fucking idiots ... by Anonymous Coward · · Score: 0

      That's why I'm using a fucking A.I. browser plugin that randomly inserts fucking expletives in an abso-fucking-lutely random fucking way.

    5. Re:Fucking idiots ... by Anonymous Coward · · Score: 0

      You are aware that companies are using advanced AI to individually identify anonymous Internet posters by analyzing the unique patterns of expletives that each uses in their messages?

      Ffffuuuuuuuuuuuuccckkk!11z!!!!10ne11!

  10. Lightning network will alleviate this somewhat. by Anonymous Coward · · Score: 0

    like the title says..

  11. Re:LOL by Anonymous Coward · · Score: 0

    Bitcoin was never intended to be anonymous. That's the only part you have wrong.

  12. And so, for a practical use by Lorens · · Score: 1

    Will they be able to use this to track down the authors of the DAO hack that prompted the split of Ether into Classic/Not Classic, or of any of the other recent mediatized multi-million dollar thefts?

  13. For something that claims anonymity as a feature by duke_cheetah2003 · · Score: 1

    ...it's completely not a feature. Quite the opposite. Everything is tracked, anyone can see what anyone else is doing. Associating wallets with real life people is not especially difficult.

  14. Re:For something that claims anonymity as a featur by pD-brane · · Score: 1

    Exactly, which is why knowledgeable users of Bitcoin do not claim anonymity as a feature of Bitcoin. Moreover, Bitcoin itself cannot claim anonymity, it simply has not the property of being anonymous. A red car has the property of being red; it cannot claim that it is blue or red.

  15. Re:For something that claims anonymity as a featur by ArsenneLupin · · Score: 1

    A red car has the property of being red; it cannot claim that it is blue or red.

    But it can claim to be green, unless it's a Volkswagen...

  16. Anonymity in Bitcoin by DrYak · · Score: 1

    Anonymity has never been a target for bitcoins.
    In fact it's even the contrary, by design.

    The whole point of bitcoin is having no central authority. There's no single central "BitCoin Inc." company that handles the transactions and decides which are valid or not (as opposed to PayPal and all the controversies surrounding blocked funds and transactions - which were among the reasons for some of bitcoin's popularity).

    The bitcoin protocol achieves that by distributing the "ledger of all transactions" - the blockchain - among all nodes on the network, and by counting on the agreement of the network majority to decide the validity of transactions.
    That means that every single node on the network, by design to achieve this distributed control, must imperatively have a local copy of all transactions on the network.

    The only thing is that bitcoin is *pseudonymous* - the transactions aren't signed with your Real Identity, they are signed with cryptographic key pairs of which you control the private part.
    Meaning that mapping which transaction is done by whom isn't necessarily obvious.

    But of course, if one of the dozens of trackers present in the shops (ad tracker, content optimizer, strategic clients managers, etc.) detects you when you do your buying, chances are high that even these 3rd parties will be able to map transactions in the blockchain (done with a certain public key) with your detected identity.
    (Of course the shops themselves need to do that by design - they need to know you paid and they need to have an address where to send your goods to).

    Of course a government has even more means to achieve this kind of unmasking.

    --
    "Sufficiently advanced satire is indistinguishable from reality." - [Tips: 1DrYakQDKCQ6y52z6QbnkxHXAocMZJE61o ]

  17. TOLD YA by Anonymous Coward · · Score: 0

    This has ALWAYS been possible with bitcoin because it has a LEDGER of every transaction you make. That is exactly why it specifically says on the BitCoin web site that it's NOT anonymous.