Slashdot Mirror

← Back to Stories (view on slashdot.org)

Third Party Trackers On Web Shops Can Identify Users Behind Bitcoin Transactions (helpnetsecurity.com)

Posted by BeauHD on from the breadcrumbs-trail dept.

An anonymous reader quotes a report from Help Net Security: More and more shopping websites accept cryptocurrencies as a method of payment, but users should be aware that these transactions can be used to deanonymize them -- even if they are using blockchain anonymity techniques such as CoinJoin. Independent researcher Dillon Reisman and Steven Goldfeder, Harry Kalodner and Arvind Narayanan from Princeton University have demonstrated that third-party online tracking provides enough information to identify a transaction on the blockchain, link it to the user's cookie and, ultimately, to the user's real identity. "Based on tracking cookies, the transaction can be linked to the user's activities across the web. And based on well-known Bitcoin address clustering techniques, it can be linked to their other Bitcoin transactions," they noted. "We show that a small amount of additional information, namely that two (or more) transactions were made by the same entity, is sufficient to undo the effect of mixing. While such auxiliary information is available to many potential entities -- merchants, other counterparties such as websites that accept donations, intermediaries such as payment processors, and potentially network eavesdroppers -- web trackers are in the ideal position to carry out this attack," they pointed out.

28 of 63 comments (clear)

  1. Bitcoin = least secure transaction of all by Anonymous Coward · · Score: 3, Informative

    The only benefit of Bitcoin is that it's a pyramid scheme.

    1. Re:Bitcoin = least secure transaction of all by JcMorin · · Score: 1

      Bitcoin does not have an issue with the protocol. I can't forge a transaction that will seal your balance like you could with a check. The "fraud" we see is more like, if I hack your computer or your phone, I can use that to sign a valid transaction without your consent... it's more a security issue than a protocol problem. The transactions are very secure, there are millions/billions moving every day.

  2. Shipping Address? by Anonymous Coward · · Score: 5, Informative

    And they've really got you when you enter your name and shipping address.

    1. Re:Shipping Address? by Anonymous Coward · · Score: 3, Funny

      That's why I have all my deliveries sent to my neighbor and then I burglarize their house as soon as I get the delivery notification.

    2. Re:Shipping Address? by sthomas · · Score: 3, Funny

      YOU get the notification?!? GOTCHA!!

    3. Re:Shipping Address? by ChatHuant · · Score: 1

      YOU get the notification?!? GOTCHA!!

      Well, obviously, he also intercepts the neighbor's e-mail - I mean, doesn't everybody?

    4. Re:Shipping Address? by Anubis+IV · · Score: 1

      There seems to be this common misconception among the general population that Bitcoin is anonymous in the same way that cash is. What people don't realize is that it's pseudonymous, not anonymous, and that if you allow the veil to be lifted for even one transaction, legal or otherwise, then every transaction you make, legal or otherwise, can be traced back to you. Oh, and everyone's entire history of transactions is publicly accessible too, so if your pseudonym is pierced, anyone and everyone can see who you've done business with.

      At least with credit cards that data is only in the hands of the credit card processors and the people willing to pay them for that info. It's not a good situation by any means, but I'll take it over Bitcoin.

  3. Anonymous or not by freeze128 · · Score: 1

    Unless you're buying illicit drugs or something, who cares? And if you are, shame on you! You should have been more discreet.

    1. Re:Anonymous or not by Angst+Badger · · Score: 3, Insightful

      Or you're resisting a totalitarian regime that might put you in prison or a labor camp for purchasing an unapproved ebook.

      --
      Proud member of the Weirdo-American community.
    2. Re: Anonymous or not by Wootery · · Score: 1

      You're really going to try to deny the existence of totalitarian regimes, rather than concede the point? Classy.

    3. Re:Anonymous or not by gurps_npc · · Score: 1

      Let's see who cares:

      1) Gay people in countries where homosexuality is not protected.

      2) Anyone in a totalitarian government - even if you are a supporter, they can't be trusted.

      3) Pregnant teenagers that are terrified of their parents finding out (which they do when the web browser starts showing ads for diapers), before they decide what to do.

      4) Any one that doesn't like being teased, laughed at or insulted.

      Basically, privacy is an essential right, more important than the right to bear arms or the right for you to go around being self-righteous and judging everyone else

      --
      excitingthingstodo.blogspot.com
  4. Theoretically all BTC transactions can be ID'ed by Anonymous Coward · · Score: 1

    We are just seeing a few of the cases here; eventually bitcoin usage will be individually identifiable in all cases, and governments and big corporations will be happy to look at your block chain and see all you have done.

  5. Doesn't surprise me... by __aaclcg7560 · · Score: 2

    From what I read in "Chaos Monkeys: Obscene Fortune and Random Failure in Silicon Valley" by Antonio Garcia Martinez, Facebook takes its own data and combines it with third-party data to create profiles on every user, whether logged in or browsing anonymously. If Facebook can do that, everyone else can do the same thing.

    1. Re:Doesn't surprise me... by Anonymous Coward · · Score: 1

      Here's the link, minus the obfuscated Amazon affiliate link!

      Chaos Monkeys: Obscene Fortune and Random Failure in Silicon Valley

      Naughty, naughty, Chris!

    2. Re:Doesn't surprise me... by __aaclcg7560 · · Score: 1

      Corrected URL: "Chaos Monkeys: Obscene Fortune and Random Failure in Silicon Valley"

    3. Re:Doesn't surprise me... by __aaclcg7560 · · Score: 1

      I shouldn't even have bothered... Your thing doesn't even work....

      Looks like I need to strip out the extra crap that Slashdot puts into their links in my scraping script. Thanks for pointing this out!

    4. Re:Doesn't surprise me... by swillden · · Score: 1

      If Facebook can do that, everyone else can do the same thing.

      Er, "If Facebook can do X, so can everyone else" doesn't follow. At all.

      --
      Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
    5. Re:Doesn't surprise me... by __aaclcg7560 · · Score: 1

      Er, "If Facebook can do X, so can everyone else" doesn't follow. At all.

      It helps not to overthink it. I certainly don't with my comments. ;)

    6. Re: Doesn't surprise me... by __aaclcg7560 · · Score: 1

      You can hear a nice interview with that author on WNYC's Note-to-Self podcast with Manoush Zomorodi here:

      Thanks for the reference! I'll check it out.

    7. Re:Doesn't surprise me... by swillden · · Score: 1

      Er, "If Facebook can do X, so can everyone else" doesn't follow. At all.

      It helps not to think. I certainly don't with my comments. ;)

      FTFY.

      --
      Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
  6. Re:Fucking idiots ... by Waffle+Iron · · Score: 3, Funny

    You are aware that companies are using advanced AI to individually identify anonymous Internet posters by analyzing the unique patterns of expletives that each uses in their messages?

  7. Re:Fucking idiots ... by Anonymous Coward · · Score: 1

    Won't work, especially if You are aware that companies are using advanced AI to individually identify anonymous Internet posters by analyzing the unique patterns in their messages?

  8. And so, for a practical use by Lorens · · Score: 1

    Will they be able to use this to track down the authors of the DAO hack that prompted the split of Ether into Classic/Not Classic, or of any of the other recent mediatized multi-million dollar thefts?

  9. For something that claims anonymity as a feature by duke_cheetah2003 · · Score: 1

    ...it's completely not a feature. Quite the opposite. Everything is tracked, anyone can see what anyone else is doing. Associating wallets with real life people is not especially difficult.

  10. Re:For something that claims anonymity as a featur by pD-brane · · Score: 1

    Exactly, which is why knowledgeable users of Bitcoin do not claim anonymity as a feature of Bitcoin. Moreover, Bitcoin itself cannot claim anonymity, it simply has not the property of being anonymous. A red car has the property of being red; it cannot claim that it is blue or red.

  11. Re:For something that claims anonymity as a featur by ArsenneLupin · · Score: 1

    A red car has the property of being red; it cannot claim that it is blue or red.

    But it can claim to be green, unless it's a Volkswagen...

  12. Anonymity in Bitcoin by DrYak · · Score: 1

    Anonymity has never been a target for bitcoins.
    In fact it's even the contrary, by design.

    The whole point of bitcoin is having no central authority. There's no single central "BitCoin Inc." company that handles the transactions and decide which are valid or not (as opposed to PayPal and all the controversies surrounding block funds and transactions - which were among the reasons of some of bitcoins popularity).

    The bitcoin protocol achieves that by distributing the "ledger of all transaction" - the blockchain - among all node on the network, and on counting on the agreement of the network majority to decide the validity of transaction.
    That means that every single node on the network, by design to achieve this distributed control, must imperatively have a local copy of all transactions on the network.

    The only thing is that bitcoin is *pseudonymous* - the transaction aren't signed with your Real Identity, they are signed with cryptographic key pairs on which you control the private part.
    Meaning that mapping which transaction is done by whom isn't necessarily obvious.

    But of course, if one of the dozens of tracker present in the shops (ad tracker, content optimizer, strategic clients managers, etc.) detects you when you do your buying, chances are high that even these 3rd party will be able to map transaction in blockchain (done with a certain public key) with your detected identy.
    (Of course the shop themselves need to do that by design - they need to know you paid and they need to have an address where to send your goods to).

    Of course a government has even more means to achieve this kind of unmasking.

    --
    "Sufficiently advanced satire is indistinguishable from reality." - [Tips: 1DrYakQDKCQ6y52z6QbnkxHXAocMZJE61o ]
  13. Re:Hummmmm..... by paolo.redaelli · · Score: 1

    Well, actually ZCash has by design "real" anonymous transactions. Of course they claim it, but I haven't the skills to really check it out