Last week, security journalist Brian Krebs reported on a U.S. Treasury Department finding. The Treasury found that TOR nodes account for a large percent of online banking fraud.
I found this report to be startling. I wasn’t surprised that TOR was being used for fraud. Rather, I was stunned that, after all these years, the banking industry was not filtering out logins from TOR nodes!
Don’t look at me!
Let’s back up a moment… The purpose of TOR (the onion router) is to mix up the network pathway so that users can be anonymous online. The purpose of logging into anything — a bank, Google, Facebook, or any other online service — is to identify yourself. These are diametrically opposed concepts. You cannot be anonymous and identify yourself at the same time!
There may be some online services where you don’t care about the account and you want to be anonymous. A good example would be a free Yahoo Mail account that some anti-government Chinese citizen wants to access. They are anonymous but also identified for logging into the account. However, online banking is different.
With online banking, it is not a “free account”. The account manages tangable assets (money) and is directly associated with a person (or company). Customers want the bank to know it is them doing legitimate business and not someone else doing fraud.
The only time a user might want to be anonymous when accessing a bank is if the account is for doing something illegal (like money laundering). This way, the bank won’t be able to trace the account to an individual. But then again, no FDIC Insured bank wants that kind of customer. (Let’s leave the fraud to non-insured PayPal accounts.)
Seriously: I cannot think of any legitimate reason to do anonymous online banking. I see no legitimate reason to access your bank account using TOR.
Safe Web Access
The other thing to remember is that TOR is not a safe online system. Sure, nobody can trace the network connection from the web client to the web server, but that doesn’t mean it is safe. Specifically, you (the TOR user) do not know who owns each TOR exit node and you have no idea what they are doing to your data.
In effect, if you use TOR then you should assume that (1) nobody knows it is you, and (2) someone is watching and recording what you do. Logging into your bank, or anywhere else, is really a bad idea for TOR users. Knowing this, it strikes me that banks are being intentionally ignorant to permit logins from TOR nodes. This majority of banking fraud should have been stopped years ago.
Filtering by Network
I have previously written about various ways to detect proxies. There are two fast and easy ways to detect proxy users: network and application filtering.
The first way focuses on the network address. The folks at the Tor Project actually have an FAQ entry for online services that want to block TOR. They even provide the list of known TOR nodes! At this point, the web server can look at every login request and check if the client’s network address is the same as a known TOR node. If it is, then they can block the request. (And if the login was valid, the bank can even block all login access to the account since the account has been compromised.)
Keep in mind: TOR is not the only proxy network out there. There are dozens of free lists of open proxies. (And even more fee-based lists.) There are also a couple of DNS-blacklist systems that identify known proxy addresses. And then there are network-based geo-location databases — most have some subnets identified as known proxy networks. Banks could even use the geo-location information to identify likely fraud. For example, if I last logged in from Colorado and then, minutes or hours later, appear to come from Europe, then my account has likely been compromised.
If banks really wanted to be proactive, then they would also identify Starbucks, McDonalds, Holiday Inn, and other major free-Internet providers and add them to the “no login” list. Users should never check their bank accounts from a free Internet service.
Filtering by Application
While network filtering will identify known addresses that denote proxy systems, there are always other proxies that are not found on any list.
Beyond looking at network addresses, services can detect proxies by looking at the web traffic’s HTTP header. Many proxy systems add in their own HTTP headers that denote a network relay. If any of these proxy headers exist, then the server should reject the login.
The biggest problem with HTTP headers is that there is no consistent method to identify a web proxy. Some relays add in an HTTP “VIA” header. Others may use “FORWARDED”, “FORWARDED-FOR”, “HTTP_CLIENT_IP”, “X-PROXY-ID” or similar header fields. My own FotoForensics system currently looks for over a dozen different HTTP headers that denote some kind of proxy network connection. While some of these proxy networks may be acceptable for online banking (e.g., “X-BlueCoat-Via” or “Client-IP”), others should probably be blacklisted.
Being proactive is not a crime
There are many viable uses for proxy networks. However, there are also times when using a proxy is a really bad idea. Banks should be utilizing all of these proxy detection methods. They should be ensuring that the network address is not part of a known proxy system. And they should be proactively trying to identify and reduce fraud.
Of course, some people may tell you that online banking through TOR is safe if you use HTTPS. However, that really isn’t true. Anyone who has seen the Defcon Wall of Sheep knows that HTTPS is easy to compromise if you control the network. Remember: SSL is a security placebo and not an actual security solution.
Before I began focusing on forensic tool development, I did a lot of forensic analysis for corporations. I always thought it was ironic when the corporate lawyers would give me very specific directions, like: “We want to know exactly what happened on this computer. Who did what and when. And whatever happens, we do not want you to look at that computer over there!” With corporate attorneys, if they know about something then they must act on it. But if they don’t explicitly know, then they don’t have to do anything about it. By not looking at the problem, they could always claim ignorance.
This entire “TOR used for bank fraud” situation has a similar feel. It is as if the banks want to claim ignorance rather than addressing the problem. But in this case, the entire industry has known for years that TOR is commonly used for online criminal activity. And we have long known that easy banking access facilitates fraud. In this case, not blocking TOR users really looks to me like intentional criminal negligence.