In a non-public report, the Department of Treasury revealed that an increasing number of hackers are using the Tor network to maintain their anonymity. Surprise surprise! After all, Tor is one of the biggest online anonymity services. So the government is suggesting (again) that blocking Tor would keep hackers away though. And, while that might be true, it’s also shady.
The report came from the Financial Crimes Enforcement Network (FinCEN), a Treasury Department bureau responsible for analysing financial crimes and whatnot. It’s based on real data from 6048 suspicious activity reports (SARs) from attacks between 2001 and 2014. And here’s the kicker: “In the majority of the SAR filings, the underlying suspicious activity — most frequently account takeovers — might have been prevented if the filing institution had been aware that their network was being accessed via Tor IP addresses.” Hint hint wink wink nudge nudge.
Is the Treasury Department demanding that banks should block Tor IP addresses? No, not directly. But that’s a very logical conclusion for a frightened bank to draw after reading this report. It’s a message that’s both between the lines, and in all caps.
Blocking Tor users from doing certain things on the web is not unheard of, but that doesn’t mean it’s OK. Tor users, for instance, can’t edit Wikipedia articles or access Yelp pages. In both of these cases, one can only assume the measure was taken to prevent some sort of horrific troll takeover. When it comes to something like online banking, though, blocking Tor could do more harm than good.
It’s a bit of a Catch 22. “If you treat Tor as hostile, you cause collateral damage to real users, while the scum use many easy workarounds. If you treat Tor as benign, the scum come flowing through,” Nicholas Weaver, a researcher at the International Computer Science Institute (ICSI), told Brian Krebs, who obtained the Treasury report. “For some sites, such as Wikipedia, there is perhaps a middle ground. But for banks? That’s another story.”
Banning Tor will probably harm well intentioned users more than it will keep malicious hackers out. If hackers can’t get in using Tor, they will find something else. Those who are simply trying to protect their privacy will just get screwed.
Picture: Shutterstock / Tor