U.S. Treasury Department Report Re-affirms Imperva Messaging about Tor

IStock_000018948558Small

As reported by KrebsOnSecurity, a recently released Treasury Department report details the risks to banks of allowing anonymous Internet connections to financial applications.  The report then goes on to recommend that banks should block connections that are anonymous, namely Tor.

One of the most prolific techniques that hackers use to anonymize their connections is through The Onion Router (TOR) protocol. Tor was originally developed by the U.S. Navy as a way to extract information sent by intelligence operatives from hostile territories.  In addition to utilizing encryption to keep the data confidential, the protocol also enables perfect-forward-secrecy.  This ensures the sender’s identity is shielded from being exposed.  Tor behaves as a network identity cloak, and obscures the client from the server by wrapping layers of encryption and requests around the original request. The intention of this Tor feature was to protect the sender (usually intelligence operatives) in case the message was intercepted and decrypted.

With military-grade anonymizing technology available, it’s no wonder hackers and fraudsters are drawn to use Tor to commit acts of malfeasance.  The Treasury Department report makes a decent attempt at correlating use of Tor with online fraud.  In the report, Financial Crimes Enforcement Network (FinCEN) analyzed 6,048 suspicious activity reports over a 13 year period.  These reports were filed from a variety of financial service industries, ranging from banks to money exchanges to pre-paid credit cards. In that analysis, FinCEN determined that about 16% of the reported cybercrime came from Tor nodes.  In more recent filings, a trend is becoming evident.  Tor is used in the majority of Account Take Over (ATO) heists. In fact, the variety of crime and fraud coming from Tor nodes reads like a crime novel. According to Krebs, the report breaks down the type of crime committed and clearly shows that almost every type of cybercrime is represented:

cybercrime-list
Source: KrebsOnSecurity, Treasury Dept: Tor a Big Source of Bank Fraud, December 5, 2014

One would think that the banks have highly intelligent security infrastructure to easily block traffic coming from Tor. Surprisingly, of the filers, 97% of them did not know the transactions came from Tor nodes.

cybercrime-list2
Source: KrebsOnSecurity, Treasury Dept: Tor a Big Source of Bank Fraud, December 5, 2014

What may seem like old, historical research into incident data is actually an emerging trend and the numbers back that up.  Between March 1, 2013 and July 11, 2014 filings rose by 100%, and they were up by 50% for the previous five years.

So why wouldn’t admins want to just block all Tor traffic coming into their network?  If only it were that easy.  Here’s why it can be a challenge for organizations to outright block Tor:

  • The way Tor is designed makes it an ever-changing, elusive network.  Every second of every day, Tor exit nodes (places where traffic leaves the Tor network and enters onto the public Internet) come and go.  If you tried to make a list of all the bridges and nodes in Tor, your list will be outdated before you can finish it.  Asking a network admin to block something that frequently changes its address is problematic – impossible in most security products.
  • Tor has legitimate uses, for example victims of domestic violence that want to remain protected.  People who want to maintain their privacy from advertisers, the NSA, their ISP, or government censors use Tor. Additionally, activists, journalists and regular citizens use Tor for web browsing.
  • Big players are involved with Tor, such as Google, the Electronic Frontier Foundation, U.S. International Broadcasting Bureau, Internews, and Human Rights Watch, all of whom were early financers.  Recently, Facebook announced direct Tor connections into their network, allowing users to use Facebook via Tor.

For years, Imperva has been ringing the alarm bell on Tor.  We realized the risks and developed a sophisticated method for controlling what actions Tor users can do on our customers’ web-facing applications.  By taking into account the fact that a lot of fraud originates from Tor, but organizations may not want to block Tor entirely, SecureSphere allows admins to identify which clients are using Tor, and subsequently take appropriate action.  The Tor nodes list is maintained by our Application Defense Center (ADC) and is delivered to customers via our up-to-date ThreatRadar feed. Once the feed is integrated, admins can reference it from complex Security Policies to directly mitigate cybercrime without blocking legitimate users. Some risks that can be mitigated and the example Security Policies used include:

  • Account Take Over (ATO) –Allow Tor users to browse the site, but block Tor users from changing the password on the users account
  • Credit Card Fraud- Allow Tor users to browse the website and add items to the shopping cart, but block Tor users from making purchases with a credit card
  • Identity Theft- Allow Tor users to use the site and login, but do not allow Tor users to view the User Details page

With Imperva ThreatRadar, companies have the data necessary to identify users on Tor.  By using SecureSphere, organizations have the tools to control the risks associated with those users.  Now that the Treasury Department has come out and publically warned banks to identify and mitigate Tor based cybercrime, it will be easier for SOC teams to get their organizations on-board with our message – control Tor traffic.

Sources

(1)    KrebsOnSecurity:  http://krebsonsecurity.com/2014/12/treasury-dept-tor-a-big-source-of-bank-fraud/

TOR:  http://en.wikipedia.org/wiki/Tor_%28anonymity_network%29