The majority of bank account hijackings over the past decade used the Tor privacy service to hide thieves' locations, according to a US Treasury Department report obtained by KrebsOnSecurity reporter Brian Krebs.
The non-public report said the heists could have been prevented had financial institutions noticed that the accounts were being accessed over Tor IP addresses, according to an article Krebs published Friday. The report, which was produced by the Financial Crimes Enforcement Network, was based on a review of so-called suspicious activity reports (SARs) filed by banks. Krebs wrote:
"Analysis of these documents found that few filers were aware of the connection to Tor, that the bulk of these filings were related to cybercrime, and that Tor-related filings were rapidly rising," the report concluded. "Our BSA [Bank Secrecy Act] analysis of 6,048 IP addresses associated with the Tor darknet found that in the majority of the SAR filings, the underlying suspicious activity—most frequently account takeovers—might have been prevented if the filing institution had been aware that their network was being accessed via Tor IP addresses."
At first blush, the data appears to make a strong case that banks should block connections made over Tor, or at least subject them to extra scrutiny. Krebs said it's not that simple. For one thing, the approach would be unlikely to provide a lasting benefit, since criminals have other resources besides Tor for covering their tracks. Additionally, banking restrictions on Tor could harm the privacy service. Restrictions already in place against Tor pose an existential threat to its users and threaten to wall them off in a silo separate from non-private IP addresses. Tor users, for instance, are prevented from editing Wikipedia articles, and Google often subjects them to additional CAPTCHAs when performing searches.
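The "extra scrutiny rather than a block" option described above can be implemented as a login risk check that matches the source address against a Tor exit-node list and escalates to step-up authentication instead of refusing the session. The following is an added illustration, not code from the article, from Krebs, or from the Treasury report; the exit addresses, account names and login events are constructed for the example, and the file format mirrors the Tor Project's public bulk exit list (one address per line), which a real deployment would refresh frequently because exit nodes change.

```python
import ipaddress
from collections import Counter

# Constructed Tor exit-node list in the one-address-per-line format of the
# Tor Project's bulk exit list (https://check.torproject.org/torbulkexitlist).
# The addresses below are documentation ranges, not real exit nodes.
TOR_EXIT_LIST = """\
# Tor exit addresses (constructed sample)
198.51.100.7
198.51.100.23
203.0.113.91
"""

# Constructed login events: account id, source IP, and whether the device
# is already enrolled (known) for that account.
LOGIN_EVENTS = [
    {"account": "acct-1001", "ip": "192.0.2.44",    "known_device": True},
    {"account": "acct-1001", "ip": "198.51.100.7",  "known_device": False},
    {"account": "acct-2002", "ip": "203.0.113.91",  "known_device": True},
    {"account": "acct-3003", "ip": "198.51.100.23", "known_device": False},
    {"account": "acct-3003", "ip": "198.51.100.7",  "known_device": False},
]


def parse_exit_list(text):
    """Parse an exit list into a set of ip_address objects, skipping comments."""
    exits = set()
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        exits.add(ipaddress.ip_address(line))
    return exits


def assess_login(event, tor_exits):
    """Decide how to treat one login.

    Tor is treated as a risk signal, not a reason to refuse service:
    a Tor login from a device the customer has used before is allowed but
    flagged for monitoring; a Tor login from an unknown device must pass
    step-up authentication before the session is granted.
    """
    ip = ipaddress.ip_address(event["ip"])
    via_tor = ip in tor_exits
    if not via_tor:
        return {"decision": "allow", "via_tor": False}
    if event["known_device"]:
        return {"decision": "allow_monitor", "via_tor": True}
    return {"decision": "step_up", "via_tor": True}


def tor_summary(events, tor_exits):
    """Count Tor-sourced logins per account, the kind of figure an
    investigator would want when preparing a suspicious activity report."""
    counts = Counter()
    for event in events:
        if assess_login(event, tor_exits)["via_tor"]:
            counts[event["account"]] += 1
    return dict(counts)


if __name__ == "__main__":
    exits = parse_exit_list(TOR_EXIT_LIST)
    for event in LOGIN_EVENTS:
        print(event["account"], event["ip"], assess_login(event, exits)["decision"])
    print("Tor logins per account:", tor_summary(LOGIN_EVENTS, exits))
```

The decision table is the point: the same lookup that would power a hard block instead feeds a step-up challenge, which preserves the fraud signal the report says institutions were missing while leaving legitimate Tor users able to bank once they pass the extra check.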