Banking, phishing and the UK's retention of ICRs

Discussion in 'privacy technology' started by deBoetie, Dec 13, 2016.

  1. deBoetie

    deBoetie Registered Member

    Joined:
    Aug 7, 2013
    Posts:
    1,832
    Location:
    UK
    Humour me a little with this one - is anyone aware of any utilities to randomly issue traffic to a variety of banking sites (or sites on a list) to obfuscate your real one? Or will I have to write one - pretty easy?

    Thing is, the UK's Investigatory Powers Act demands that your ISP retains records for 12 months, of all your website "connections" (ICRs). These records are accessible to a huge number of people, and in my opinion, it is only a matter of time before they are compromised and the data made available on the black market to malicious actors.

    The particular threat I see is that it will be obvious which banking site(s) I use, and therefore much easier to conduct phishing or other similar attacks on myself or associates.

    So, if I (programmatically) issue connections to a large range of banking sites on a random and frequent basis, that obfuscation would render this attack void. Thoughts?
     
  2. Yes you can obfuscate your traffic by sending out junk data. It will make it harder to pinpoint your personal websites.

    How effective is this? Not sure honestly. You would have to ask someone who works at a ISP and deals with the collected data.

    One problem I see is that any interested party will just look for successful logins to your bank portal and phish you with that anyway.

    There are other ways to obfuscate your traffic using different applications. Depends on your threat model I guess.
     
  3. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    14,883
    Location:
    Slovenia, EU
    If you decide to obfuscate your traffic that way, make sure the volume is not so high that you would get accused of a DOS attack :)
    Also if you trust any VPN provider more than your ISP, you can use their service when connecting to your bank.
     
  4. deBoetie

    deBoetie Registered Member

    Joined:
    Aug 7, 2013
    Posts:
    1,832
    Location:
    UK
    @ComputerSaysNo - The threat I'm trying to counter is the ICRs, which only log visits to site top domains; they would not (I trust) capture whether or not a successful login had been achieved. Although I think personnel at the ISP are going to be bound by confidentiality and possibly the Official Secrets Act, I do know about ISPs and their technology. Probably the simplest type of thing for them to do will be to use Netflow to create these records if they're not already doing so, and I know about that quite well from a project I created back in 1998.... However, doing that project graphically illustrated to me (very literally, given the sites people liked to go to) the dangers of retaining this kind of data when associated with the subscriber. I never imagined that they would be so ill-advised as to go down this path, but here we are - Empires must be Built.

    @Minimalist - I'm only likely to be hitting the sites at most once a day or maybe longer, hardly DOS - it's only going to fetch the login page and doesn't need to load any scripts or anything else. Probably do 5-ish banking sites a day randomly selected. Point being to ensure that anyone with those records will not then know which out of the normal suspects I actually bank with.

    The problem with VPN with banking sites is that it is prone to trigger their fraud detection systems - quite rightly really.
     
  5. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    14,883
    Location:
    Slovenia, EU
    Yes, you're right, I didn't think this through.
     
  6. deBoetie you are probably being monitored by DPI tools like PACE and NBAR. Maybe they use open source tools like OpenDPI, nDPI, and Libprotoident.

    It's been a while since I played with DPI tools so things might have changed.

    I know you have issues with VPNs but I think it's time to find a few good VPNs which are located near your address.

    VPN exit nodes in the same state or region will pass through anti-fraud measures with banks and even PayPal if the VPN exit node is close in proximity.
     
  7. quietman

    quietman Registered Member

    Joined:
    Dec 27, 2014
    Posts:
    511
    Location:
    Earth .... occasionally
    One would tend to think so , but I tested this and was able to log in to three bank sites from two different "countries" in the space of an hour.
    I expected some contact as a result but there was nothing .
    I was surprised , and slightly alarmed !
     
  8. deBoetie

    deBoetie Registered Member

    Joined:
    Aug 7, 2013
    Posts:
    1,832
    Location:
    UK
    @quietman Perhaps they've fingerprinted your browser or keystroke patterns....

    Or else don't care, they have their seasonal bonus.
     
  9. quietman

    quietman Registered Member

    Joined:
    Dec 27, 2014
    Posts:
    511
    Location:
    Earth .... occasionally
    I tried to assess those and other factors when I first set about this test , and I attempted to eliminate them .

    For each of those banks , the second log-in was :-
    a] From a geo location that I could not possibly have reached within an hour .
    b] On a different machine , different OS / browser , and a different VPN service.

    If that sort of log-in pattern does not get flagged , then what on Earth does it take ?

    Ironically, one of the banks has a button on its website saying "Tell us if you are going away" ....
    It allegedly prevents your foreign card transactions being auto-blocked as "suspicious" .... Hey, great work guys, keep it up!!

    I was intentionally trying to trigger their security systems , and I failed !!

    OK ... that I can agree with :)
     
  10. deBoetie

    deBoetie Registered Member

    Joined:
    Aug 7, 2013
    Posts:
    1,832
    Location:
    UK
    @quietman - thanks for your work and reporting on it. Useful.

    We can't really be surprised at corporate security negligence - they don't really bear the costs, and certainly not on a personal basis.

    It reminds me of the bad old days of commerce, before there were trading standards, food safety, weights and measures, or health and safety. When they used to put Lead Oxide in bread to make it whiter. But, eventually you could go to jail if you adulterated food or defrauded or misrepresented real-world goods.

    I do not see the equivalent regulation and law in the software or internet realm, the opposite, and I think it will take many decades and much harm to the public before it gets better.
     
  11. quietman

    quietman Registered Member

    Joined:
    Dec 27, 2014
    Posts:
    511
    Location:
    Earth .... occasionally
    Yes, a case in point is the widely reported breach at UK-based Tesco Bank.
    Their statements have stressed the rapid refund to all affected customers , but include no details about the nature of the breach ....
    .... " ongoing criminal investigation ... " ... yada yada

    Getting right back to your original topic , I say yes , do it :)
    At the level you mention I reckon it will be well below the DDoS radar .

    The only downside I can see is that you may get temporarily locked out of some accounts , but on the basis of my own very casual experiments ,
    I would say it's unlikely .

    Edit -Maybe it's worth starting a new thread ..... eg. " Banking security , can we believe them ? "
    ..... I feel that I might have pushed this thread a little off-topic .
     
    Last edited: Dec 16, 2016
  12. deBoetie

    deBoetie Registered Member

    Joined:
    Aug 7, 2013
    Posts:
    1,832
    Location:
    UK
    Good idea - although it may be more a security than privacy thing. I think the banks swallow the fraud to quite a significant % level (and pass the costs onto customers of course, as well as for the QE but we mustn't mention that...)

    I'd want to add, "how come use of 2FA is so limited in banking?" and "how come most of the 2FA is smartphone-based" and "I will never consent to biometric internet authentication with banking (or anything else)".

    As far as the code's concerned, I'll check on Github for anything similar, then publish open-source. I don't think I'd be locked out of anything because I'm not attempting to "do" anything on the sites, just read their login page. Minimal traffic, and any particular site would only have the request every few days I'd imagine. Enough to obfuscate my real visits.
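    The decoy-fetch tool sketched in posts 1, 4 and 12 above, written out as an added example; this is not the poster's code and nothing like it was published in the thread. It assumes the design the posts describe: a handful of randomly chosen sites per day (the "5-ish" figure comes from post 4), one plain fetch of each site's top-level page with no scripts or other sub-resources loaded, random spacing through the day, and a per-site cooldown so the volume stays nowhere near a flood (the two-day cooldown value is my assumption; post 12 says "every few days"). The domain list is a constructed placeholder, not real banks.

```python
"""Decoy-traffic planner for a list of banking login pages (added example).

Design taken from the thread: a few randomly chosen sites per day, a single
fetch of each site's top-level page (no scripts or other sub-resources), random
spacing through the day, and a per-site cooldown so volume stays far below
anything resembling a flood. Domains are constructed placeholders.
"""
import random
import time
import urllib.error
import urllib.request

# Constructed placeholder list (not real banks).
DECOY_SITES = [
    "bank-a.example", "bank-b.example", "bank-c.example", "bank-d.example",
    "bank-e.example", "bank-f.example", "bank-g.example", "bank-h.example",
]

PER_DAY = 5          # "5-ish banking sites a day" (post 4)
COOLDOWN_DAYS = 2    # assumption: any one site at most every couple of days
DAY_SECONDS = 86400


def eligible(sites, last_seen, today, cooldown_days=COOLDOWN_DAYS):
    """Drop sites fetched within the cooldown window.

    `today` and the values in `last_seen` are day ordinals (ints), e.g. from
    datetime.date.today().toordinal().
    """
    return [s for s in sites
            if s not in last_seen or today - last_seen[s] >= cooldown_days]


def pick_sites(candidates, per_day, rng):
    """Random subset of distinct candidates for one day (fewer if short)."""
    return rng.sample(candidates, min(per_day, len(candidates)))


def schedule_offsets(count, rng, day_seconds=DAY_SECONDS):
    """Random, sorted send times (seconds from start of day).

    Uniform draws avoid a fixed cadence, which would itself stand out in
    connection records.
    """
    return sorted(rng.uniform(0, day_seconds) for _ in range(count))


def plan_day(sites, last_seen, today, per_day=PER_DAY,
             cooldown_days=COOLDOWN_DAYS, seed=None, day_seconds=DAY_SECONDS):
    """Pure planning step (no network): [(site, offset_seconds), ...]."""
    rng = random.Random(seed)
    chosen = pick_sites(eligible(sites, last_seen, today, cooldown_days),
                        per_day, rng)
    return list(zip(chosen, schedule_offsets(len(chosen), rng, day_seconds)))


def fetch_login_page(domain, timeout=15):
    """One HTTPS GET of the top-level page. urllib neither parses HTML nor
    follows script/image references, so this is a single connection per site,
    which is all a domain-level connection record would show."""
    req = urllib.request.Request(f"https://{domain}/",
                                 headers={"User-Agent": "Mozilla/5.0"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        resp.read(64 * 1024)   # bounded read, then the connection closes
        return resp.status


def run_day(sites, last_seen, today, seed=None, dry_run=True,
            day_seconds=DAY_SECONDS):
    """Execute one day's plan; updates last_seen and returns the sites hit."""
    hit = []
    elapsed = 0.0
    for site, at in plan_day(sites, last_seen, today, seed=seed,
                             day_seconds=day_seconds):
        time.sleep(at - elapsed)   # wait until this request's slot
        elapsed = at
        if dry_run:
            status = "dry-run"
        else:
            try:
                status = fetch_login_page(site)
            except (urllib.error.URLError, OSError) as exc:
                status = f"error: {exc}"
        last_seen[site] = today
        hit.append(site)
        print(f"{at:8.0f}s  {site:<18} {status}")
    return hit


if __name__ == "__main__":
    # Demo: compress the "day" to 5 seconds and make no real connections.
    seen = {}
    run_day(DECOY_SITES, seen, today=1, seed=42, day_seconds=5)
```

    The planning step is kept separate from the fetch so the selection and spacing can be checked without touching the network. The thread's own caveats still apply: run it from the ordinary home connection, not through a VPN, since post 4 notes that VPN exits tend to trip banks' fraud checks, and keep the list to sites a customer of the same ISP might plausibly visit, otherwise the decoys themselves stand out.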
     
  13. Gmail, Outlook, Facebook and PayPal are the only major sites that use fingerprinting to authenticate users. Most banks don't use fingerprinting.
     