The Fraud Examiner

What Fraud Examiners Need to Know About Tor

Security, Anonymity and Cybercrime

By Jacob Parks, J.D., CFE

November 2014


When criminals use online tools to commit fraud, the investigation often involves looking for whatever digital traces they might have left behind. One of the most important clues in these searches is the Internet Protocol (IP) address. Through subpoenas to service providers, both law enforcement and private parties might be able to match a user’s IP address to an account holder, which can be used as evidence to identify the perpetrator.


However, because of tools like Tor, these clues are not always useful. If IP addresses are the fingerprints of the Internet, then Tor is a pair of gloves. It is a neutral device that can be used for good and evil, and fraud examiners should be aware of its potential effect in investigations.


Like the Layers of an Onion

Tor is software designed to provide users with anonymity and security in some online communications. It also allows them to access certain websites and services on the Deep Web. The U.S. Naval Research Laboratory developed the core concept behind Tor for government agents to send communications anonymously and securely. Later, a group of researchers (with the Navy’s permission) created the Tor Project, which provided free and openly accessible software for private parties and other government agencies to enhance the anonymity and security of their communications. The term Tor derives from the acronym of “the onion router,” which metaphorically compares the layers of an onion to the way in which the network provides layers of encryption to communications.


Users download the Tor Browser, which has basic functions similar to other Internet browsers. It works by sending a user’s online communications, such as a text-based message or a website request, through a network of volunteer computers around the world. Individuals and organizations donate the use of their computers to serve as message “relays.” The messages carry multiple layers of encryption, so the first relay that receives a message knows the sender’s IP address but cannot read the encrypted contents of the message. The first relay also knows only which relay to pass the message on to next.
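To make the “layers of an onion” concrete, here is an added illustrative Python model (not Tor’s own code; it uses a toy SHA-256 keystream cipher and made-up relay keys in place of Tor’s real ciphers and key exchange). The client wraps its message in one layer per relay, and each relay peels exactly one layer, learning only the previous hop and the next hop; only the last relay sees the destination and the message itself.

```python
import hashlib
import json

# Toy stream cipher (SHA-256 in counter mode) standing in for Tor's real ciphers;
# it is here only so that each layer is unreadable without that relay's key.
def toy_cipher(key: bytes, data: bytes) -> bytes:
    stream = b""
    counter = 0
    while len(stream) < len(data):
        stream += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))

def build_onion(relays, destination: str, payload: bytes) -> bytes:
    """Client side: one encryption layer per relay, innermost (exit) layer first."""
    # Only the last relay can read the destination and the message itself.
    layer = {"next": destination, "data": payload.hex()}
    blob = toy_cipher(relays[-1][1], json.dumps(layer).encode())
    # Each earlier layer names only the next hop and carries an opaque inner blob.
    for i in range(len(relays) - 2, -1, -1):
        layer = {"next": relays[i + 1][0], "inner": blob.hex()}
        blob = toy_cipher(relays[i][1], json.dumps(layer).encode())
    return blob

def relay_peel(key: bytes, blob: bytes):
    """One relay removes exactly one layer: (next hop, inner blob or None, plaintext or None)."""
    layer = json.loads(toy_cipher(key, blob).decode())
    if "inner" in layer:
        return layer["next"], bytes.fromhex(layer["inner"]), None
    return layer["next"], None, bytes.fromhex(layer["data"])

def route(relays, destination: str, payload: bytes, sender: str = "client"):
    """Send the onion along the circuit, recording what each relay could observe."""
    blob = build_onion(relays, destination, payload)
    observations, prev, data = [], sender, None
    for name, key in relays:
        nxt, inner, data = relay_peel(key, blob)
        observations.append({"relay": name, "from": prev, "next": nxt,
                             "reads_plaintext": data is not None})
        prev, blob = name, inner
    return observations, data

# Constructed three-hop circuit with made-up relay keys (illustrative values only).
CIRCUIT = [("relay1", b"key-of-relay1"), ("relay2", b"key-of-relay2"), ("relay3", b"key-of-relay3")]

if __name__ == "__main__":
    seen, delivered = route(CIRCUIT, "example.org", b"hello")
    print(seen, delivered, sep="\n")
```

The printed observations show why a subpoena for the IP address seen by the destination (or by any single relay) does not by itself identify the sender.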
