Tor torpedoed! Tesco Bank app won't run with privacy tool installed

UK supermarket giant Tesco's mobile banking app refuses to run on handsets where the Tor app is also installed, it emerged this weekend. Mainframe database admin Marcus Davage revealed the Tesco banking app tells users they must remove the Tor Project's anonymizing Android software to access the supermarket's money services. …

  1. Alumoi Silver badge
    WTF?

    Security risk?

    How the hell is rooting my phone a security risk? It's the first step towards enhancing the security. Without root you can't remove most of the bloatware, can't install a decent firewall and an adblocker.

    And no, I don't want to block apps, I want to remove them.

    Oh, wait, I see it. It's a security risk for the advertisers and tracking companies.

    1. Anonymous Coward
      Linux

      Re: Security risk?

      Running everyday tasks with administrative privileges is a security risk on pretty much any operating system. I know that rooting an Android phone is often the only solution for many annoyances and I understand people who do so, but the above is a fact.

      1. Zakhar

        Re: Security risk?

        Aren't you confusing having a rooted phone with running an app as root?

        1. Lucasjkr

          Re: Security risk?

          How can the bank tell that a phone has been rooted in order to remove factory apps, install ad blockers, etc, versus a phone that was surreptitiously rooted in order to have a key logger installed? And the bank is the one that will take the financial hit if they spot a rooted phone logging in and assume the first but which turns out to be the second...

      2. Alan Thompson

        Re: Security risk?

        Rooting a phone simply re-enables the root/admin function that was removed by the manufacturer/carrier. It is a bit like Dell/HP/Lenovo deciding to disable run-as-administrator on your Windows PC.

        A rooted phone user can then use that run-as (called sudo or su) functionality to better manage and secure their phone. Everyday apps don't run as root any more than Word or Excel do on your PC.

    2. Anonymous Coward
      Terminator

      Trustyness risk!

      Called it.

      Quite surprised how quickly it's happening though... government bureaucracies and all that...

    3. Bob Vistakin
      Big Brother

      Re: Security risk?

      This is but one small step away from the Tesco App not running unless you have a Tesco SIM in your handset.

      1. energystar
        Terminator

        Re: Security risk?

        "...unless you have a Tesco SIM in your [Tesco provided] handset". From your Tesco broadband service.

      2. Charles 9

        Re: Security risk?

        "This is but one small step away from the Tesco App not running unless you have a Tesco SIM in your handset."

        This is a real thing, actually. Many apps are published by cell phone providers. Number 1 requirement? They only work with their SIMs.

    4. a_yank_lurker

      Re: Security risk?

      It sounds like you are confusing privilege escalation as is common in Linux distros with always running as root. The first case is only done for administrative/limited reasons such as installing/removing apps. The second, what is common with Winbloat, allows malware to be installed without user permission because you are at root.

    5. Planty Bronze badge

      Re: Security risk?

      Rooting is absolutely a security risk. Things can occur in the background unknown to you. Ask yourself for a moment, what random tools did you download from the internet to root your phone, did you personally compile them yourself after auditing and understanding what they did.... I think not....

      1. Jeffrey Nonken

        Re: Security risk?

        Didn't run any random apps from the internet to root my phone.

        Yes, rooting is a security risk. So is running garbage apps included with stock ROMs. So is running outdated firmware. Stock on my phone is 5.0.1... Not even the latest Lollipop!

        The only way to be secure is... not to have a phone or computer at all. Do everything in person, in cash, and don't use banks. And even then there are risks.

        A bit ridiculous, but my point is there are no guarantees. Ever.

        Pick your battles, choose a balance between needs and dangers, and don't snark at me because I chose differently.

        Rooting my phone gives me control far beyond the dangers it poses. My choice where the balance is for me. I'm not being reckless.

        Making an uninformed choice is what's reckless.

    6. oneeye

      Re: Security risk?

      They are likely following Google's lead on this, as Android pay won't work on rooted phones either. I don't know about Tor though, that seems a bit much, considering their apps ARE offered in Playstore. I could maybe understand not running the bank app while Tor was in use, but it sounds more like ignorant admin. to me.

  2. Paul Crawford Silver badge

    Best security practice

    Don't use a banking app on Android in the first place.

    Every sane OS is patched at least monthly, if not more often as bugs and security holes are found. Most phones one per year if you are lucky for core OS parts, occasionally more often for app and that often asks for more permissions.

    1. Anonymous Coward
      Anonymous Coward

      Re: Best security practice

      " Most phones one per year if you are lucky for core OS parts"

      for the first 2 years since the phone's release, if you're lucky

      There is no way I'm banking on any phone, any time soon.

      1. Anonymous Coward
        Anonymous Coward

        Re: Best security practice

        My Android phone updates every month, the vendor (not Telco) supplied apps probably more frequently than that. No luck involved, just correct choice of phone vendor.

        That said, I still would not do banking on it.

      2. oiseau
        Stop

        Re: Best security practice

        Hello:

        "There is no way I'm banking on any phone."

        There you go.

        Seems much more sensible to me.

        Of course, YMMV.

        Cheers.

    2. Dave N

      Re: Best security practice

      Tin foil hats at the ready. Not sure where you're getting your information, but I receive an Android security update every 4ish weeks.

      1. Jeffrey Nonken

        Re: Best security practice

        "Tin foil hats at the ready. Not sure where you're getting your information, but I receive an Android security update every 4ish weeks."

        Wow, very patronizing.

        Lucky you. Must be a fairly new phone, possibly a Nexus, or both. Most of us don't get that kind of service, especially on older phones. Current stock ROM for this Galaxy S4 is 5.0.1.

        I mention Nexus because Google is good about updating their phones, which makes sense, but other manufacturers tend to be less assiduous. Possibly you're lucky enough to be hooked up with one of the exceptions.

        Android forum posts suggest it's pretty rare.

    3. Fibbles

      Re: Best security practice

      "Don't use a banking app on Android in the first place.

      Every sane OS is patched at least monthly, if not more often as bugs and security holes are found. Most phones one per year if you are lucky for core OS parts, occasionally more often for app and that often asks for more permissions."

      I don't know where you're getting your info from. I've got a Motorola which received an update to Lollipop and then later Marshmallow. I still regularly receive updates to Marshmallow. The OS also gives me granular control over app permissions; I don't have to allow everything to install an update.

      I'd say modern Android is a pretty secure OS. Of course you're much more likely to get pwned if you're browsing porn sites with it or installing apps from warez.cn but that's true of any OS. Even if someone does gain control of your phone I don't understand your fear of banking apps. The most any attacker would be able to do is view your balance or transfer money to a pre-approved list of recipients. You need to use a separate card reader to authorize anything else.

      To be honest your post is another example of the self-congratulatory Luddite circle-jerk that seems to happen far too often on these forums.

      "Kids using banking apps? Pah! When I was their age we had to walk FIFTEEN miles, uphill, both ways, just to find the bank was closed!"

      1. Paul Crawford Silver badge

        Re: @Fibbles

        "I don't know where you're getting your info from"

        Experience. My first "smartphone" was an HTC Wildfire and it received a single OS update in 3-4 years for some wifi bug but remained buggy (would reboot in poor signal strength areas after a while). Also that update wiped phone so was really a factory reset as well. Now have a ~3 year old Motorola G which has had 2 OS updates so far and currently is telling me that its Android 5.1 patch 2016-03-01 is as up to date as there is.

        So while *you* might be lucky with your phone, the majority of phone owners get SAF in the way of timely updates.

        1. Gene Cash Silver badge

          Re: @Fibbles

          You're lucky... my Moto G has not even got as far as 5.0 under Verizon

        2. Anonymous Coward
          Anonymous Coward

          Re: @Fibbles and @Dave N

          HTC Desire One X, haven't had a system update for it for about 3-4 years, now. Still on Jellybean.

          When I'm ready to get a new one anyway, I might try Cyanogen Mod.

          (particularly as I don't want to bank on my phone ...)

        3. Ken Moorhouse Silver badge
          Coat

          Re: it received a single OS update in 3-4 years

          Tesco can detect installation of TOR? I wonder if it could also detect "one update and that shallot"?

          Coat? Yes, going now...

          1. energystar
            Holmes

            Tesco can detect installation of TOR?

            Well, it says a LOT about Tesco scratching at the bottom [as TOR]. Maybe they're trying to occupy the same real? state.

      2. MatsSvensson

        Re: Best security practice

        Yes, and clearly this is all about *you* and *your* phone.

        It's not like there is some kind of weird non-Motorola, non-lollipop parallel universe out there somewhere.

        Bah!

      3. Barry Rueger

        Re: Best security practice

        YMMV. My Moto G has seen exactly one minor system update since buying it a year and a half ago, and Marshmallow is not even a glimmer on some distant horizon.

        My experience is entirely the opposite of yours, and I assume my phone is always long out of date.

      4. Jeffrey Nonken

        Re: Best security practice

        No true Scotsman?

      5. tiggity Silver badge

        Re: Best security practice

        Whereas my Moto is getting no more updates - no Marshmallow etc as it is not ludicrously expensive, and more than 2 years old.

        If you are not on the new shiny upgrade mode of phone renewal, then upgrades soon peter out.

        Even true of Google Nexus, many models left to rot quite quickly.

        1. Danny 14

          Re: Best security practice

          ironically enough, the rooted phone is probably patched better than the unrooted phone.

          Easy answer though, switch banks.

    4. Adrian Midgley 1

      Nexus 5 - more like weekly updates

      You know rather a lot of users of whatever don't let updates run, don't you?

    5. a_yank_lurker

      Re: Best security practice

      One should limit all the apps to the bare minimum and remove the banking, commercial apps. This has nothing to do with OS security but the fact it is rather easy to lose a phone or have it stolen. I limit the types of apps on my phone so that if it is ever missing I do not need to worry about my bank or credit card details being stolen; they are not on the phone.

    6. Infernoz Bronze badge
      FAIL

      Re: Best security practice

      I would rather not use/buy anything from Tesco anyway, because they are effectively a low end supermarket now. As for firewalls, I use NoRoot Firewall on Android, which implements a firewall inside a VPN facade, so I can selectively block lots of apps which should never ever have WiFi/Cell internet access anyway!

      A basic internet app like one used for banking should not even be allowed to know that Tor is installed because it should never be allowed those kinds of system access privileges, because it is a security risk; only explicitly, user approved, proper security/system apps should ever be allowed those kinds of system access privileges. If I see any non security/system apps request excessive privileges I flame the author, then delete it, or if it can't be uninstalled because of manufacturer or google arrogance, I disabled it! e.g. most of the * Play apps are disabled on my Android devices...

    7. Anonymous Coward
      Anonymous Coward

      Re: Best security practice

      My android devices are patched monthly....

      Android has less security issues than iOS, despite a massive marketshare(85%) iOS is what I would be very concerned about....

      http://venturebeat.com/2015/12/31/software-with-the-most-vulnerabilities-in-2015-mac-os-x-ios-and-flash/

  3. davidp231

    Rooting

    The Barclays banking app isn't too different - it too doesn't claim to like running on a rooted phone (which the Android layer on a Jolla phone appears to be). It can be worked around by renaming or removing 'su' as that is apparently the guilty party.

    1. Dan 55 Silver badge

      Re: Rooting

      Just use a browser anyway, its SSL handling is 100 times more secure than a banking app.

      1. John Sager

        Re: Rooting

        "Just use a browser anyway, its SSL handling is 100 times more secure than a banking app"

        Citation? The Barclays banking app uses SSL with a cert chain similar to a browser one. I can't comment on the relative security properties of the app vs browser.

        1. Dan 55 Silver badge

          Re: Rooting

          http://www.theregister.co.uk/2015/12/18/ios_banking_app_audit/ - the first result that was reasonably up to date. And remember, that's with iOS where the OS forces you to make an effort with SSL security. Android is worse.

        2. oneeye

          Re: Rooting

          I would think that most banking apps are just a wrapper for the mobile website, and then would/should offer some kind of secondary authentication. The problem with the app vs browser, is not knowing how good the developers are, and whether or not they did an independent security audit of the app. I trust the major browsers more because of the developer community that surrounds them. But coming full circle, how secure really is the banks websites in the first place. There's a whole lot of moving parts to consider, but banking on any smart phone should at least be on one of the newest OS versions for sure.

      2. Anonymous Coward
        Anonymous Coward

        Re: Rooting

        @"Just use a browser anyway, its SSL handling is 100 times more secure than a banking app."

        Not any more. With Bluecoat getting a cert that lets it write fake SSL certs under the guise of "virus checking", your browser's SSL will likely be less safe than a banking app because it supports Symantec root. The banking apps will start checking for their correct root authority after the BlueCoat backdoor.

  4. Pascal Monett Silver badge

    "preventing free speech and internet security"

    Once again a stupid Twatter demonstrates his abysmal misunderstanding of the world he lives in.

    Free Speech is not guaranteed by Tesco. It is your Constitutionally-guaranteed right to be allowed to have your own political beliefs and not be harassed for having them. Tesco is a supermarket, not a political platform. Their app is for shopping, you do not use it to express your political preferences.

    As for Tor, it was a good idea, but it is being used by some of the worst people on the planet to conduct their despicable business. By being part of that, you are just allowing them to continue reaping illegal money or worse.

    Rooted phones are much more at risk of being hacked. Tesco has identified the weakness and decided to minimize risk by not letting the app run on a rooted phone.

    I agree with that decision completely.

    1. Paul Crawford Silver badge

      Re: "preventing free speech and internet security"

      WTF? The app is complaining about the Tor app installed on a non-rooted phone.

      So what if Tor is used by "some of the worst people on the planet to conduct their despicable business" as you could easily say "mobiles phones are used by..." or the Internet, or cars, etc, etc. So long as he is not using Tor for kiddy-fiddling etc then it is none of your damn business.

      1. Pascal Monett Silver badge

        It is indeed none of my business and I don't care what he does with it. It is nonetheless a vector for hackers and scum to access your phone because those kinds of people use Tor as well.

        Taking Tor out of the picture therefore increases security.

        Actually, taking the mobile phone out of the picture would be a great increase in security, but that isn't really possible these days, so it's a case of choosing the lesser of two evils.

        1. Paul Crawford Silver badge

          "a vector for hackers"

          Really, as far as I can see from the Play store it is not a tor node and just a tor access point or proxy. And if for access then I can't believe it is much worse than some unpatched browser on the phone as you go to legitimate web sites already hacked and serving up malware.

        2. Dave N

          > hackers and scum to access your phone because those kinds of people use Tor as well.

          HAHAHA. Oh wait, you're serious? I heard hackers and scum use the Internet too, better log off mate.

        3. Anonymous Coward
          Childcatcher

          It is indeed none of my business and I don't care what he does with it. It is nonetheless a vector for hackers and scum to access your phone because those kinds of people use Tor computers cameras printing presses paint pencils mud as well.

          Taking Tor computers cameras printing presses paint pencils mud out of the picture therefore increases security.

          Those bloody idolaters! Fashioning heresy from lumps of clay. It's filth. Filth you say.

          We should probably fire you off into space, away from all the scum and their filthy temptations, to protect your refined moral fortitude "security".

          1. Anonymous Coward
            Anonymous Coward

            @ AC

            Nicely done! :-)

        4. elDog

          Could say as much about SSL or encryption or writing your terrorist instructions in 1's and 0's. All these techniques are used by terrorists and banking consumers.

          If you want to communicate with the rest of us, please send a notarized letter on erasure-prevention paper within an envelope with the King's signet embossed.

        5. Adrian 4

          So something which has many uses, if also used by 'hackers and scum', should be avoided ?

          Better ditch Android, iOS, Windows, Linux, OSX, msDOS then ..

        6. Kane
          Facepalm

          "Actually, taking the mobile phone out of the picture would be a great increase in security, but that isn't really possible these days, so it's a case of choosing the lesser of two evils."

          Well, if we're going down that road...

          "Actually, taking the mobile phone car out of the picture would be a great increase in security, but that isn't really possible these days, so it's a case of choosing the lesser of two evils."

          "Actually, taking the mobile phone pencil and paper out of the picture would be a great increase in security, but that isn't really possible these days, so it's a case of choosing the lesser of two evils."

          "Actually, taking the mobile phone printed map out of the picture would be a great increase in security, but that isn't really possible these days, so it's a case of choosing the lesser of two evils."

          "Actually, taking the mobile phone trainers out of the picture would be a great increase in security, but that isn't really possible these days, so it's a case of choosing the lesser of two evils."

          "Actually, taking the mobile phone internet access out of the picture would be a great increase in security, but that isn't really possible these days, so it's a case of choosing the lesser of two evils."

          "Actually, taking the mobile phone paper money out of the picture would be a great increase in security, but that isn't really possible these days, so it's a case of choosing the lesser of two evils."

          "Actually, taking the mobile phone screwdriver out of the picture would be a great increase in security, but that isn't really possible these days, so it's a case of choosing the lesser of two evils."

          Can you see what I did there?

    2. VinceH

      Re: "preventing free speech and internet security"

      "Free Speech is not guaranteed by Tesco."

      No, but it is also not something they are responsible for restricting or preventing. They do not have that right, and they also have no right to decide what you can and can't run on your device.

      This isn't terribly far away from refusing to let you access online banking if you don't have cRapport installed.

      1. Anonymous Coward
        Anonymous Coward

        Re: "preventing free speech and internet security"

        "No, but it is also not something they are responsible for restricting or preventing. They do not have that right, and they also have no right to decide what you can and can't run on your device."

        This is not as evil as the howling hordes attempt to suggest (well, the few that fail to see the irony of running Tor on Android). Tesco isn't prescribing what you can or cannot run on your phone, it is telling you that they don't want their app running from a phone that also runs the Tor app. I suspect this comes from the angle that the Tor apps probably have not much in the way of provenance and may thus contain unwanted "features" which could be a security risk, combined with the fact that a lot of use of Tor is not for benign purposes (the Tor originated accesses I have seen on the websites I run, for instance, is exclusively by people trying to breach them).

        It's a classic overblown Internet reaction to claim that Tesco is attempting censorship: the company is simply attempting to exercise some caution. In a stupid way, yes (because that opens up a world of hurt: which other apps are not benign? Who updates that list? Is Tesco responsible when it misses one?), but censorship is defined as an unescapable denial of choice, which this definitely is not.

        If you don't like this, don't go whining on Twatter. Simply don't install the Tesco app.

        1. Anonymous Coward
          Anonymous Coward

          Re: "preventing free speech and internet security"

          It's OK, as Pascal probably 'downloaded the internet to a floppy disk' earlier to prevent anyone using his 333mhz Packard Bell and his AOL connection for launching nuclear missiles etc....

        2. Adrian 4

          Re: "preventing free speech and internet security"

          But also warn other people who might want to make the same decision. Perhaps that warning could be broadcast via a whine on twitter.

    3. Graham Dawson Silver badge

      Re: "preventing free speech and internet security"

      Another who confuses the US First Amendment, protecting free speech from restriction by the state, with the natural right to free speech.

    4. Fred Dibnah

      Re: "preventing free speech and internet security"

      Hey, does the UK have a constitution now? Thanks for letting me know!

      1. Anonymous Coward
        Anonymous Coward

        Re: "preventing free speech and internet security"

        "Hey, does the UK have a constitution now? Thanks for letting me know!"

        Oh yes, and it's a strong one as it has to handle the famed English Breakfast..

        1. Bob Rocket

          Re: "preventing free speech and internet security"

          The constitution is not so much for the bacony goodness in the morning but the 16 pints of Belgium's finest Stella that is required drinking the night before.

          Banking app won't work, change banks (it's not rocket science).

    5. Anonymous Coward
      Anonymous Coward

      Re: "preventing free speech and internet security"

      "As for Tor, it was a good idea, but it is being used by some of the worst people on the planet to conduct their despicable business. By being part of that, you are just allowing them to continue reaping illegal money or worse."

      I do websites and use Tor weekly at least to diagnose network issues. Never thought of myself as "one of the worst people on the planet"; nor has the website-herding business ever been described to me as "despicable" (although some of the SEO types can be a bit iffy).

      Tor use does not automatically imply evil, illegal, or even immoral intent.

    6. CanadianMacFan

      Re: "preventing free speech and internet security"

      As for the Internet, it was a good idea, but it is being used by some of the worst people on the planet to conduct their despicable business. By being part of that, you are allowing them to continue reaping illegal money or worse.

      /s

    7. This post has been deleted by its author

    8. Barry Rueger

      Re: "preventing free speech and internet security"

      "As for Tor, it was a good idea, but it is being used by some of the worst people on the planet to conduct their despicable business."

      Oh, the misery of the irony challenged.....

      Please Google "Panama Papers."

      Is there another industry or tool used widely by "some of the worst people on the planet?"

      Maybe used to manage and hide their ill-gotten gains.

    9. raving angry loony

      Re: "preventing free speech and internet security"

      Dear Pascal,

      The USA is not the world, and the world is not the USA. So get your head out of your ignorant arse. As for the rest of your argument, it's as ignorant as your initial diatribe about "Constitutionally-guaranteed right" in a British publication about a British company providing services in Britain.

      Now fuck off. Regards, a raving angry loony, who seems to be more sane than you'll ever hope to be.

  5. Spasticus Autisticus
    Black Helicopters

    Bank app or TOR?

    Bank app or TOR on my phone? Hmmm

    Bank app or TOR?

    Bank app or TOR?

    Fsck bank apps, Facebook, Whatsapp (is that right?), Snapchat, fsck them all!

    TOR above any data slurping, location seeking, ad pushing app on my phone - and yes I know I can be tracked - and whatever else - just by having a mobile phone on me. It's already too late for most of us to withdraw from digital surveillance but some gadgets are useful despite their drawbacks.

    1. Tom 64
      Facepalm

      Re: Bank app or TOR?

      Well, TOR won't help you much with the digital surveillance angle, I'm afraid.

      A lot of the exit nodes for TOR are run by our esteemed security services, precisely so they can surveil usage. If you have used TOR with any regularity, the chances are some of your connection details and possibly content is already on a government HDFS cluster.

  6. Ole Juul

    Tesco is making a strong statement

    When you connect to a bank you are completely identified by them and there is no privacy issue there. The problem is security. You don't want anybody else to be able to snoop on your transaction, and what you are doing is not anybody else's business. That is the reason for using Tor for this sort of thing. It is probably the best piece of software available right now for keeping other people from snooping, and by blocking it the Tesco Bank is making a strong statement that they do not endorse strong security when you are dealing with them.

    1. Anonymous Coward
      Anonymous Coward

      Re: Tesco is making a strong statement

      "by blocking it the Tesco Bank is making a strong statement that they do not endorse strong security when you are dealing with them"

      I disagree - do you really know who writes the Tor app and what their goals are? I think Tesco is more seeking to run from a platform that is less likely to be compromised, and they have taken the presence of Tor apps as an indication that not all is well.

      The best statement on this, of course, would be coming from Tesco itself. Strangely, any explanation from Tesco appears to be lacking, so their PR department is clearly not on the ball.

      1. Mephistro
        Linux

        Re: Tesco is making a strong statement

        "...do you really know who writes the Tor app..."

        I actually know what the apps do, as I have access to the source code. Just like everyone else, 'cos "Tor is free and open source for Windows, Mac, Linux/Unix, and Android"*, i.e. it's Open Source.

        * Note: Quote from the Tor Project page.

        1. Anonymous Coward
          Anonymous Coward

          Re: Tesco is making a strong statement

          Swings and roundabouts. Using Tor stops your ISP eavesdropping, but you don't know who's running the exit node. Tor is useful if you're roaming in an exceptionally dodgy country, but I think for banking I'd prefer a decent VPN service via Switzerland or Germany (where they at least try to have proper privacy laws).

          TBH, I wouldn't do banking with Android because I don't trust it much.

          Dunno where all this demonising of Tor is coming from...I use it all the time as a perfectly legit network diagnostic tool. Can't remember when I last fired it up for anything dodgy.

          1. Geoffrey W

            Re: Tesco is making a strong statement

            RE: "Can't remember when I last fired it up for anything dodgy."

            Ah Ha! So you HAVE used it for something dodgy. Where's my list...?

  7. Zakhar

    What about TOR proxies?

    Could be interesting to know what the app does when run on a TOR middlebox (it would probably detect an emulator) or if you attach it to a TOR proxy. I mean one can perfectly set up a private AP and forward all the traffic from the AP to TOR. As it is transparent forwarding (except it relays only TCP and DNS -UDP 53) the app CANNOT detect there is some TOR involved! Obviously the bank's server can detect that because (almost all) the tor exit nodes are known.

    The result could be interesting to know if the app works in such conditions. If it works, it means the bank don't ban TOR, just a list of local applications... and I'm not sure that does really enhance security, but sure it enhances annoyances!

    P.S.: I tested my bank app with a TOR middlebox, it works.

    1. Anonymous Coward
      Anonymous Coward

      Re: What about TOR proxies?

      That points to the app not being able to detect whether or not TOR is actually in use, so perhaps detecting the presence of a TOR app is the best they can do to keep the regulators off their backs.

  8. Anonymous Coward
    Anonymous Coward

    Missing the point...?

    Presumably their objection with Tor isn't aimed at weakening security for legitimate users, but more aimed at trying to stop criminals from anonymously accessing their services.

    "Sorry Sir, we don't have a snowball's chance in hell of finding the person who compromised your credentials and siphoned the contents of your account offshore, because we thought it would be a good idea to allow people to access our services anonymously"

    1. Anonymous Coward
      Childcatcher

      Re: Missing the point...?

      No! They're not blocking access from Tor nodes... naïvely misguided at best and tending towards draconian malignancy, but sadly fairly commonplace and at least pseudo-excuseable*

      They're scanning your system to check if it's even installed! Not in use - merely installed! Then presuming to rebuke you for your choice of privacy tools and refusing to cooperate until you conform to their removal demand!

      Think of the children!

      *(not a typo)

      1. Anonymous Coward
        Anonymous Coward

        Re: Missing the point...?

        > They're scanning your system to check if it's even installed! Not in use - merely installed!

        Is there really a way in Android to distinguish the one from the other?

    2. Adam 1

      Re: Missing the point...?

      > aimed at trying to stop criminals from anonymously accessing their services

      If that is the yardstick that we should measure this by then it is a terrible idea on 2 accounts.

      1. It is ineffective. It doesn't stop access from desktop environments, and let's be honest, cyber crooks are hardly going to bother fiddling around on phone swipes unless it makes their job easier. It also cannot detect whether the traffic has been transparently routed through tor between the phone and the net, so fails its goal even if that was a good approach in the first place. Even VPNs would easily defeat the ability to track the true location of the client.

      2. There does exist a simple to implement and much more effective approach in the server detecting and refusing to deal with communications arriving from tor exit nodes. This could then display a simple message in the app to say: "Sorry, you can't use this service via tor. Please disable it and try again." Oh, and that works on desktops and transparent tor routing too. It also works with public VPNs (hey, we are concerned with being able to identify the actual client ip right?)

  9. This post has been deleted by its author

    1. Anonymous Coward
      Anonymous Coward

      luddite moron

      1. Anonymous Coward
        Anonymous Coward

        "luddite moron"

        With all due respect, I think you are being unfair to morons here.

    2. Mephistro

      "how about you sign a disclaimer....so that when your bank account is raided, you don't get reimbursed"

      I'll do that when the bank signs another disclaimer taking responsibility for any security / privacy issues derived from its apps removing my security / privacy software.

      Nah, actually I wouldn't touch Internet banking with a bargepole. Until "They" remove the right to choose from "Us".

    3. Paul Crawford Silver badge
      FAIL

      You are indeed a moron if you think that the presence or otherwise of a tor browser is the single most important thing for banking security.

      Here is a clue - if security matters, and one has to assume banks are aware of this, you must start by the assumption that any device or communication channel may be compromised and design a system to catch that. That is the whole point of 2FA (you can't trust a single path/factor).

      Of course if the '2' in your 2FA are both via your phone (e.g. banking app & text message confirmation) this is a big FAIL as you really have 1FA (and considering the numerous unpatched bugs in many phones, really SFA). Banks must know this, but take the risk that fraud is less expensive than the lost business of forcing a more secure model on the customer.

      1. Anonymous Coward
        Anonymous Coward

        As you said, if customer satisfaction is pulling counter to your need for security, then there's no way you can maintain security AND keep your customer base. Too much security and your customers defect and you fold. Too little and accounts get hacked, you get investigated, and you fold. And since it's the clients who want this access, saying no is not an option (too much security again). So they're caught between Scylla and Charybdis here. I mean, what can you do when your customers only have ONE factor to them?

        1. Paul Crawford Silver badge

          "when your customers only have ONE factor to them?"

          Difficult, though some of my accounts have a card reader that generates a code based on the card/PIN and the transfer amount to be used. This is a separate validation path that is very hard for a compromised phone (or PC, or MITM from hacked wifi point, etc) to bypass.

          Advantage - no internet connection to said device so it can't be hacked (directly, let's overlook the RSA Token breach for a moment).

          Disadvantage - it is something annoying to carry with you if you really want banking on the move.

          1. Charles 9

            Re: "when your customers only have ONE factor to them?"

            "Disadvantage - it is something annoying to carry with you if you really want banking on the move."

            Not to mention easy to lose AND easy to get swapped for a pwned model. That's why there are plenty of people who don't even take their phones with them: they keep leaving them at home, which creates a problem. How can you use a second factor when there is no second factor available?

            1. Kevin Johnston

              Re: "when your customers only have ONE factor to them?"

              ah hahahaha...haha

              I did a count of my account with a certain bank and when I use a PC which does not store their funky cookies, I get 6 (yes really, 6) steps for authentication.

              -Initial Customer code

              -Security password as there is no cookie so PC is not recognised

              -pre-agreed image

              -pre-agreed phrase

              -Customer Number

              -Security code

              and if I use a Windows PC it whinges that I don't have cRapport which would 'improve my security'

              So 6-Factor security isn't good enough and you want an extra package to help???????

  10. inmypjs Silver badge

    Not surprised

    I had a Tesco online savings account for a short time, couldn't stand the obnoxious security policies which required mobile phone authorisation every time I logged on.

    My privacy policies being incompatible with arcot browser fingerprinting technology they used.

    I remember the EU cookie legislation had recently been introduced requiring user permission and commenting how much worse the arcot 'evercookies' were being accessible from any website.

    Tesco didn't even mention the technology they were using never mind ask for permission.

    I see their online services are still managed by idiots - doesn't matter because I still wouldn't even consider using any Tesco financial service.

    1. Jay 2

      Re: Not surprised

      Yes it took me a while to figure out what was behind the "remember my computer" option.

  11. Anonymous Coward
    Anonymous Coward

    I'd assume that they've decided that annoying the handful of people that'll have such apps installed legitimately is worth it for the number of instances where such software is installed illegitimately.

    Also they no doubt use your originating address and such like to add to the wealth of things that the anti fraud systems check (such as if you buy something in London on your card one hour then the next hour you buy something in South Africa on your card and they block your card.) I'd assume having multiple exit geographically different access addresses would kick off similar caution from the bank.

    As to rooted (as in new os installed) systems while you may trust them there's little guarantee that the image hasn't been compromised by someone along the way and while if a network or manufacturer OS has a breach in their supply chain you are covered by multiple insurances the third party OS almost certainly doesn't give you any legal protection. As such a bank probably wouldn't reimburse you if they have cause to suspect that the issue was caused by you installing a third party OS.

    1. Anonymous Coward
      Anonymous Coward

      Also considering the risk of poisoned exit nodes & MITM, while TOR is great for anonymising your origin you probably can't trust it to protect your identity and personal details that you transmit. Especially if you're paranoid about alphabet agencies and or concerned about well funded online crime groups.

      1. Mephistro
        Devil

        @ AC

        "Especially if you're paranoid about alphabet agencies"

        And don't forget the Alphabet Company!

        While writing this comment, I noticed that Google's mothership's name was kind of a hint.

      2. Ben Tasker

        > Also considering the risk of poisoned exit nodes & MITM, while TOR is great for anonymising your origin you probably can't trust it to protect your identity and personal details that you transmit

        Well, how about the App actually verifies the certificate it receives, and they use DANE to ensure that the fingerprint of the provided certificate matches the certificate they _know_ to be real.

        Then the exit not only has to MITM the SSL connection (using a publicly trusted certificate), but also has to find a way to return a valid, _signed_ response to the DNS query.

        Tesco are using DNSSEC for their financial arms right? right? Oh wait, no they're not. Hell, they're not even using HSTS or HPKP

        Implementing actual checks on the certificate being provided would benefit all users, tor and non-tor. Instead, they leave their app checking the local system whilst ignoring the large expanse of network between the client and the server.

        1. Ben Tasker

          > Tesco are using DNSSEC for their financial arms right? right? Oh wait, no they're not. Hell, they're not even using HSTS or HPKP

          Got curious, turns out they're not the worst of the lot, even if far from great.
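The certificate check Ben Tasker describes above, sketched as an added example (not code from the thread, from Tesco, or from any banking app): matching a presented certificate against a DANE-EE TLSA record (usage 3, RFC 6698), by full certificate or by public key. The helper names and the sample "certificate" (a constructed, unsigned DER structure with the X.509 field layout) are assumptions made for the illustration; DNSSEC validation of the TLSA answer itself is out of scope here.

```python
"""Match a certificate against a DANE-EE TLSA record (added example)."""
import hashlib
import hmac


def _read_tlv(buf, pos):
    """Read one DER TLV at pos; return (tag, content_start, content_end)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER")
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first < 0x80:
        length = first
    else:
        n = first & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            raise ValueError("unsupported DER length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("DER length exceeds buffer")
    return tag, pos, pos + length


def extract_spki(cert_der):
    """Return the DER-encoded SubjectPublicKeyInfo of an X.509 certificate."""
    tag, pos, _ = _read_tlv(cert_der, 0)            # Certificate SEQUENCE
    if tag != 0x30:
        raise ValueError("not a certificate")
    tag, pos, tbs_end = _read_tlv(cert_der, pos)    # tbsCertificate SEQUENCE
    if tag != 0x30:
        raise ValueError("missing tbsCertificate")
    tag, _, after = _read_tlv(cert_der, pos)
    if tag == 0xA0:                                 # optional [0] version
        pos = after
    for _field in range(5):  # serial, sig alg, issuer, validity, subject
        _, _, pos = _read_tlv(cert_der, pos)
    tag, _, spki_end = _read_tlv(cert_der, pos)
    if tag != 0x30 or spki_end > tbs_end:
        raise ValueError("SubjectPublicKeyInfo not found")
    return cert_der[pos:spki_end]


def tlsa_matches(cert_der, usage, selector, mtype, assoc_hex):
    """True if the certificate matches a 'usage selector mtype data' record."""
    if usage != 3:
        # Usages 0-2 also need chain validation, which this sketch omits.
        raise ValueError("only DANE-EE (usage 3) is handled here")
    if selector == 0:
        data = cert_der                  # whole certificate
    elif selector == 1:
        data = extract_spki(cert_der)    # public key only
    else:
        raise ValueError("unknown selector")
    if mtype == 0:
        candidate = data
    elif mtype == 1:
        candidate = hashlib.sha256(data).digest()
    elif mtype == 2:
        candidate = hashlib.sha512(data).digest()
    else:
        raise ValueError("unknown matching type")
    return hmac.compare_digest(candidate, bytes.fromhex(assoc_hex))


def _tlv(tag, content):
    """Encode one DER TLV (used only to build the constructed sample)."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    ln = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(ln)]) + ln + content


def build_sample_cert(key_bytes, serial=1):
    """Constructed, unsigned stand-in with X.509 field order (test data only)."""
    alg = _tlv(0x30, _tlv(0x06, bytes.fromhex("2a864886f70d010101")))
    spki = _tlv(0x30, alg + _tlv(0x03, b"\x00" + key_bytes))
    name = _tlv(0x30, b"")
    tbs = _tlv(0x30, b"".join([
        _tlv(0xA0, _tlv(0x02, b"\x02")),                 # version
        _tlv(0x02, bytes([serial])),                     # serialNumber
        alg,                                             # signature algorithm
        name,                                            # issuer
        _tlv(0x30, _tlv(0x17, b"160801000000Z") * 2),    # validity
        name,                                            # subject
        spki,
    ]))
    return _tlv(0x30, tbs + alg + _tlv(0x03, b"\x00" * 9)), spki
```

A selector 1 record keeps matching when the certificate is reissued with the same key, while a selector 0 record has to be republished on every reissue.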

    2. Anonymous Coward
      Anonymous Coward

      Sounds similar to the reason Android Pay refuses to run on anything but verified-stock systems. No root (not even systemless root), no custom anything in /system. And because SafetyNet phones home over a secure connection, that can't be faked, either (or xda would've found a way by now).

  12. Anonymous Coward
    Anonymous Coward

    Missing the point again

    Not really surprised they take this view.

    As Tor hides the identity of the endpoint, if the person was up to no good like trying to drain a bank account, it would be nigh on impossible for Tesco to pursue any criminal case against them so in this case it's not about trampling on free speech, it's about security.

    As for holding the customer to account for weak security, this is analogous to leaving your door unlocked or leaving a key under or in a flowerpot.

    If you get burgled and tell your insurance that you've done this after the Police have indicated there are no signs of forced entry, I wonder if they are likely to honour your claim? Not very.

    Where I work a password criteria is enforced for this reason, but I guess some are still using password123 then?

    1. Paul Crawford Silver badge

      Re: Missing the point again

      You are right but also mistaken.

      Yes, I can see that banks should not accept business via Tor due to the additional risk of the originator not being the real person, and no doubt the use of the IP address and geo-lookup is one aspect banks use in detecting fraud.

      But you are mistaken here: the whole point of the article is the banking app won't allow you to have a Tor browser installed on the same phone even though it is cleared via Google's own Play store, not that it won't work via a Tor network. Those are two very different things.

      1. Charles 9

        Re: Missing the point again

        Unless they can't tell the difference. Once Tor is in use, the source IP can easily be masked without a way for the banking app to know it's turned on. If the only clue you have to TOR is whether or not such a gateway is present (not whether it's on or off, only present), then it's a case of having nothing but a hammer to work with and financial regulators on your back.

        1. Paul Crawford Silver badge

          Re: Missing the point again

          Even if the banking app can't tell the phone's IP address, the bank surely can tell if the connection is coming out of a Tor node. Maybe not 100% as I doubt there is a very up-to-date list, but pretty much most connections would be identifiable that way. Also if it's an app that can get your location then a geo-lookup should be able to tell if the phone's IP address is sane as well.

          But one way or another, they should not be placing great trust in the bank app, phone, or network path in the first place. 2FA is needed if it matters, but sadly for a mobile-only customer that is a single point of failure.

          1. Old Handle

            Re: Missing the point again

            There IS an up to date exit node list. The Tor Project publishes it themselves. If all they wanted to do was stop people from accessing their bank through Tor (not entirely unreasonable) that would have been the way to go. So either they're clueless or have some other motivation.

            1. Charles 9

              Re: Missing the point again

              "There IS an up to date exit node list."

              They're probably clueless. They probably also don't trust the exit node list.

        2. Mephistro
          Coat

          Re: Missing the point again (@ Charles 9)

          "Once Tor is in use, the source IP can easily be masked without a way for the banking app to know it's turned on."

          Would it be that difficult to make the app in such a way that it only communicates with the Internet through 'normal' https?

          So, while it's working, the app closes access to a big list of Tor nodes, does some other clever checks, e.g. symptoms of DNS Constipation, and if it considers that the connection is still not safe, disallows itself to communicate with the bank's site, then close the connection, stop blocking the tor services and browser, send user a message to please stop temporarily (not remove!!!) any app that has anything to do with the tor network.

          This mechanism would have the advantage of addressing the problem not only for this program, but for other future programs that provide access to the Tor network. And nobody's rights would be stomped*.

          It's not rocket science!

          While I was writing about "stomped rights", I, for unknown reasons, recalled this quote from Fallout Tactics:

          "Look Joe, I've been hookin' here for fifty years now. My ass has seen more rubber than a dead rat in the middle of Route 66. I thought I've seen just about everything, but then these robots come in and they kill all my customers. Now the only time I lay on my back is to go to sleep."

          :-)

          1. Amos1

            Re: Missing the point again (@ Charles 9)

            Relying on client-side controls for security, as in the app, is a fool's game. Physical possession = Game Over as far as any kind of security goes. It can help you reduce the number of incidents but that's it.

            1. Mephistro

              Re: Missing the point again (@ Charles 9)

              "It can help you reduce the number of incidents but that's it."

              Nothing we can devise and develop will ever give us a perfect protection.

              What I described would give users a 'sane' level of protection, without breaking that delicate balance between annoying your customers and protecting them, and without costing an arm and a leg.

              Now, someone should do something about all those methods to pwn a stolen smartphone. In the case of Android, it should include serious changes in the way it addresses security, including a working full disk encryption, IMHO. The same is true about Apple, but up to a lesser extent (and with the full disk encryption side more or less covered), as proved in the San Bernardino iPhone unlocking case.

              1. Anonymous Coward
                Anonymous Coward

                Re: Missing the point again (@ Charles 9)

                If someone can physically steal the phone, they can meddle with things physically to defeat protections: including going as far as gleaning unlock codes and such (like how the FBI got their hands on an iPhone when the owner was dead). Worse comes to worse, they can attack the chips themselves in an evacuated darkroom or something.

    2. Anonymous Coward
      Anonymous Coward

      Re: Missing the point again

      > Where I work a password criteria is enforced for this reason, but I guess some are still using password123 then?

      No they are using something like Password123! ie the minimum variant on that they can to pass your password complexity checks.

    3. David Pollard

      Re: Missing the point again

      > ... Tor hides the identity of the endpoint ...

      So does a throwaway laptop, or an RPi with a newly written SD card and reset MAC.

  13. Amos1

    A bit heavy-handed but the intent is understandable

    At the financial institution where I work we block Tor exit nodes unconditionally if they attempt to access anything but the brochureware website. (We do not block just because it's installed.) Everyone wants the bank to reimburse them for losses due to their own negligence, sorry, "accepted risk", and this is a method we use to keep the bad people out. It does seem a bit odd for a supermarket but one would hope they've correlated incurred losses to Tor and that's why they did it.

    Colleagues at international banks, particularly those with clients in South America, have said they see a lot of their legitimate traffic come in via Tor, allegedly because of repressive governments or hiding of assets offshore or whatever. For them the risk of Tor use is low. For us, we've only had attacks come in via Tor so we waved it bye-bye.
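The server-side approach raised in this thread (Adam 1's point 2, Old Handle's note that the Tor Project publishes an exit list, and the blocking policy in comment 13), as an added example that is not code from any commenter or bank. It parses a constructed sample in the exit list's `ExitAddress` line layout, treats a stale list as "unknown" rather than clean, and applies a hypothetical policy; the class, function and path names are assumptions.

```python
"""Server-side Tor exit check against a published exit list (added example)."""
from datetime import datetime, timedelta, timezone
import ipaddress

# Constructed sample in the "ExitNode / ExitAddress" line layout. Fingerprints
# are fake; addresses come from the RFC 5737 documentation ranges.
SAMPLE_EXIT_LIST = """\
ExitNode 0000000000000000000000000000000000000001
Published 2016-08-20 10:00:00
LastStatus 2016-08-20 11:00:00
ExitAddress 192.0.2.10 2016-08-20 11:05:00
ExitNode 0000000000000000000000000000000000000002
Published 2016-08-01 09:00:00
LastStatus 2016-08-01 09:30:00
ExitAddress 198.51.100.7 2016-08-01 09:40:00
ExitAddress not-an-ip 2016-08-20 11:05:00
"""


def parse_exit_list(text):
    """Return {ip_address: most recent time it was seen as an exit}."""
    exits = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4 or parts[0] != "ExitAddress":
            continue
        try:
            addr = ipaddress.ip_address(parts[1])
            # Assumption: timestamps in the list are UTC.
            seen = datetime.strptime(
                parts[2] + " " + parts[3], "%Y-%m-%d %H:%M:%S"
            ).replace(tzinfo=timezone.utc)
        except ValueError:
            continue  # skip a malformed line instead of rejecting the feed
        if addr not in exits or seen > exits[addr]:
            exits[addr] = seen
    return exits


class ExitNodeChecker:
    """Classify client addresses; thresholds are illustrative defaults."""

    def __init__(self, exits, fetched_at,
                 max_list_age=timedelta(hours=6),
                 max_entry_age=timedelta(days=2)):
        self.exits = exits
        self.fetched_at = fetched_at
        self.max_list_age = max_list_age
        self.max_entry_age = max_entry_age

    def classify(self, client_ip, now):
        """Return 'tor-exit', 'not-listed' or 'unknown'."""
        try:
            addr = ipaddress.ip_address(client_ip)
        except ValueError:
            return "unknown"
        # A dual-stack listener may report IPv4 clients as ::ffff:a.b.c.d.
        if addr.version == 6 and addr.ipv4_mapped is not None:
            addr = addr.ipv4_mapped
        # A list we have not refreshed recently proves nothing either way.
        if now - self.fetched_at > self.max_list_age:
            return "unknown"
        seen = self.exits.get(addr)
        if seen is not None and now - seen <= self.max_entry_age:
            return "tor-exit"
        return "not-listed"


def decide(verdict, path, public_prefixes=("/public/",)):
    """Hypothetical policy: brochure pages stay open, the rest is gated."""
    if path.startswith(public_prefixes):
        return "allow"
    return {"tor-exit": "block", "unknown": "step-up",
            "not-listed": "allow"}[verdict]
```

Because the check runs on the server, it gives the same answer for a phone, a desktop or a transparent Tor gateway, which an installed-app scan cannot.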

  14. cd

    When a biz tries to get me to download their app, I picture their manager in a toupee using a computer with a Turbo button on it.

  15. Anonymous Coward
    Anonymous Coward

    how about a deal?

    I'll agree to remove Tor, to please Tesco; if they in return, to please me, agree to accept unlimited liability for any financial loss (direct or indirect) for any transaction on my account that is not explicitly authorised by me in a written letter in advance? Any card transactions, any direct debit with a variable amount, any bank charges - none of them allowed. (If they know how to run my phone, I know how to run their bank).

  16. billse10

    question

    the bank knows who the user is.

    the bank knows the user has Tor installed

    what stops the bank giving people a list of customers with Tor?

  17. Anonymous Coward
    Anonymous Coward

    Tesco is not a bank any more than a mobile phone operator. The banking licence and presumably the systems are operated by a real bank (RBS from memory - OK, not quite a real bank!). So it is bizarre that Tesco appear to require this but the actual guardians of the bits, RBS do not (assuming that the absence of similar stories about RBS is not merely absence of proof of this). I suspect it is an overly stringent spec issued by the app design consultant to the app developers.

    1. billse10

      Maybe we should have a way to "reverse" the 'Intel Inside' idea ... "contains RBS", "O2 inside", that sort of thing ...

  18. energystar
    Linux

    Being Paranoid...

    Secure [As Bank] Applications should run in their own Hard|Soft Stack. That is, bank provided agent Gadget. Cost wise, nothing of another world. Security wise, a world apart.

    1. Anonymous Coward
      Anonymous Coward

      Re: Security wise, a world apart.

      But if the bank provided agent Gadget (or, for backdateable tech, a bootable cd/usb) was bank provided, they'd find it much harder to shift any blame onto the customer. Why else is it this hasn't been done?

      As a non-rebooting linux user, I'd have hated having to reboot into a whatever ThingBank OS they used just to do some banking ... but I couldn't have denied that it would have made considerable sense, security-wise.

  19. Baldy50

    Tor, NONONO Call it the (Darker Net)

    Tor is used by dissidents, political refugees, military personnel, police informants, journalists escaping repression/censorship, so on and so forth.....

    Tor has a rep for being used by crims/drug dealers and they do use it too, but I don't think I'd like to live in a world where if my government turned dystopian I couldn't tell the world what was really happening and that is its redeeming quality.

    Tor has to be, for good or bad!

  20. Milton

    Typically corporate stupidity

    Many readers will by now have had the experience of picking up contract work where, for certain clients, it is a non-negotiable MUST that for the client's work you exclusively use a handset supplied by him, and use encryption and keys approved by the client's own security bods. (There's a fascinating story or three to be told about the peculiar difficulty of ensuring that your handset has not a single component or piece of code fabricated in China or Russia, too.)

    So there is a kind of black hilarity in the fact that the more secure your handset is, the less likely it is to work with the bank's systems. I suspect Tesco are telling us more about their (lack of) faith in their authentication methods and worries about their own security, than they are concerned about protecting customers.

  21. Anonymous Coward
    Anonymous Coward

    I don't think Tesco are preventing free speech or restricting privacy as nobody is forced to use the app and to claim otherwise is just plain silly, something which I wouldn't have expected from a database admin. I can only imagine the sheer horror and carnage if someone accidentally drops a table, mistypes some sql or turns his monitor off when he goes out to lunch or is it just twitter that given the limited message length people are compelled to fit as much bollocks into a small space?

    Who do @Tesco think they are, preventing free speech and internet security? @torproject @tescobankhelp @Android

    Should have been

    Can't use @tesco bank app with tor, a useful tool for speech and internet security. I will have to look at other options @torproject @tescobankhelp @android

    Sometimes I use this thing called "the browser" I'm guessing quite a lot of IT folk haven't heard of it but those that don't should look it up, it's amazing, you can access the "Internet" without apps. I shit you not.

  22. gnasher729 Silver badge

    There are three reasonable reasons why a bank might reject your phone: a. Because they think your phone is likely to be or get hacked. b. Because they think your phone might not be the phone of the account holder. c. Because they think you do something that makes you a bad customer. (c) may be reasonable, but it is objectionable.

    Some people seem to believe that (c) is the reason. But if using Tor was a reason to disable the phone banking because your bank thinks you are a bad customer, then it would be logical to close your accounts completely, not just online banking.

    I think the real reason is (b). Having Tor on your phone makes it more likely that you are not the customer trying to access his bank account, but a hacker trying to break into someone's bank account.

    1. Old Handle

      Good thing a hacker couldn't just uninstall Orbot and put it back after they're done looting your account.

    2. Adrian 4

      Surely having Tor on your phone is a hint that you're a less naive internet user who's savvy enough to recognise phishing or certificate attacks ?

  23. Martin-73 Silver badge

    So for someone who still has a non-smart-phone...

    Can someone explain the advantage (if any) to the user of an App for 'joebloggs telephone payments' and a bookmark that takes the phone's browser to joebloggs' website ?

    1. Charles 9

      Re: So for someone who still has a non-smart-phone...

      The App is not restricted to security measures featured in a browser beyond their control and can go above and beyond if desired.

      1. Old Handle

        Re: So for someone who still has a non-smart-phone...

        That looks more like a disadvantage in this case.

        1. Charles 9

          Re: So for someone who still has a non-smart-phone...

          TrueCrypt/VeraCrypt doesn't have to rely on a single standard algorithm. What if a banking app was like that and could use algorithms like Blowfish that aren't standard but still useful, especially when used in addition to the standard-bearers?

  24. EvadingGrid

    User or Admin

    It's interesting to see the majority of comments are from outraged dumb phone users.

    Those who run serious servers, that are under constant attack, seem to be largely absent from the comments.

    1. WatAWorld

      Re: User or Admin

      It is the weekend, so those who actually work in IT are mostly doing something else.

  25. anthonyhegedus Silver badge

    The only reason to run this tor bullshit is if you're doing something dodgy, or you're running an illegal service, such as a web site to take payments in bitcoins for ransomware. Or if you're a paranoid tinfoil hat wearer.

    Tesco are doing risk reduction here. If a phone has tor on it, it's also likely to have all manner of other crap on it that can only be used for something at least partially illegal, or the user has such a low grasp on security that they feel the need to load it in the first place. The same for rooted phones. A rooted phone is much more likely to have malware on it just by virtue of it being less secure.

    And don't start that bullshit about bloatware. Yes, it's good to remove all that shit, it only serves greedy advertisers, but not at the expense of rendering my phone more susceptible to other malware.

    I'd sooner check my balance on an android than Windows anyway

  26. Anonymous Coward
    Anonymous Coward

    Banking through a supermarket, eh?

    Now there's ya problem.

  27. PNGuinn
    Coat

    "Free Speech is not guaranteed by Tesco."

    No, but you do get clubcard points ......

  28. David L Webb

    Tesco and the dark net

    Tesco are probably still upset about the fake Tesco vouchers which were apparently available on Silk Road in 2014.

    From

    http://lbbonline.com/news/demos-jamie-bartlett-talks-tor-the-darknet-how-brands-could-learn-from-it/

    "One of the biggest pages on the dark net is The Silk Road (think Amazon of the drugs market). It sells more than 20,000 different products, the majority of which are drugs – though in April 2014, the most popular item was a counterfeit £20 Tesco voucher going for eight quid!"

    Dave

  29. JohnMurray

    If you don't like it: Don't use Tescrap Banking.

    Problem solved. They're only skimming a deal out of providing an alternate route to services you can obtain directly from the bank group Tescrap use.

  30. wolfetone Silver badge

    Remember kids, the "man" doesn't like you having a choice. He just wants you to think you have one.

    1. WatAWorld

      Remember, TOR is a product of "The Man".

      Remember, TOR is a product of "The Man". The US State Department would not be sponsoring it if they didn't have a way to see inside of it and if it did not serve their own ends.

  31. oiseau

    TOR and banks

    Hello:

    A year or so ago I installed the TOR browser on my netbook to see how it worked.

    One of the tests I ran was accessing my bank account via what they call 'Home Banking' (even though Spanish is the official language), it worked quite well, albeit a bit slow.

    Next time around and working from my home rig this time, I see that access to my account has been blocked and I get a pop-up requesting I contact the bank.

    To make it short: had to go to the bank and see my account manager who duly notified me that the bank's IT dept. had detected a virus/trojan/whatever in my equipment, requesting (a way to put it) I sign a release form without which my account would not be reinstated.

    Ever.

    And that was that.

    Cheers.

  32. Ken Moorhouse Silver badge

    Unexpected item in application area

    Onion DNA found on phone

    http://metro.co.uk/2013/01/16/top-10-jokes-about-horse-burgers-following-the-tesco-revelation-3354967/

    http://fourthirds-user.com/galleries/data/500/UNEXPECTED_ITEM.jpg

  33. Anonymous Coward
    Anonymous Coward

    Banks are under increasing scrutiny for money laundering etc etc and face increasingly huge fines if they can't demonstrate they've taken appropriate steps to avoid problems so it is perhaps not surprising they may be "overreacting" .... as an example - people with US citizenship are finding it difficult to open bank accounts in several European countries (or have existing accounts summarily closed) because banks have decided to de-risk and avoid the dangers of incorrectly reporting info to the IRS (and any bank that deals in dollars basically has to have a US operation which can be fined). My younger son was born while I was working for 3 years in California and we've already hit the issue of having to tick the "is applicant a US citizen" box when opening a savings account for him ... all the bank representative could say was it wouldn't cause an issue until he was 18.

  34. Anonymous Coward
    FAIL

    Web is still best (assuming no flash plugin)

    Two tabs in your browser can't see each other AT ALL thanks to the same-origin-policy.

    Android apps can see each other, which means Android security is SHIT and not fit for any purpose. Especially banking apps.

    1. Anonymous Coward
      Anonymous Coward

      Re: Web is still best

      Hey downvoters, thought I'd just add some more truth:

      Proprietary app platforms are predatory BY NATURE. Every app is out to claim the most permissions they possibly get, then to suck down as much private data as physically possible.

      You're doomed. DOOOOOOMED. DOOOOOOMED. A lamb to the slaughter.

      Of course the web is full of cancer too, but at least the very strict sand-boxing and script-blocker plugins can keep it in check.

      (Haha lusers!)

      1. Charles 9

        Re: Web is still best

        "Of course the web is full of cancer too, but at least the very strict sand-boxing and script-blocker plugins can keep it in check."

        You haven't run into the ad-blocker-blockers have you? Or those sites that don't show anything unless the ad stuff gets loaded? Or the sites that are trying to find ways around your ad blocking such as through local caching?

  35. This post has been deleted by its author

  36. WatAWorld

    Who are these narcissists who think they are the only ones entitled to freedom of choice?

    You can have your free speech. You have your freedom of choice. And so do other people.

    You cannot expect banks and grocery stores to succumb to your right to choose to wear a ski-mask when withdrawing funds or making purchases.

    People who work and own banks and grocery stores have their right to freedom of choice and freedom of speech too. And more importantly they also have a right to know who they are doing business with.

    Sure there are ways to bypass this. There are ways to bypass bans on wearing ski-masks inside of banks too.

    What I'd really like to see is merchants being stricter on insecure browsers and allowing us to impose geographic limits on the use of our own accounts. We need more security on the web, not less.

    1. Charles 9

      Re: Who are these narcissists who think they are the only ones entitled to freedom of choice?

      "What I'd really like to see is merchants being stricter on insecure browsers and allowing us to impose geographic limits on the use of our own accounts. We need more security on the web, not less."

      The only way to achieve that is with a Stateful Internet, meaning no anonymity. Otherwise, miscreants can use the anonymity inherent in today's Internet to masquerade and get around things like ID and geo-blocks.

  37. txt3rob

    it's a rather smart idea that!

    protects them from paying out from fraudulent users they can not trace.

    Smart bank!

  38. Anonymous Coward
    Anonymous Coward

    Obvious innit - Ripped off here from a few years back

    Tor = TCP for peedos
