Trusteer continues to spar with researchers at Digit Security over claims that it might be possible to bypass Trusteer's online banking security technology Rapport. Digit Security said Trusteer has responded to concerns over the effectiveness of its technology with marketing claims, rather than meaningful dialogue. This is after …
Is this software any good - and do we really need it?
I ask this question because when I first installed this a couple of years ago (provided by my bank) it worked OK for me but when my wife logged onto the same machine she was unable to access the internet. Uninstalled it, raised the issue with my bank and got a reply back from Rapport that they'd now fixed this issue. In other words, they'd not ever considered that in a home environment more than one person might use a PC. Amazing!
Didn't fill me with confidence in the company so I have never reinstalled it.
No, it cannot be
HSBC tried to "offer me" that via an advert on their website which
1. Was offered exclusively from the insecure part of their site with no means to guarantee that the offer is genuine and not for example a case of DNS poisoning or someone drive-by serving malware.
2. Referred to from one insecure site to another in the process of asking this.
3. Tried to dupe me into installing it with scaremongering including a pseudo-AV popup just in the style of poisoned scareware adverts.
Sorry, self-respecting secure software will not allow its affiliates to use tactics like this to peddle its warez.
By the way - I wrote to HSBC about this and it got the same attention as any obvious BUG or security problem on their site: "This is not the security problem you are looking for".
Can it EVER be any good?
I wonder - you have the risk of a compromised PC, quite possibly via a VM-like rootkit so it is virtually undetectable by AV or anything running in the OS, and try adding another OS-level bit of software that somehow is going to stop the keyboard/mouse/monitor being recorded and sent to a 3rd party?
Just how is that supposed to work?
As pointed out elsewhere, what is needed is a "2nd path" of information that is much harder to guess, such as the RSA key (assuming the morons learn and don't keep the keys to everyone's kingdom in the one place) or a mobile phone (unfortunately assuming said PC-monkey won't just install a Trojan on it as well).
Can we have a 'snake oil' icon please?
Rapport - - - AAarrrrrrgggh
I wish, I just wish, that it was possible to say no to this with my bank.
I would never pretend to be the world's best at keeping my data secure but I do all my banking from PCs which I control and which have decent anti-everything installed. Since the recent changes to my online banking (which used to be a password and a couple of numbers and which now are an ID, some numbers, check the image matches, add a couple more numbers) I can't get away from the 'delightful' offer to install that wonderful Trusteer product to make sure this wealth of data doesn't get snaffled by undesirables EVERY TIME I LOG IN.
There is so much of this garbage to go through to log into my bank I HAVE TO WRITE SOME OF IT DOWN!!!!! Anyone who uses real values for these 'memorable questions' is just making it easy for people with FriendsFaceUnited or whatever to pick up the answers so you have to keep track of the random garbage.
Do these people not understand that the more complex you make the login procedure the more likely this is to happen? What point software which can (probably) hide your secret data when it is on a Post-it on the monitor?
Why don't banks just admit that they can't make online banking secure and go back to simple techniques? I know the RSA key methods and suchlike have some known issues but realistically anyone who has the kit/know-how to defeat that level of security will breeze past the rest of this garbage and probably already has access through the records that banks keep dumping in skips.
As a fellow sufferer...
... I'm guessing you use the bank whose name is an anagram of Red Satan (with a leftover 'n')
Rapport - also Aaaaargggh!
My bank likewise push this at me every time I log on, and every time I say NO!
I did relent and try it for a week or so many months ago, but my browser (IE, as the bank would only accept IE at the time) slowed to a complete crawl on all sites. Uninstall, and performance returned to its old levels.
My bank wanted me to use it too
But I tried and it said it wasn't compatible with Opera.
As if I'd go back to IE to do my banking!
Everything seems to work perfectly well without it and I'm not sure what Rapport actually offers (besides taking up disk space and memory resources).
Would that be the same shite-orcs of a bank that doesn't do Faster Payments?
I have to say Rapport works for me and I'm presumably better off with it than without?
My bank makes me choose characters from a PIN by mouse, so that defeats keyloggers presumably. Though I guess one could monitor mouse pointer travel from the drop-down click to the selected character. I've always wondered why they don't randomise the position of the numbers in the drop-down every time.
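The partial-PIN scheme described in the post above, with the randomised dropdown order the commenter wishes banks would use, as an added example (not code from any bank, and not from Trusteer or the article). It assumes the server can recover individual PIN characters, which is a real trade-off of partial-PIN schemes (they cannot be stored as an ordinary one-way password hash); the function names, the six-digit PIN length, the three positions asked and the sample PIN are assumptions for illustration.

```python
"""Partial-PIN challenge with per-position shuffled dropdowns (added example)."""
import hmac
import random
import secrets

PIN_LENGTH = 6        # assumed PIN length
POSITIONS_ASKED = 3   # assumed number of positions the bank asks for
DIGITS = "0123456789"


def issue_challenge(rng=None):
    """Pick random PIN positions and a shuffled on-screen digit order for each.

    The challenge (positions + menus) is kept server-side with the session.
    Positions are 0-based here; a UI would display them as 1-based.
    """
    rng = rng or secrets.SystemRandom()
    positions = sorted(rng.sample(range(PIN_LENGTH), POSITIONS_ASKED))
    menus = []
    for _ in positions:
        order = list(DIGITS)
        rng.shuffle(order)            # fresh order per position, per challenge
        menus.append("".join(order))
    return {"positions": positions, "menus": menus}


def fixed_order_challenge(challenge):
    """Same positions, but every dropdown shows 0..9 in order (the weak variant)."""
    return {"positions": list(challenge["positions"]),
            "menus": [DIGITS] * len(challenge["positions"])}


def legitimate_clicks(pin, challenge):
    """What a genuine user would click: the index of each PIN digit in its menu."""
    return [challenge["menus"][i].index(pin[p])
            for i, p in enumerate(challenge["positions"])]


def verify_response(pin, challenge, clicked_indices):
    """Map each clicked index back through that position's menu and compare."""
    if len(clicked_indices) != len(challenge["positions"]):
        return False
    if any(not 0 <= idx < len(DIGITS) for idx in clicked_indices):
        return False
    supplied = "".join(challenge["menus"][i][idx]
                       for i, idx in enumerate(clicked_indices))
    expected = "".join(pin[p] for p in challenge["positions"])
    # constant-time compare so timing does not leak how many digits matched
    return hmac.compare_digest(supplied, expected)


def digits_inferred_from_clicks(challenge, clicked_indices):
    """What an observer who saw only the click indices (not the menus) learns.

    With the fixed-order menu the index is the digit; with a shuffled menu the
    observer needs the menu as well, so the indices alone are uninformative.
    """
    return [int(DIGITS[idx]) if challenge["menus"][i] == DIGITS else None
            for i, idx in enumerate(clicked_indices)]


if __name__ == "__main__":
    pin = "482913"                     # constructed sample PIN
    c = issue_challenge(random.Random(7))
    clicks = legitimate_clicks(pin, c)
    print("positions", c["positions"], "clicks", clicks,
          "verified", verify_response(pin, c, clicks),
          "inferred", digits_inferred_from_clicks(c, clicks))
```

The comparison with `fixed_order_challenge` shows why the shuffle matters: an observer who records only where the pointer travelled learns the digit directly when the menu is static, but nothing when the order changes per challenge. As the later post in this thread notes, this is still only a defence against pointer and keystroke logging; something hooked into the browser sees the submitted values regardless.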
Don't use it = fail
Every time I do online banking with the Eastern bank referred to above - I am sold a story about why I should for my own safety. I never have and never will - it is garbage and will not protect you from a determined hacker. And now it is shown that by installing it you actually attract attention to yourself because hackers know you do online banking and therefore are a target. So no - there are other solutions out there that hopefully the banks will soon wake up and realise that they have been hoodwinked by these large vendors plying outdated technologies
more effective, far less resource hungry.
Not like the bloatware rapport is.....
The bank I use that advertises Trusteer doesn't even have an EV SSL certificate (green bar)
This bank's site runs off an engine rather than how other banks I use do, so it's hard for me to see what third party code is injected, but if they are anything like Bank of America, PNC, etc... these banks always throw in third party code.
It would be like having a clown with balloons standing next to atms. Sure the clown with balloons may not be there doing anything wrong but would the clown really need to be there?
Same goes for tracking code inside of logged in areas of banking sites. Does it really need to be there?
Same goes for tracking code inside of logged in areas of banking sites
"Does it really need to be there?"
Sadly, yes. Same with any e-commerce, it's the most efficient way to get the MI you need to optimise the journey. Having said that, banks should only use web tracking tools they pay for, and so have some contractual fallback with the vendor. If you see Google Analytics inside a secure site - run!
I don't see why banks bother with third party tracking cookies, why not just parse their own logs? This will even catch people who block the third party cookies.
Those banks which require you to select characters with the mouse instead of typing them only offer very minimal protection... Sure, this will stop traditional keyloggers but you don't even need to detect mouse movements, if you were to hook into the browser you could capture whatever it sends. And don't think SSL will help here, if an attacker has sufficient privileges to run a keylogger on your machine he could also install browser plugins to log traffic before it gets encrypted.
In terms of actual useful protections, I think NatWest have a decent balance... You can log in using your PIN and password as usual, and you can send relatively small amounts of money to people you've already sent money to in the past or transfer it between your own accounts... But if you want to pay someone new, or send a large sum of money you have to use a little card reader to validate the transaction.
Although I haven't researched the card reader in detail, and would hope it's not based on something similar to RSA where a third party keeps a copy of all the keys.
The details of such systems should be open, but you have a lot of people who are of the mindset that keeping the details hidden will improve security... This is only true when the system is flawed anyway, and no matter how hard you try to hide flaws like that they will be found sooner or later. So I'm very wary of such systems; having not had any decent peer review there are likely many flaws waiting to be found, as shown with Rapport, where there are serious design flaws which were trivially found.
On the other hand systems like SSL and various encryption algorithms are well known, have been reviewed by many competent people and have been found to be pretty strong. I'm much more confident using a system which I know has been in the public eye and had competent people attacking it.
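The risk-based step-up the post above describes (small payments to known payees and own-account transfers go through on PIN and password; a new payee or a large sum needs a card-reader response), as an added example that is not NatWest's code or a description of how any real card reader works. It also carries the earlier point about browser hooking: the one-time code is bound to the destination and amount, so a code obtained for one transaction does not authorise a tampered one. The class names, the limits, the `transaction_code` construction (an HMAC over the transaction details, truncated to eight digits) and the sample card key are all assumptions for illustration.

```python
"""Step-up authorisation for payments, with a transaction-bound code (added example)."""
import hashlib
import hmac
from dataclasses import dataclass

# assumed policy: payments to known payees need no step-up up to this daily total
DAILY_UNVERIFIED_LIMIT_PENCE = 50_000   # £500, a constructed figure


@dataclass(frozen=True)
class Payment:
    destination: str      # sort code + account number, as one string
    amount_pence: int


@dataclass
class Account:
    own_accounts: frozenset        # the customer's other accounts
    known_payees: frozenset        # payees previously paid from this account
    spent_today_pence: int = 0     # running total of unverified payments today


def requires_step_up(account, payment):
    """Decide whether a second factor is needed, per the policy above."""
    if payment.destination in account.own_accounts:
        return False                                   # moving own money
    if payment.destination not in account.known_payees:
        return True                                    # new payee
    if account.spent_today_pence + payment.amount_pence > DAILY_UNVERIFIED_LIMIT_PENCE:
        return True                                    # large / cumulative amount
    return False


def transaction_code(card_key: bytes, payment: Payment, nonce: str) -> str:
    """Eight-digit code a card reader would compute from the details it displays.

    Binding destination and amount into the MAC is what defeats a hooked browser
    that swaps the destination after the customer has read the screen.
    """
    msg = f"{payment.destination}|{payment.amount_pence}|{nonce}".encode()
    mac = hmac.new(card_key, msg, hashlib.sha256).digest()
    return f"{int.from_bytes(mac[:4], 'big') % 10**8:08d}"


def authorise(account, payment, card_key, nonce, response=None):
    """Return 'APPROVED', 'STEP_UP_REQUIRED' or 'REJECTED'.

    On approval of an unverified payment the daily running total is updated.
    """
    if not requires_step_up(account, payment):
        account.spent_today_pence += payment.amount_pence
        return "APPROVED"
    if response is None:
        return "STEP_UP_REQUIRED"
    expected = transaction_code(card_key, payment, nonce)
    if hmac.compare_digest(response, expected):
        return "APPROVED"
    return "REJECTED"


if __name__ == "__main__":
    acct = Account(own_accounts=frozenset({"11-11-11 00000001"}),
                   known_payees=frozenset({"22-22-22 00000002"}))
    key = b"constructed-card-key"          # stands in for the card's secret
    pay = Payment("33-33-33 00000003", 12_000)   # new payee
    print(authorise(acct, pay, key, "nonce-1"))                       # STEP_UP_REQUIRED
    code = transaction_code(key, pay, "nonce-1")
    print(authorise(acct, pay, key, "nonce-1", code))                 # APPROVED
    swapped = Payment("44-44-44 00000004", 12_000)                    # tampered destination
    print(authorise(acct, swapped, key, "nonce-1", code))             # REJECTED
```

The `swapped` case is the point of binding the code to the transaction: a keylogger or browser hook that captures the eight digits gains nothing reusable, because the server recomputes the code over the details it is actually being asked to execute. Whether a given bank's reader does this is exactly the kind of detail the post argues should be published and reviewed.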