A number of readers recently have written in to say their banks have urged customers to install a security program called Rapport as a way to protect their online bank accounts from fraud. The readers who pinged me all said they didn’t know much about this product, and did I recommend installing it? Since it has been almost two years since I last reviewed the software, I thought it might be useful to touch base with its creators to see how this program has kept pace with the latest threats.
The basic elements of Rapport, designed by a company called Trusteer, haven’t changed much. As I wrote in May 2008, the software works by assuming control over the application programming interfaces, or APIs, in Windows: the set of tools that allows software developers to create programs that interact with key Windows functionality.
From that 2008 piece:
“Some of today’s nastiest data-stealing malware works by hijacking these Windows APIs. For example, keyloggers simply hijack or ‘hook’ the Windows API that handles the transmission of data from user interfaces, such as the keyboard and mouse. A more advanced type of malware – known as a ‘form grabber’ – hijacks the ‘WinInet’ API – which sets up the SSL (think https://) transaction between the user’s browser and the encrypted Web site. By hijacking this API, a form grabber can rip out usernames and passwords even when the user is submitting them into a site that encrypts the data during transmission, because it grabs that information at the lower level of the operating system, before it is encrypted.
Trusteer’s software examines these and other vital Windows APIs to see if any other process is trying to intercept sensitive data. It then blocks those that do.”
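The check described above, verifying that nothing has redirected a vital API, is what a hook scanner does at each function’s entry point. As an added example (not code from the original post or from Trusteer), the C below classifies the first bytes of a 32-bit API prologue as clean or as one of the common inline detour patterns, resolves the detour target, and asks whether that target leaves the module’s own image. The function address, module range and byte sequences are constructed for illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
/* An inline API hook overwrites the first instructions of an exported
 * function with a redirect to code elsewhere. A hook checker reads the
 * bytes at the entry point and classifies any redirect it finds. */
enum hook_kind {
    HOOK_NONE = 0,   /* prologue untouched */
    HOOK_JMP_REL32,  /* E9 rel32           */
    HOOK_JMP_IND,    /* FF 25 [abs32]      */
    HOOK_PUSH_RET,   /* 68 imm32 ; C3      */
    HOOK_MOV_JMP_REG /* B8 imm32 ; FF E0   */
};

/* Hot-patchable 32-bit Windows API prologue: mov edi,edi ; push ebp ; mov ebp,esp (constructed). */
static const uint8_t k_clean_prologue[] = { 0x8B, 0xFF, 0x55, 0x8B, 0xEC };

/* Constructed example of the same entry point after an inline detour:
 * JMP rel32 to 0x10001000 when the function lives at 0x77A01000. */
static const uint8_t k_hooked_prologue[] = { 0xE9, 0xFB, 0xFF, 0x5F, 0x98 };
static const uint32_t k_fn_addr = 0x77A01000u;

/* Classify the bytes at an entry point. fn_addr resolves a relative jump;
 * *target receives the detour destination (or pointer slot) when known. */
enum hook_kind classify_prologue(const uint8_t *code, size_t len,
                                 uint32_t fn_addr, uint32_t *target)
{
    uint32_t imm = 0;
    *target = 0;
    if (len >= 5 && code[0] == 0xE9) {
        memcpy(&imm, code + 1, 4);
        *target = fn_addr + 5 + imm;      /* wraps mod 2^32, as the CPU does */
        return HOOK_JMP_REL32;
    }
    if (len >= 6 && code[0] == 0xFF && code[1] == 0x25) {
        memcpy(target, code + 2, 4);      /* address of the pointer slot */
        return HOOK_JMP_IND;
    }
    if (len >= 6 && code[0] == 0x68 && code[5] == 0xC3) {
        memcpy(target, code + 1, 4);
        return HOOK_PUSH_RET;
    }
    if (len >= 7 && code[0] == 0xB8 && code[5] == 0xFF && code[6] == 0xE0) {
        memcpy(target, code + 1, 4);
        return HOOK_MOV_JMP_REG;
    }
    return HOOK_NONE;
}

/* A jump that stays inside the module's own image may be a legitimate
 * hot-patch; one that leaves the image is the mark of a detour. */
int target_outside_module(uint32_t target, uint32_t base, uint32_t size)
{
    return target < base || target >= base + size;
}

/* Compare live entry bytes against a trusted copy, e.g. the on-disk image. */
int prologue_matches_reference(const uint8_t *live, const uint8_t *ref, size_t n)
{
    return memcmp(live, ref, n) == 0;
}
int main(void)
{
    uint32_t t;
    int k = (int)classify_prologue(k_hooked_prologue, sizeof k_hooked_prologue, k_fn_addr, &t);
    printf("kind=%d target=0x%08X outside=%d\n", k, t, target_outside_module(t, 0x77A00000u, 0x100000u));
    return 0;
}
```

A real scanner would read the live bytes out of the target process and the reference bytes from the DLL on disk; the constructed arrays stand in for both here.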
I spoke last week with Trusteer CEO Mickey Boodaei about his company’s software, how it has changed over the years, and what’s new about it.
BK: A lot of customers are being asked to download the software and don’t know much about Trusteer or Rapport. One customer who wrote in banked at BBVA, and another was with Fifth Third. Both banks very recently had multiple customers lose hundreds of thousands of dollars to the sort of online banking fraud I’ve been writing about lately.
MB: Well, the more press coverage we get, the more it will help build familiarity with our brand among consumers.
BK: Since we last talked, you were working with just a handful of banks — such as ING. Can you talk about how the business has grown and who you’re partnering with now?
MB: Over the last year in the U.S., we’ve been seeing a significant change in the amount of interest we’re getting from banks, especially around business banking. It looks like banks are getting really worried about it, as many have seen fairly significant fraud losses. Right now in North America we have around 50 banks using our technology, and a few others in the United Kingdom.
Read on after the jump for my thoughts on this software, and a discussion of some of the malware that specifically targets Rapport.
BK: So in a nutshell, what does your company do for the banks you work with?
MB: For each bank we sign, we analyze older fraud incidents and find which malware variants are attacking them and their customers. We then make sure we have multiple layers of protection on the server side that can address these threats.
BK: Are you working with any banks that are making your software mandatory as a prerequisite for online banking?
MB: We do have a couple of banks that have recently signed and plan to make it mandatory for business banking.
BK: Can you say which ones?
MB: Not right now. They’re not big banks; each has about 5,000 to 10,000 business customers. So we’ll kind of experiment with that. But currently we’re not recommending that our customers make it mandatory.
BK: Why not?
MB: Well, based on how it goes with these two banks, we may change our approach. The main reason is that we don’t want this to be perceived as something that is being forced on customers. That generates a negative vibe with customers and we really don’t want that. We want to push banks to educate their customers about the problem.
BK: I noticed there were several recent malware samples that attack or disable Rapport. Did you think your software would become a target at some point?
MB: Definitely, that was one of the key assumptions we had: that if we are successful in blocking malware from committing fraud, we’ll become a serious target for criminals. We are seeing targeted attacks coming from serious organized crime that are trying very hard to find ways around our solution.
BK: If I install Rapport and bank at an institution that also uses it on their end, what can I expect?
MB: Our software integrates into the bank’s site and communicates with the [Rapport] software installed on customer machines, and the two of them can work together so that the bank can effectively measure what the software does on the customer’s desktop. Whenever the customer logs into the bank’s site, the bank knows whether Rapport is there, whether it’s up to date, whether it’s been attacked or compromised.
BK: So your software ships updates, sort of like an anti-virus solution?
MB: We’re basically pushing updates almost on a weekly basis. These are not signature updates, but updates to our security mechanisms, to the way the product works.
BK: So you’re fairly confident your software can detect and block most of the attacks we’re seeing from things like the ZeuS Trojan and other sophisticated threats?
MB: With ZeuS we have multiple layers of protection. Obviously, the core technology is to prevent ZeuS from entering the browser in the first place. On top of that, we’ve added a few layers of protection in the last couple of years, so that we prevent ZeuS from being downloaded to the customers’ machines, and we prevent the installation of ZeuS.
But take a look at the main solutions out there to combat these threats — anti-virus software. The detection for things like [the latest, most advanced versions] of ZeuS by anti-virus software dropped from like 50 percent to close to zero, because the [ZeuS author] changed everything so that even after it’s installed, it looks completely different from one computer to another.
That said, our software is not a silver bullet to anything. It’s not going to solve all the problems that the banks and industry have. But we do believe that it adds real value, especially when integrated into a bank’s bigger fraud detection mechanisms.
ANALYSIS
Trusteer’s product certainly raises the bar for malware writers, and forces them to deploy Rapport-specific attacks to plant malicious software on a user’s PC. Spanish security firm S21sec said recently it had confirmed in lab tests “that ZeuS cannot grab any data in a machine where this software is installed. Unfortunately, the ZeuS guys haven’t just been lazing around; in one of the latest samples of the Trojan, we have seen how ZeuS, right after infecting a computer, downloads and executes a second file whose purpose is to render useless this software.”
Nevertheless, I think Rapport would be a decent, low-impact addition to the security of any PC user banking online with Windows. But I’m a bit on the fence about recommending this for businesses, mainly because companies that lose money due to stolen online banking credentials are almost always on the hook for those losses. Increasingly, though, victimized businesses end up suing their banks to recover some of the losses, usually arguing that their banks should have done more to detect the fraud.
In these cases, a critical legal question that often arises is whether the thieves compromised the customer’s system or that of the bank. I mention this because Trusteer recently built a new component into Rapport called Flashlight, which tries to give partner banks the ability to remotely check whether their customers’ systems are infected with malicious software. Whether the banks will proactively use that feature to stop online banking fraud is unclear, but such a feature would make it tougher for small and mid-sized businesses that lose money to online bank fraud to claim that their computers weren’t the sole cause of the loss.
Small to mid-sized businesses probably would do better to rely on a Live CD approach on PCs used for online banking. More information on this method is available here and here.
As an account holder of a bank that recently recommended the installation of Rapport, my biggest frustration was that all of the links offered to provide more information were very simple marketing speak. They offered little information of what the program is, does, what it affects on the system, if it has any compatibility issues, or how it functions. Even a pharmacist will describe core benefits and side effects to watch for with a prescribed medicine.
I was asked on faith to install this program, and I couldn’t based on the information provided.
So the bigger question is, do we need to be persuaded, informed, or mandated to use these programs? How long until the equivalent of a DAT file issue or do-good-rootkit-gone-wrong results from ill-informed software installations? If Krebs is on the fence, am I over-thinking this, or do we need the masses to just follow along?
Making it mandatory seems a very bad idea; what does a customer using a Mac do to use online banking? How about an iPad, a BSD box, Linux box, etc?
I agree. The liveCD is a much more convenient and inexpensive option than a separate Windows computer. I would definitely have to leave any bank that decided to dictate my OS.
It’s nice to hear that some banks are looking at online banking security more seriously, but I won’t celebrate until they leave behind the webmail-level security. The dropdown list of public-record “security questions” is a dealbreaker for me.
There is a Mac version of Rapport and my bank (HSBC in the UK) strongly recommends it. From memory, the download link did detect that I was on a Mac and gave me the Mac version, which I was pleasantly surprised by.
There is no Linux version or any other version at all.
I used Rapport for a little while but I found the large advertising icon in the Firefox menu bar annoyed me.
I accidentally checked dislike while I was trying to check Like.
I voted “like” for you to even things out
Don’t want another piece of software attempting to interject itself into Windows functionality in order to monitor for possible malware. That’s what Antivirus is supposed to do and it’s NOT very good at it (reason why it should NEVER be used as a primary defense).
I try to LIMIT the software installed on my systems to reduce their attack surface while implementing a defense in depth strategy. Even with those defenses, the biggest one is sitting behind the keyboard.
Also, the frequent program updates raise some concern. Do they require admin to install? Does the program itself require admin to run?
This is a slippery slope for banks. I don’t want them dictating to me what software I need on my computers in order to use their online banking. If so, I’ll take my business elsewhere or stop online banking altogether.
It is my responsibility to secure my end. I take that very seriously! Others would be wise to follow suit. It will only benefit them. Don’t rely on someone else to protect you.
On a Windows OS, modern malware does not require an entry in the process execution table to run. In a similar vein, they also do not need to invoke platform services through the API; they just need to locate the base address of the relevant loaded module (not hard even with ADSR) and execute microcode at a pre-known offset.
The net-net of this is that any protection software that *attempts* to intercept modern malware through API hooking or PET monitoring is entirely blind to what’s actually going on, although it will help against vintage threats.
Wrt
When I first looked into this project it looked great.
In practice I don’t really see this as a viable long-term solution. It’s subject to almost the same issues that AV faces, with a few benefits. It also effectively trains your users to install unknown software from their banking website. I can’t say I care for the delivery mechanism; it creates a precedent of customers installing “security” software that they have little to no knowledge about.
That being said I like the idea that companies are beginning to assume the client is compromised and building their security around that staple. They have the right idea, and they are a company I will watch, but I am not sure this specific implementation is one I would purchase…
The thing that scares me about this is what this type of thing will do for application compatibility. I have seen numerous instances where some third party thing like this hooks into various executables, and breaks our software. Then we have to waste time debugging the thing and figuring out which 3rd party piece of crap is responsible, and then have our customer uninstall the thing.
Am not a PC geek but looked for reviews on Rapport as one of my banks offers it. Found gripes on difficulty in uninstalling Rapport. Uninstall is not described on trusteer.com. I’ve passed on it so far.
I don’t see why we should place much trust in the Rapport software. There are few technical details on how it works; mostly marketing-speak. There is no independent security evaluation by a technical security expert. What little information that is available sounds like Rapport is likely to offer rather weak security. Moreover, there are fundamental reasons to believe that this is, in the end run, a losing approach to the malware problem. Surely this can’t be the best advice we can offer to people doing online banking!
P.S. I would take the banks seriously if they started to offer to indemnify customers who used Rapport and got hacked, or if Trusteer offered to indemnify people who used their software. But obviously nobody is offering to do that; we’re supposed to take their word on it that it will help, but who knows? The incentives are not aligned here.
Unfortunately, it conflicts with Sandboxie.
http://consumers.trusteer.com/sandboxie
http://www.sandboxie.com/index.php?KnownConflicts#rapport
see also:
Trusteer Rapport And Sandboxie
http://www.wilderssecurity.com/showthread.php?t=267229
Brewt — thanks for the information. I wasn’t aware of that. Very useful.
My comment pertains to the last sentence of today’s article. I really enjoyed Brian’s tutorial on creating a LiveCD for Internet Banking. This past week, I have been working on creating a LiveCD that anyone can use without the fear of installing Linux on their Windows PC by mistake.
My opinion is that the LiveCD distro http://webconverger.org/ is the best LiveCD for Internet Banking. It worked better for Internet Banking than the other Linux LiveCDs that I tried.
I had no trouble going to my Internet Banking sites. I love that Flash is preloaded. It is so easy to use that my Mom could use it. To shut off Webconverger, I just had to press the power button. I love the fact that there is no way that a user could inadvertently install Linux on their hard drive (Ubuntu, PCLinux and others with “install” options).
Other features of webconverger include a pdf viewer and shortcut keys: CTRL-plus and CTRL-minus for controlling the font size, CTRL-T and CTRL-W for creating and closing tabs, CTRL-K to get to the search form, and CTRL-L for moving to the address bar.
There are many LiveCDs available but for one reason or another I could not recommend these LiveCDs. Ubuntu and PCLinux LiveCDs worked fine but I found the install options too risky. My attempt to customize my Ubuntu LiveCD wasn’t successful (I am still trying). Knoppix is a good LiveCD but it wasn’t as well suited for Internet Banking as webconverger. This LiveCD contained many tools that make it more complicated to use than Webconverger.
I am going to send a webconverger LiveCD to a few friends that use Internet Banking for their small businesses. I recommend that Brian’s readers check it out.
Looks nice! I tried using it from VMWare Player (used EasyVMX.com to make the VMX file) and it was very fast to launch. Maybe a good way to avoid man-in-the-(Windows-based)browser risks.
What is the size of the download? We have a medium speed Internet connection in a rural area, perhaps only 5-10 times faster than dial-up.
Thanks
Yes, I’ve the same download-speed issue so I went and looked and if I remember right, webconverger is ~227 MB while puppylinux is ~105 MB so I’m sticking with puppy. 2 puppy problems I ran into are Toshiba sound-chip softmodems won’t work with linux and couldn’t multi-session on a CD but have yet to try a DVD. A bit frustrating at times but I learnt a few things along the way and well worth the effort now that it’s working! I’ve also tried BitDefender’s Rescue Disk (~250 MB, think knoppix); it took a long time to boot and eventually hung up with a black screen so I gave up. It ain’t all roses. Bon chance!
The “best” anything is often fairly subjective. Personally, I prefer Puppy Linux, and have described how to set it up in:
http://www.ciphersbyritter.com/COMPSEC/PCSECBAN.HTM
Some of the cited webconverger advantages come with the Firefox browser which I also add to Puppy. Installing a range of add-ons can be helpful. For example, the “NoSquint” add-on will adjust both page and font size for each site, and use that when the site loads again. The security add-on “Safe” paints a colored border around a site display when SSL security has been established. “NoScript” provides multiple forms of JavaScript protection. And add-ons like “Certificate Patrol” and “Perspectives” actually support detection of man-in-the-middle attacks on SSL.
It is certainly true that Puppy Linux can be installed on a hard drive (although no hard drive is necessary) or flash drive, and both options would be wrong in a security context. But the Webconverger site says: “It is best to use Webconverger from an inexpensive USB stick…,” which is also wrong for security.
The big advantage that Puppy brings is the ability to write changed files to a new DVD “session,” and then load those files with the next boot. This update process allows Firefox, the add-ons, and everything else to be updated for improved security. Saving the new stuff is under control of the operator. We can prevent all unexpected DVD writes simply by removing the DVD immediately after boot. Puppy resides in RAM and does not access the DVD in use.
The deeper one gets into any of these packages, the more issues one finds. The Puppy I describe has many irritating problems. Just enough works to support a secure on-line environment, but that is all it takes. Actually using a system which does not allow updates seems almost unacceptable.
Paul — To answer your question, no, I didn’t get paid for this. I don’t do pay-to-play, and I don’t do sponsorships, unlike many other tech pubs that play in this beat.
Interesting that you thought this was a paid post somehow. I thought it was pretty fair. The truth is that the effectiveness of this tool likely depends on how much the banks pay attention to the information they’re getting from customers who are using it.
The lack of details provided for this product do seem at odds with the request to download it and use it for such a sensitive purpose. However, it seemed worth a try.
After playing with it a bit I see that I am able to protect any site by simply clicking on the Rapport arrow next to my address line. Wow! just like magic, I click on the arrow, it turns green and says I am now protected. It certainly has some marketing appeal.
While this tool may be a good layer, banks should still assume that their customers are entering from malware-infected machines and architect their applications accordingly. This type of requirement should find its way into every single RFP that banks send out for online banking applications.
If malware can walk in through the front door and hook into system APIs (that should be protected but of course are not – this is Windows) then it won’t take them long to figure out how to disable Rapport as well. More snake oil?
One of our banks in ZA recently pushed this software out. It is a seriously invasive program. The brief analysis I did of it on my Mac showed it deploying a keylogger and communicating back. My biggest worry was related to privacy. Given the software sends (for example) lists of phishing sites visited back to the bank (via Rapport), how are they anonymizing non-security-related traffic?
I installed this when recommended by my bank. It appears to function as advertised but it’s too invasive in my opinion. It started telling me that my password program (Password Manager XP) is malware, then my antivirus program complained about it, its footprint is not small (43,000 K or more at times) and the number of files/folders it creates in the temp directory is not pretty. The interface is reasonably intuitive and I was able to make it work nicely with everything. But I decided to remove it after watching its memory usage creep and seeing the reports, when I realized its interaction with pretty well EVERYTHING I do. I don’t like the infringement on my privacy. Not easy to install either … you have to do it in safe mode, as the documented procedure through Add/Remove Programs did nothing.
Should say UNINSTALL
… which I have done.
re:
Not easy to install either … you have to do it in safemode as the documented procedure through add remove programs did nothing
I installed Rapport on my computer and the next time I turned it on it wouldn’t work. It started up and let me log in, but as soon as Windows was completely open, it would say there was a problem with Windows (XP) and it had to close. I was unable to reinstall Windows and have taken it to a computer repair shop. Installing Rapport was the only change I made to my system prior to having this problem.
I lost money (cleaned out) after clicking on the Trusteer link on Standard Bank’s Login site. It seems that Trusteer was hijacked and used to perpetrate this crime.
I will never use it again!
Oh, and no feedback or contact from Standard Bank!!
I have a new Mac. I was told by Apple that I didn’t need anti-virus software, but I would like to install one that will be compatible with the Mac and the Trusteer software my bank asked me to download. My bank will not recommend any AV software; has anyone found a good one to work with Mac and Trusteer?