Skip to main content

Trusteer's Response to Issues with Rapport

I have been getting a lot of hits on this blog relating to Trusteer's Rapport, so I thought I would take a better look at the product. During my investigations, I was able to log keystrokes on a Windows 7 machine whilst accessing NatWest. However, the cause is as yet unknown as Rapport should be secure against this keylogger, so I'm not going to share the details here yet (there will be a video once Trusteer are happy there is no further threat).

I have had quite a dialogue with Trusteer over this potential problem and can report that their guys are pretty switched on, they picked up on this very quickly and are taking it extremely seriously. They are also realistic about all security products and have many layers of security in place within their own product. No security product is 100% secure - it can't be. The best measure of a product, in my opinion, is the company's response to potential problems. I have to admit that Trusteer have been exemplary here.

Why do I keep saying it's a potential problem when I have logged keystrokes? Well, under normal operating conditions this isn't possible with the keylogger used. Most home users won't have a machine set up like the test machine in this case.

Trusteer have also pointed out that keyloggers are not the main threat facing the banks at the moment and are of less use now than in the past. Rapport has several layers of security protecting the machine beyond keyloggers and blocking screen capture. One of he major plus points about Rapport is their anti-phishing and anti-pharming technologies. Although, again, these aren't perfect, it's better than nothing.

I don't agree totally with Trusteer here though. The problem with being able to log typed characters comes back to weak passwords and single-factor authentication. In this case, NatWest seem to require a customer ID, consisting of the user's date of birth and a 4 digit ID in the format ddmmyyxxxx, a 4 digit PIN and only a short password. Now, they will let any Customer ID through in this format whether it's valid or not (good from a security point of view as you don't know if you've got a valid Customer ID or not). However, clearly they allow 6 character passwords and then ask for three of them. So with one capture I can have 3 out of 4 PIN digits and half the password. We know people choose weak passwords that can be guessed. This becomes a crossword puzzle to make a 6 character password given three known characters. I would agree with Trusteer that keyloggers and screen capture shouldn't be a problem now, but it still is, as the banks cling onto simple username and password authentication, often with poor password policies.

If the banks move to 2-factor authentication and one-time passwords then most of this would be redundant, and Trusteer could concentrate on pushing us off to the correct site to avoid phishing and pharming attacks. Of course, these will become even more prevelant and sophisticated. Technology can't stop this alone, it has to be coupled with user education. Screen capture can still cause problems with strong authentication solutions, such as those using images or on-screen grids to generate one-time passwords.

So, what's the bottom line? Since my earlier posts, Rapport has come a long way with compatibility, etc. The tone of the marketing has also changed for the better and is more realistic (although some of the 44 partner banks could be doing more). So Rapport could be an additional layer of security to protect you, but you will still have to be vigilant. You must have an up-to-date, legitimate anti-virus/anti-malware product, firewall protection, tight controls on your browser and a cautious and skeptical approach to all communiations and links. Without these, Rapport isn't going to help you anyway.

Edit: video in later post - Keylogging Trusteer's Rapport

Comments

  1. Hi Luke,
    One thing I dont understand is, why dont the browser do the job itself, rather than need to install this plug-in?
    Thanks

    ReplyDelete
  2. In some ways the browsers do help, if the organisation has used an EV SSL Certificate (Extended Validation), as the browser bar will go green and you can check that it is the expected site. However, how many people actually check the certificate of the site they're visiting? The most they'll do is check for a padlock, but this could be any site, that just says that the link is encrypted.

    What Rapport tries to do is check this for you and change to the real site if this isn't the right one. What it also tries to do is protect you from Trojans (which your anti-malware and sensible browsing habits should have stopped from infecting your machine in the first place) and injection attacks. Unless a browser is familiar with the site you’re navigating to, it can’t really stop injection attacks, as it doesn’t know what should have been there in the first place. One ‘simple’ way round this would be to add a digital signature to each web page and have the browser automatically check it – not infallible, but extremely hard to circumvent if properly implemented.

    ReplyDelete
  3. I downloaded Trusteer Raport on the advice from my Bank, only to have it crash Safari. Safari just would not operate. Used Time Machine to clear the system of Rapport, and all was OK. Spoke to Trusteer about the problem, and was told that they are working on it for Mac.
    The situation now is that I again downloaded Rapport, happy to report no further problems with Safari, but Rapport only works when the computer is on, and has to be downloaded every time that I want to access the Bank site. Just a bit tedious!

    ReplyDelete
  4. I have also had problems with my Windows 7 computer becoming very sluggish after installing Rapport, I have uninstalled it and now have no probems.
    The other problem with this approach is it is confusing for users, we shouldnt have to be researching downloading installing/uninstalling extra bits of "securit" software, that may themselves offer additional security holes for all we know.
    If the banks think that there is a software fix to a current security issue I believe they should work with current security software companies to provide this, so users do not have to decide whether to install another (possibly incompatible) piece of security software.
    Personally I think a much better solution is dynamic (one-use)passcodes created by the users bankcard. Eg Visa Codesure:
    http://www.computeractive.co.uk/computeractive/video/2267120/first-looks-visa-codesure

    This would be pretty invulnerable to malware. the only question i have is if someone gets hold of your card they might be able to see which numbers on the keypad are the most worn, and be able to guess the PIN. which they could then use in a cash machine for example.

    ReplyDelete
  5. I can’t really comment on the performance of your machine other than to say every extra bit of security on your system will have an impact on performance (although each one shouldn’t be significant on its own). With regards to security holes of Trusteer’s Rapport – no software can be 100% secure. However, I am reasonably convinced that Rapport doesn’t introduce any additional security holes and I have tested it.

    Current security software companies (I assume you mean AV providers) don’t focus on the specific threats that banks face and don’t necessarily react quickly enough. Also, these AV products are not as secure as you might think. Actually, they probably let through more malware than Rapport in certain circumstances. Have a look at my post on ‘How secure is your AV Product?’ Signature-based products will always be susceptible to engineering malware to evade detection – I can try it against all the major vendors before I release it and recompile until they don’t detect it. Rapport works in a different way, by blocking access to drivers, etc., rather than trying to detect the malware. I have spoken to Trusteer’s CEO and they are very committed to shutting down the malware authors and botnets. Unfortunately, the criminals have deeper pockets than the security companies.

    Finally, neither the SmartCards banks use nor their One-Time Passcodes are totally secure. Cards can be cloned, despite what the banks say. Also, a one-time passcode is still susceptible to a Man-In-The-Middle attack, so I can inject any traffic and additional transactions I want into your session for a start. They also don’t stop me from publishing a phishing or pharming site. I can just accept any response ‘one-time passcode’ from you without having to understand it. Also, the passcodes that the banks use are predictable and any keypad can be used with your card, not just the one they sent you. These codes also don’t stop me from being able to capture screenshots of your bank details and transactions or keystrokes. In fact, if I recorded your online banking session I could probably get enough information to impersonate you to your bank.

    One final note about the PIN on your card, you don’t need it to make transactions on that account (I also don’t need your PIN if I clone your card).

    ReplyDelete

Post a Comment

Popular Posts

Coventry Building Society Grid Card

Coventry Building Society have recently introduced the Grid Card as a simple form of 2-factor authentication. It replaces memorable words in the login process. Now the idea is that you require something you know (i.e. your password) and something you have (i.e. the Grid Card) to log in - 2 things = 2 factors. For more about authentication see this post . How does it work? Very simply is the answer. During the log in process, you will be asked to enter the digits at 3 co-ordinates. For example: c3, d2 and j5 would mean that you enter 5, 6 and 3 (this is the example Coventry give). Is this better than a secret word? Yes, is the short answer. How many people will choose a memorable word that someone close to them could guess? Remember, that this isn't a password as such, it is expected to be a word and a word that means something to the user. The problem is that users cannot remember lots of passwords, so remembering two would be difficult. Also, having two passwords isn't real

How Reliable is RAID?

We all know that when we want a highly available and reliable server we install a RAID solution, but how reliable actually is that? Well, obviously, you can work it out quite simply as we will see below, but before you do, you have to know what sort of RAID are you talking about, as some can be less reliable than a single disk. The most common types are RAID 0, 1 and 5. We will look at the reliability of each using real disks for the calculations, but before we do, let's recap on what the most common RAID types are. Common Types of RAID RAID 0 is the Stripe set, which consists of 2 or more disks with data written in equal sized blocks to each of the disks. This is a fast way of reading and writing data to disk, but it gives you no redundancy at all. In fact, RAID 0 is actually less reliable than a single disk, as all the disks are in series from a reliability point of view. If you lose one disk in the array, you've lost the whole thing. RAID 0 is used purely to speed up dis

Trusteer or no trust 'ere...

...that is the question. Well, I've had more of a look into Trusteer's Rapport, and it seems that my fears were justified. There are many security professionals out there who are claiming that this is 'snake oil' - marketing hype for something that isn't possible. Trusteer's Rapport gives security 'guaranteed' even if your machine is infected with malware according to their marketing department. Now any security professional worth his salt will tell you that this is rubbish and you should run a mile from claims like this. Anyway, I will try to address a few questions I raised in my last post about this. Firstly, I was correct in my assumption that Rapport requires a list of the servers that you wish to communicate with; it contacts a secure DNS server, which has a list already in it. This is how it switches from a phishing site to the legitimate site silently in the background. I have yet to fully investigate the security of this DNS, however, as most