'Rapport' Security
For those people interested, Rapport was covered in a recent Security Now podcast episode and it was actually given quite a glowing review:-
http://www.grc.com/sn/sn-220.txt
LEO: Question 2, Paul in London, Ontario, Canada wonders about making online banking safer. He says: Hello, Steve and Leo. Long-time listener. Love the show. You both are doing a great service, and I appreciate your podcast every week. Thank you very much, Paul. My question is my bank is offering a program called Rapport by Trusteer to help protect my online banking transactions. I was just wondering if you have any information you could share about the program, and if it's needed when I do my online banking. It raises the question of why is my bank offering this? Don't they think their security measures are enough? The bank I use is President's Choice Financial in Canada. Thanks in advance if you use my question on the show. You guys are great...
<snip OT digression>
STEVE: ...this Rapport by Trusteer is something I've run across a few times. And it's interesting. It's an alternative to what we've been talking about. We've been talking about the fundamental problems of the browser and server security. So this Trusteer is a company that's a third-party offering that hardens browsers on behalf of their clients. In this case their client is the bank. So the bank offers this Rapport service. And essentially it is a plug-in, a toolbar that you add to your browser. And what it does is it basically does everything they can think of for hardening your browser.
For example, it's very much like sort of now we have in the most recent browsers we've got private browsing where history of the things we do are not left behind on the machine. Nothing is written to the hard drive or into the file system, but it's kept in RAM. They actually - they have some DNS hardening technology so that you're not prone to DNS spoofing. They don't go into great technical detail about what they've done. But they make it very clear that they understand that the openness of the APIs in our contemporary browsers, which is what allows toolbars to know where you're visiting and what you're typing, you know, those kinds of APIs are being leveraged by hackers in order to gain access to what you're doing.
So this is a very good thing. This is something, when Paul asks why is my bank offering this, don't they think what they're doing is enough, I would argue that the bank recognizes they don't have the kind of control over the other end of their connection. They can have a super-secure server and have their end all bolted down really well. But if the user's got malware in their computer that's doing keystroke logging and things, basically the bank is having to rely upon the integrity of the browser which they're using to interface to them. So I like this idea. Instead of, for example, the bank developing their own wacky individual application to talk to them, they're saying, okay, we're going to use a third party who's got all the technology, bringing this technology to the table of hardening the browser. So I think it's a great thing. And they've got a whole bunch of banks that are lining up behind them and using this technology. So...
LEO: This is good. I didn't realize when you mentioned it. This sounds like something really good.
STEVE: Yes. I mean, this is a beautiful reaction to the fundamental problem that we've been talking about for the last couple weeks of the whole browser model just being prone to abuse. And so these guys are coming along and saying, okay, we're going to - they use words like "vault" and so forth to say we're not letting your data escape through the browser APIs, where the openness of the API is normally something that allows you to leverage the power of the browser, because in this case you don't want openness. You want this thing to be closed and bolted down while you do banking. And so this is an add-on for browsers. I think it sounds great.
LEO: Yeah, I'm kind of a fan of sticking to your knitting. And if somebody's really good at security, they become the people who do it; right?
STEVE: [Laughing] Sticking to your knitting.
LEO: Sticking to your knitting. The bank should do what it does best. Every bank cobbling a solution together is not a good idea. I think you're exactly right.
STEVE: Exactly.
LEO: And then we only have to vet one solution and feel secure with that.
STEVE: Yup.
LEO: That seems like a good way to go.
-
I also read my HSBC on-line message. I remain as sceptical as many on this thread. Rapport may well be a good thing for Mr. Average who seems to click on anything and is taken in by phishing emails. But for somebody who is pretty conversant with their computers and security, doesn't visit nasty sites, and more importantly doesn't use the two evils of Internet Explorer and Outlook Express it is just another thing on your computer sitting there doing nothing but using resources.
I have Avast AV on my XP machine but it has never ever found anything and I don't think it ever will. Spam is deleted by Avast, I browse with Opera (although I have to use Foxit for HSBC banking because of various compatibility issues) and Pegasus Mail for email. No Adobe reader (I use Firefox) although I do have Flash Player (and HSBC have a flash movie on their homepage...). Never ever been infected with anything...
I hope the suggestion this will never be made compulsory is true. You should also note that HSBC offer McAfee for download, another program which some people refuse to have anywhere near their machines.
-
The only security software I use is Microsoft Sec Essentials. Do I need to use Rapport? As no other online bank recommends this?
-
What version of Windows are you running? Do you log in to an Administrator or Limited User account? Do you connect to the internet through a router or a modem? Do you ever click links in e-mails? Do you always check the security certificate of online banking sites before logging in?
Windows version: XP on desktop and Win7 on laptop
Internet connection : yes wired and wireless connections
Clicks: no unless it's a trusted link, but never bank links
certificate check: where do you check this?
-
The only security software I use is Microsoft Sec Essentials. Do I need to use Rapport? ....
/googler - just to clarify, no, this is not an official HSBC or first direct statement, these are my personal views, but because of where I work I do know what I am talking about (most of the time). As david78 and popmacca kindly suggested I was just trying to clear up what sounded like some misunderstandings...
Have a good weekend all :beer:
-
certificate check: where do you check this?
As david78 posted earlier in the thread, you can just click the site icon to the left of the address bar. Most banks use extended validation certificates - for an example, see the graphic at http://en.wikipedia.org/wiki/Extended_Validation_Certificate.
If you always check these certificates, don't trust email links, run as a limited user whenever possible and access the internet from behind a router/firewall (with WPA encryption for wireless connections), then the risk of your internet banking details being stolen is already very low. Installing Rapport might reduce the risk a bit further, but it is as Staib says, 'belt and braces', rather than a necessity.
-
Hi, Masonic, can you just expand on this, I just tried it with HSBC, no go. Must be clicking wrong place. I use WOW, have never tried authentication cert. Would like to. Appreciate it if you would tell me in lay terms how. Thanks
-
You need to be on the login page of the site in question (which should start https://...). I've only got experience of Firefox, IE and Opera: Firefox places a green bar to the left of the address bar with the name of the company. You can click this bar to check the details. For IE and Opera, the validation bar is on the right of the address bar. For other browsers you would need to check the help files to find out what you need to do in order to bring up the certificate details.
Edit: I've just checked HSBC. The page where they ask you to enter your user ID is not secure - therefore you cannot check the site is genuine until after you click submit. Shame on you, HSBC! Almost every other bank gets this right.
This discussion has been closed.