'Rapport' Security

masonic

hpuse wrote: »

In my view, HSBC-UK is trying to cover the "big hole" in their security/authentication framework for IB transactions with this infamous piece of software rather than engineering and implementing new measures.
It is now a days so easy to obtain date of birth of a person (for e.g. company house files, council, GPs etc etc) and rest you need are just 3 digits to unlock all accounts grouped at one place.

The fallacy in that argument is that the sole purpose of Rapport is to prevent the login details you type into your computer being subverted or eavesdropped. Rapport has no effect on the strength of HSBC's login process whatsoever. If the weakness is that the credentials can be easily determined or guessed, then no security software running on the customer's PC is going to help with that unless it provides an additional layer of authentication, which Rapport does not.

To be honest, I agree the login procedure as you have described it is very weak, but having never banked with HSBC I'd assume at least that you cannot make a transaction to a new destination account without going through some further authentication. Is that not the case?

savetilibleed

masonic wrote: »

To be honest, I agree the login procedure as you have described it is very weak, but having never banked with HSBC I'd assume at least that you cannot make a transaction to a new destination account without going through some further authentication. Is that not the case?

My wife has an HSBC account and recently started to use it online. As a test she set up a destination account (me at LTSB) and could not even do so without sending money. SO she sent a nominal £1. On the other hand, with LTSB, when you set up a new payee you have to get authentication by nominating a contact phone number. This they phone, you answer and enter a 4 digit code you see on the screen into the phone to complete the payee setup.

StevieJ

I am still considering downloading this software, any chance of someone outlining (simply) what security this software provides, the only thing I am aware it does is stop you going to a phishing site, any other benefits? I know it has been discussed ad infinitum on here but I would just like a simple resume to help me decide. Thanks

atypical

There's a run down here:
http://www.trusteer.com/product/technology

StevieJ

masonic wrote: »

...except that the consequences of a failure in the https protocol would be borne by the bank, whereas the consequences of a failure in your encryption software would be borne by you (if the bank was able to discern what you were doing). As long as people are aware that there is a shift in liability away from the bank when their login details are processed by third party software, then it is quite rational to use encryption software that has been researched and determined trustworthy.

Would this be equally the case if you use Rapport software for web sites other than the ones who recommended you download it? I have installed this software and it seems pretty straightforward at the moment.

masonic

StevieJ wrote: »

Would this be equally the case if you use Rapport software for web sites other than the ones who recommended you download it? I have installed this software and it seems pretty straightforward at the moment.

That's a very good question. At this time it is not known that Rapport does anything with login details that would be in breach of any bank's T&Cs (the assumption would be that they are being stored locally using non-reversible encryption). That means if something went wrong you'd in a similar position as if you'd put your trust in any other reputable security software that ended up doing something wrong. It's hard to imagine any bank holding you responsible for using a product that seems to be held in quite high esteem within the banking industry at the moment. I think as the very worst case scenario, the Financial Ombudsman would have to side with you if one bank requested that you install the software and another held you responsible for the consequences. If that doesn't count as being treated unfairly, I don't know what does.

mutley74

I had to uninstall Rapport from my machine (xp) as it was taking ages to let IE load up and ages to surf. much better after i removed it.

cottager

A new thread reports Rapport NOT preventing a phishing attempt:
http://forums.moneysavingexpert.com/showthread.html?t=2351601
Thought the link should be here in the main thread.

masonic

cottager wrote: »

A new thread reports Rapport NOT preventing a phishing attempt:
http://forums.moneysavingexpert.com/showthread.html?t=2351601
Thought the link should be here in the main thread.

I can't say I'm particularly surprised by this. If a virus sinks its roots into your computer, it is on an equal footing with whatever security software you have installed. From there it is just down to a battle of wits between the two pieces of software. It is simply not possible to do internet banking safely on an infected machine.

I expect the poster on that thread would not have been fooled by this if Rapport wasn't installed on their machine. It just goes to show you can't let your guard down just because you think you're being protected by some peice of software running on your machine.

StevieJ

masonic wrote: »

I can't say I'm particularly surprised by this. If a virus sinks its roots into your computer, it is on an equal footing with whatever security software you have installed. From there it is just down to a battle of wits between the two pieces of software. It is simply not possible to do internet banking safely on an infected machine.

I expect the poster on that thread would not have been fooled by this if Rapport wasn't installed on their machine. It just goes to show you can't let your guard down just because you think you're being protected by some peice of software running on your machine.

Was that not a form of keylogging not phishing? i.e. could they not put an overlay onto your sign and get your id and password?