'Rapport' Security

G_M

Mr.Mulla wrote: »

I have been reading some good reviews on this software. It is actually great for online banking. It provides protection from online identity theft and online transaction protection which is usually not protected by some anti-virus softwares available. It does so by recognizing the attack while you are visiting your online banking website and prevents any spyware from stealing sensitive information. It also informs you of the attempt.

"I have been reading some good reviews on this software."
But if you read this thread, and indeed other threads on Rapport on this forum, you'll see some pretty dodgy comments, some from posters who seem technically clued up.

I wouldn't touch it.

joe134

G_M wrote: »

"I have been reading some good reviews on this software."
But if you read this thread, and indeed other threads on Rapport on this forum, you'll see some pretty dodgy comments, some from posters who seem technically clued up.

I wouldn't touch it.

Hi,I received advice today to download it from HSBC.After reading all this info I am very confused;There seems to be more against it than fo it, most of the in depth info went over my head and I reckon not to be thick.My oppinion only::: If I don,t download it am I disregarding the banks advice and leaving myself open to somesort of penalty, If I do download it and I have problems , who,s to blame. Your damned if you do and damned if you don,t.Unless I haven,t read all the blog right, then no one person has given a definitive yes it,s good or no it,s bad:It,s not a case of try it and see, as the ones who have and had trouble are left with trying to remove it and returning to the status quo.I think, if in doubt, do nowt?:(

tradetime

I'd expect, though who knows, unless a bank could prove itself in a court of law as a credible "internet security expert" (and I very much doubt any bank would want to go there) Then as long as you have taken what would generally be considered reasonable security precautions, ie running an up to date OS, fully patched, an updated anti virus system etc, using common sense personal security as in not clicking on links in e-mail to navigate to your bank, ensuring transactions take place on "https" pages, then choosing not to run their recommended security program would not be an issue. I don't run, afaik anyway, any individual bank recommended software and I don't intend to either.

There is probably no such thing as a "definitive yes it,s good or no it,s bad" when it comes to software because almost everyones computer software environment is different, and therefore any program could conflict with something you are already running on your system. One can only comment on what the program actually says it does, how effective this is in the grand scheme of things, and how well the program actually does it. None of this will guarantee it will be suitable for you.

joe134

tradetime wrote: »

I'd expect, though who knows, unless a bank could prove itself in a court of law as a credible "internet security expert" (and I very much doubt any bank would want to go there) Then as long as you have taken what would generally be considered reasonable security precautions, ie running an up to date OS, fully patched, an updated anti virus system etc, using common sense personal security as in not clicking on links in e-mail to navigate to your bank, ensuring transactions take place on "https" pages, then choosing not to run their recommended security program would not be an issue. I don't run, afaik anyway, any individual bank recommended software and I don't intend to either.

There is probably no such thing as a "definitive yes it,s good or no it,s bad" when it comes to software because almost everyones computer software environment is different, and therefore any program could conflict with something you are already running on your system. One can only comment on what the program actually says it does, how effective this is in the grand scheme of things, and how well the program actually does it. None of this will guarantee it will be suitable for you.

Hi Tradetime, I tend to agree with all you say. I reckon to be over cautious, if one can be, have all you reccommended on my comp, secunia et.al. always update, so I think I will leave well alone and hope , touch wood, not tempting fate, that I do not require Rapport or the troubles it seems to have caused others.It,s a subjective item as you say, I think the banks are using it to shift the liability from them to us, as the chip and pin saga.I will review the situation as it proceeds.Thanks

StevieJ

oldfella wrote: »

I run it inside a sandbox to do my banking

Is a sandbox the same as liveCD ?

http://en.wikipedia.org/wiki/Live_CD

Trusteer

All,
We wanted to address the issues and concerns expressed in this thread and provide some more information on what we do.

Rapport is currently running on more than 2.5 million computers in the UK alone and is being actively promoted by several UK banks including RBS, NatWest, Alliance & Leicester, and HSBC.

What does Rapport do?
The general idea is to prevent malware from interfering with your online banking session. There are a few technologies we use for that. The main ones are:

• Blocking code injection into the browser: this is how most financial malware access login information and transactions. They inject their own code into the browser’s process and operate from within the browser. Basically Rapport constantly monitors for any attempts made by other processes to inject code into the browser and blocks unauthorized code injections
• Blocking browser add-ons from accessing sensitive information during a session with the bank
• Encrypting keystrokes from the keyboard driver to the browser to prevent keyloggers from logging sensitive information
• Authentication of the IP address and the SSL connection of the bank before connecting the browser to the bank to prevent DNS attacks

Issues mentioned in this thread:

1. Uninstall issues: approximately one in 750 Rapport uninstall attempts may fail when you try to do this through the add/remove option in the control panel. The cause for the uninstall failure are locked files due to some of the self protection mechanisms that Rapport uses. In order to prevent malware from tampering with it Rapport protects its files, registry keys, and processes from being removed. In some scenarios this could interrupt the removal process especially if some files on the computer are damaged. The user guide (can be accessed from the console->user guide) explains two escalation options: the first is to remove in safe mode. The second is to use a removal utility available for download. Both options should successfully remove the software. Unfortunately this is a tradeoff between security and usability. You won’t run into this with other pieces of software as they don’t try to protect themselves. However you may run into this with other security software as well.

2. Synchronization tool won’t start: this was fixed in version 911, released 3 months ago. The cause for this problem as rightfully stated is the self protection mechanism which prevents unauthorized removal or change to Rapport’s registry keys. Once the issue with Lightscribe has been identified we created a fix that allows it to function properly. Unfortunately while we constantly test against hundreds of software products we can’t reach them all and interoperability issues might affect some users with products we haven’t seen before. We’re keen to address these ASAP and are thankful to anyone who shares this information with us.

3. Blocking processes from taking screen shoots: Rapport does block processes from taking screen shots of protected websites. Note that this doesn’t mean the process is malicious as even good processes can take screen shots as part of the way they repaint their windows. Rapport is not blocking these processes from operating or functioning – only from taking screen shots of protected web pages. If the process is legitimate this should have no affect over its functionality even if you see these events in the log. If you don’t want Rapport to provide this protection you can access the console->edit policy and set this function to “never”

Lastly, even though the product and all our support services are completely free, we’re very committed to provide quick and accurate resolutions. As part of our commitment to the banks we work with we’re are available 24x7 on email, chat, and phone and when a customer is having issues and find it hard to resolve we will offer remote support services, as mentioned in one of the posts.
We welcome any additional feedback and greatly appreciate the community’s opinion and advice .

We will continue monitoring this thread in case you have any further questions.

Thank you all
Trusteer Support

Gymgenius

First Direct are sending messages to users advising they download this software.

Psychonaut

Trusteer wrote: »

We wanted to address the issues and concerns expressed in this thread and provide some more information on what we do.

[…]

We welcome any additional feedback and greatly appreciate the community’s opinion and advice .

We will continue monitoring this thread in case you have any further questions

Thanks for coming to this forum to address our questions. It appears that some banks are now requiring their customers to install and use Trusteer Rapport as a condition of accessing their online banking service. I was wondering, then, if you could let me know whether you make available the full source code and compilation instructions for your software. Undoubtedly many users are not comfortable installing third-party proprietary software on their systems, and prefer to examine software to make a personal determinations as to its efficacy and as to whether it compromises one's security and privacy. I know that on your website you bill your software as secure and as not sending any confidential information, but what assurance do we have, besides your own claims, that this is true? How can anyone be sure that your software properly does what it claims to do (and no more) unless we are able to examine its operation for ourselves, or (for the less technically inclined) ask a trusted security programmer to do so for us?

Trusteer

Psychonaut wrote: »

Thanks for coming to this forum to address our questions. It appears that some banks are now requiring their customers to install and use Trusteer Rapport as a condition of accessing their online banking service. I was wondering, then, if you could let me know whether you make available the full source code and compilation instructions for your software. Undoubtedly many users are not comfortable installing third-party proprietary software on their systems, and prefer to examine software to make a personal determinations as to its efficacy and as to whether it compromises one's security and privacy. I know that on your website you bill your software as secure and as not sending any confidential information, but what assurance do we have, besides your own claims, that this is true? How can anyone be sure that your software properly does what it claims to do (and no more) unless we are able to examine its operation for ourselves, or (for the less technically inclined) ask a trusted security programmer to do so for us?

[FONT=&quot]Hi,
[/FONT]
[FONT=&quot]First of all, thanks for your comments and interest. [/FONT]

[FONT=&quot]We’re not aware of any bank that currently insists on their customers using the Rapport software, although at the end of the day it’s up to each bank to decide how they implement it.[/FONT]

[FONT=&quot]Whilst we understand your concerns, we could never make the source code available. Rapport is not an open source product and as such we would never make the code public. This is the same policy as any of the other desktop security vendors. [/FONT]

[FONT=&quot]The Rapport software is the soul of our business and we do everything humanly possible to ensure that it is the best product of its kind. We are always mindful of the responsibility that we have for protecting peoples online banking sessions and would never do anything to jeopardise this. [/FONT]

[FONT=&quot]I hope this answers your questions. [/FONT]

[FONT=&quot]Thanks[/FONT]

[FONT=&quot]Trusteer Support[/FONT]

Psychonaut

Trusteer wrote: »

[FONT=&quot]We’re not aware of any bank that currently insists on their customers using the Rapport software[/FONT]

[FONT=&quot]That is good to [/FONT]hear. Given your subsequent comments, I hope that use of your software continues to be optional. My own bank, first direct, is about to roll out Rapport, and I have written to them asking whether they intend to make its use mandatory.[FONT=&quot]

Whilst we understand your concerns, we could never make the source code available. Rapport is not an open source product and as such we would never make the code public.

So in other words, no, users of your software have absolutely no assurance, other than your own claims, that your software is effective, secure, and respects the privacy of their personal data.[/FONT]

[FONT=&quot]This is the same policy as any of the other desktop security vendors.[/FONT]

[FONT=&quot]I hope that this blatantly false statement is the result of your ignorance rather than a deliberate attempt to mislead. There are many, many vendors of security tools who make their source code fully available and actively solicit public scrutiny of it.[/FONT]
[FONT=&quot]

The Rapport software is the soul of our business and we do everything humanly possible to ensure that it is the best product of its kind.

It seems rather self-evident to me that the best way of ensuring that a particular product is the best of its kind is to be honest and open about its workings, and to invite scrutiny and commentary by its users and by independent experts.[/FONT]