'Rapport' Security
-
I had another go at installing Rapport after first removing every trace of previous installations or references, including from the registry (never too happy about doing that). Result, it failed to run. So again I used their SafeUninstall utility and went to Safe mode to delete folders. I expect there are bits left in the registry again now and there are folders and files in such places as Documents and Settings\user\application data. So it looks like I'm going to need direct help from Trusteer as they offered. Umm tomorrow maybe.
-
ChiefGrasscutter wrote: »The other reason open source software is regarded by some as "more secure", particularly the encryption programs, is that commercial software sometimes has undocumented and unknown "backdoors" into it.
Some time ago Quicken was discovered to have one such secret backdoor to enable them (for a fee no doubt) to unlock users' files when the customer had forgotten the password.
Sometimes these backdoors are put in at the request of governments (and such suspicions were raised over the Quicken issue) hence users' somewhat nervousness about relying on official/approved/recommended commercial programs where it is not clear what they exactly do or might do.
I can certainly tell you that when I wrote engineering programs many years ago I always put secret backdoors into them for me to use - all undocumented of course.....
In the case of Rapport, you could argue that Trusteer is acting as an agent of your bank and perhaps infer that it is at least equally competent and trustworthy. This will be the position of the average online banking user. Sophisticated users who have a good understanding of security and privacy are more likely to be sceptical and concerned. If they take appropriate care on the internet, Rapport is probably not going to offer very much to those users.
Personally, I've dabbled with it out of curiosity (opting out of the statistics reporting mode, which can be done at installation), but I can't really justify it sitting there occupying 40MB of memory so I don't think it will last long on my system. However, I know many people who would easily get caught out by phishing attacks etc and for these people, something like Rapport would be beneficial.
-
* Rapport is a browser plug-in (a bunch of DLLs that gets installed and loaded when the browser starts)
* Rapport installs a Windows service to 'monitor' its own file system integrity
* Instead of using public/ISP DNS, Rapport streamlines TCP/IP traffic via its own servers to their clients' IP addresses.
-
Hi,
First of all, thanks for your comments and interest.
We’re not aware of any bank that currently insists on their customers using the Rapport software, although at the end of the day it’s up to each bank to decide how they implement it.
Whilst we understand your concerns, we could never make the source code available. Rapport is not an open source product and as such we would never make the code public. This is the same policy as any of the other desktop security vendors.
The Rapport software is the soul of our business and we do everything humanly possible to ensure that it is the best product of its kind. We are always mindful of the responsibility that we have for protecting people's online banking sessions and would never do anything to jeopardise this.
I hope this answers your questions.
Thanks
Trusteer Support
-
As I understand it, Rapport checks the IP addresses of protected sites, but as far as I can tell it doesn't subvert any traffic through its own servers. Although I could be wrong about that...
Hi,
This is correct. Trusteer doesn't subvert any web traffic through its servers.
Trusteer Support
-
Psychonaut wrote: »Undoubtedly many users are not comfortable installing third-party proprietary software on their systems, and prefer to examine software to make a personal determination as to its efficacy and as to whether it compromises one's security and privacy. I know that on your website you bill your software as secure and as not sending any confidential information, but what assurance do we have, besides your own claims, that this is true? How can anyone be sure that your software properly does what it claims to do (and no more) unless we are able to examine its operation for ourselves, or (for the less technically inclined) ask a trusted security programmer to do so for us?
Strange how the Government's recommended encryption software for Government Departments' protection of restricted email etc is PGP (Pretty Good Privacy) which is much more than "Pretty Good" and is chosen, amongst reasons, because it is open source so that outside experts can inspect the code to ensure it has no weaknesses, back doors etc!
Assuming "everyone" has an up to date security package on their PC (and we all know this isn't true!) then the next most important measure IMHO is to use a product like KeePass to generate and store strong and safe passwords. Banks provide the facility to store part of the credentials (the log in name) to "save you from having to input it" and also encourage people to download this software which, IMHO, is more to do with giving the customer a "warm feeling" than true security.
If it aims, amongst other things, to prevent keyloggers, KeePass provides this facility when supplying passwords using AutoType, and using drop down lists (Lloyds TSB do this) or a "virtual keyboard" (as ICICI do) defeats keyloggers anyway.
HSBC choose to use neither of these techniques so a keylogger "could" capture the credentials but would need to capture details of several logins and the text of the screen which is not typed to determine which three characters of the PIN are being input.
The first rule is use safe passwords and never share the same password between two sites. It requires discipline and use of a KeePass type product with an ultra strong password to do this.
A&L have a system whereby they identify themselves as genuine by displaying a custom picture and message part way through the log in process - if all banks did this hijacking DNS etc would not be the kind of risk that Rapport is trying to defeat!
-
Ended up here from Google - since I did not get the hang of this 'security technology' as such reading First Direct's secure mail (which gets swiftly deleted when you blink!).
First Direct's message (I make a habit of copying before closing these messages - I agree it is downright stupid that they are not saved in some sort of inbox):
Your Internet Banking log on details are valuable to criminals who are always looking for new ways to try to get hold of them, and it can be difficult to know if you are fully protected. That's why we are teaming up with the financial security experts at Trusteer to bring you their Rapport security software, which will:
- help protect your Internet Banking log on details from prying eyes by securing your connection
- notify you if you've mistakenly navigated to a fraudulent website
- work alongside your existing anti-virus software and firewall
- quickly install with no need to restart your computer.
As soon as Rapport is available, we will present you with a new screen when you go to log on to Internet Banking. This will contain a link to allow you to download the software free of charge. We'd like you to download and install it when prompted.
It will only take a few minutes but it will provide you with enhanced protection when using Internet Banking and help to give you additional peace of mind.
-
Hi, HSBC only ask for DOB + certain numbers of 6 digit PIN, which to my knowledge cannot be changed without phoning them. DOB is unchangeable. I have asked for more secure login details to no avail. You do not even enter the IB number on a secure site, so all I rely on is DOB + 6 digit PIN; really it's only the PIN number that they need, DOB can be obtained using various means. Not even letters in PIN. Hardly secure, is it? If anyone knows different I for one would like to know. Rapport, on reading it, offers a panacea to logging in, especially key loggers, but, as this site proves, it's only another hurdle, and a problematic one for the likes of me, et al, if it corrupts my system up.
-
PS, I have just gone to download Rapport from HSBC unsecure site. How do I know, apart from checking webpage, that I am downloading genuine Rapport?
Hello,
You can access the HSBC download page normally and then click the download button.
When Windows starts to download Rapport it authenticates the installation file which should be signed. You should see a message from Windows that identifies the name of the product (Rapport) and the name of the vendor (Trusteer). In the event that Windows fails to authenticate the file and says that the vendor is unknown then cancel the download.
These are common security practices that you can use whenever downloading software over the net.
Trusteer Support
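The signature check described in the reply above can also be run from PowerShell on the saved installer before it is executed. This is an added example, not part of the original thread and not Trusteer's own tooling; the file name `RapportSetup.exe` and the publisher pattern `Trusteer*` are assumptions to adjust to the actual download.

```powershell
# Added example: verify a downloaded installer's Authenticode signature before running it.
# The default path and publisher pattern below are assumptions, not values from the vendor.
param(
    [string]$Path = "$env:USERPROFILE\Downloads\RapportSetup.exe",  # hypothetical file name
    [string]$ExpectedPublisher = 'Trusteer*'                        # assumed wildcard for the signer name
)

function Test-InstallerSignature {
    param([string]$Path, [string]$ExpectedPublisher)

    if (-not (Test-Path -LiteralPath $Path -PathType Leaf)) {
        return [pscustomobject]@{ Trusted = $false; Reason = "File not found: $Path" }
    }

    $sig = Get-AuthenticodeSignature -LiteralPath $Path

    # Status is Valid only when the file hash matches the signature and the
    # certificate chains to a root this machine trusts. NotSigned, HashMismatch
    # and NotTrusted all mean: do not run the file.
    if ($sig.Status -ne 'Valid') {
        return [pscustomobject]@{
            Trusted = $false
            Reason  = "Signature status: $($sig.Status) - $($sig.StatusMessage)"
        }
    }

    # A valid signature from some other publisher is still the wrong file,
    # so compare the signer's common name with the vendor we expect.
    $nameType = [System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName
    $signer = $sig.SignerCertificate.GetNameInfo($nameType, $false)
    if ($signer -notlike $ExpectedPublisher) {
        return [pscustomobject]@{
            Trusted = $false
            Reason  = "Signed by '$signer', expected '$ExpectedPublisher'"
        }
    }

    [pscustomobject]@{
        Trusted     = $true
        Reason      = "Valid signature from '$signer'"
        Thumbprint  = $sig.SignerCertificate.Thumbprint
        NotAfter    = $sig.SignerCertificate.NotAfter
        Timestamped = [bool]$sig.TimeStamperCertificate
    }
}

$result = Test-InstallerSignature -Path $Path -ExpectedPublisher $ExpectedPublisher
$result | Format-List
if (-not $result.Trusted) { exit 1 }
```

A wildcard match on the signer name is a convenience; comparing the reported thumbprint against one published by the vendor over a separate channel is a stricter check.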
This discussion has been closed.