
NATWEST online banking - rapport safety software not so safe

Comments

  • bibise25
    bibise25 Posts: 40 Forumite
    I just cannot believe this. I use Rapport every day and this is really frightening. Knowing this has put me on guard now.

    Thanks chris-wales
    :T£100 into £10000 challenge. Getting there 1150/10000!!!!!:j

  • Andystriker
    Andystriker Posts: 613 Forumite
    Part of the Furniture 500 Posts Name Dropper Combo Breaker
    If the OP had continued and then had his account(s) emptied, would Nat West have stood the loss?
  • cottager
    cottager Posts: 934 Forumite
    Just twigged Chris... so it could have been down to you that the NWOLB site was running like treacle quite recently :rotfl:
    [sorry, serious face back on now]

    I don't log in at the main Natwest site, but through a saved shortcut (not Favorites) straight to NWOLB. Don't know if it has any relevance either way though, better or worse.
    ~cottager
  • Olipro
    Olipro Posts: 717 Forumite
    masonic wrote: »
    That wouldn't work, even if Rapport was just performing a rudimentary check on the SSL certificate. An attack like this would require the browser to set up a genuine TLS connection with nwolb.com in the first instance.

    ah that's where you're wrong, we're not talking to the real nwolb server in my hypothesis.

    Since there is a client side virus it could easily install a new root certificate into the computer's certificate store, then you simply produce an SSL certificate signed with your root cert and serve that up to the infected client, as far as IE or Firefox will know it's a valid SSL certificate.

    Alternatively you could skip SSL completely and show the phishing page over standard HTTP, either method will work just fine since the client is talking to your server and not NatWest's.
  • masonic
    masonic Posts: 27,639 Forumite
    Part of the Furniture 10,000 Posts Photogenic Name Dropper
    edited 21 March 2010 at 9:04PM
    Olipro wrote: »
    ah that's where you're wrong, we're not talking to the real nwolb server in my hypothesis.

    Since there is a client side virus it could easily install a new root certificate into the computer's certificate store, then you simply produce an SSL certificate signed with your root cert and serve that up to the infected client, as far as IE or Firefox will know it's a valid SSL certificate.

    Alternatively you could skip SSL completely and show the phishing page over standard HTTP, either method will work just fine since the client is talking to your server and not NatWest's.
    No, neither of those things are possible if Rapport is installed and working properly. From the Trusteer website:-

    http://www.trusteer.com/support/faq
    To protect you against pharming attacks Rapport verifies the IP address and the SSL certificate of the website each time you connect to a protected website. If the verification fails, Rapport terminates the connection and establishes a new connection to the real website.
    These checks are so simple to implement and so fundamental to the operation of Rapport, it's very hard to imagine Trusteer screwed them up. The OP got the 'green light' from Rapport, showing whatever webpage had been received was verified as above. It's hard to see how that could have been faked.

    Edit: Just to clarify, I am asserting that it is not possible to fake the IP address in a TCP connection and it is not feasible to engineer a fake SSL certificate with a specified hash (I know there is an issue with MD5, but Natwest are using SHA1). One of those two is required to fool Rapport (assuming Trusteer's security people are not totally incompetent ;)).
  • vaporate
    vaporate Posts: 1,955 Forumite
    Which is why I use norton 360. However, I am dead cert on the correct webpage for online banking so I never ever really trust my anti-virus software.

    Just added protection at best.
  • skintdragon
    skintdragon Posts: 299 Forumite
    Part of the Furniture Combo Breaker
    Hi,

    thank you for the heads-up... I'm guessing this is also relevant to RBS online bank users as they use this Rapport software as well? Cheers anyhow! :T
    :mad: Hindsight is a wonderful thing...
    :j One of Mike's Mob! yea!!!
    Finally settled full balance of RBS personal loan ahead of schedule on 10th August 2010 :money:
    DEBT FREE AT LAST... BUT FOR HOW LONG?! :eek:
  • dzug1
    dzug1 Posts: 13,535 Forumite
    10,000 Posts Combo Breaker
    Olipro wrote: »
    possible but unlikely, it's much simpler to modify the computer's hosts file to make the DNS address resolve to a different IP, frankly it's pathetic that Trusteer don't have a hard-coded list of IPs that the nwolb.com DNS address should resolve to
    It would need more than that - Trusteer/Rapport works with a whole lot of other banks and other organisations - it's not hard wired to natwest
  • agsnu
    agsnu Posts: 1,457 Forumite
    Olipro wrote: »
    ah that's where you're wrong, we're not talking to the real nwolb server in my hypothesis.

    Your hypothesis is wrong.
  • masonic
    masonic Posts: 27,639 Forumite
    Part of the Furniture 10,000 Posts Photogenic Name Dropper
    edited 21 March 2010 at 9:48PM
    agsnu wrote: »
    Your hypothesis is wrong.
    I just wanted to confirm this one way or the other, so I stuck two entries in my hosts file to redirect both www.natwest.com and www.moneysavingexpert.com to Google. I don't normally have Rapport installed and this had the expected effect of redirecting both sites. I then installed Rapport and tried again. This time I was taken straight to the NatWest website when I tried the former, but redirected to Google when I tried the latter. What this shows is that Rapport is picking up the invalid IP address and replacing it with the correct one. It isn't doing anything funny with the hosts file and it should treat an IP address obtained from DNS in exactly the same way. In other words, a simple phishing attack would not work when Rapport is running and the user went to the usual natwest.com website.

    Edit: for those interested, I got the following report from the Rapport console:-
    The following IP addresses were tagged as suspicious. When you access a protected website, Rapport checks the IP address against a list of known good addresses for this website. If the address is not found in the list, Rapport replaces it with a known good address for the website. There is no action you need to take.
    • Mar 21 2010 20:18 IP address 216.239.61.104 doesn't match NatWest

    I also found the following in the configuration options:-
    When you are browsing to a protected website Rapport checks the website’s SSL certificate. If the certificate is outdated, incorrect, or signed by unknown issuer Rapport triggers an alert that requires your action. Rapport’s SSL validation is stronger than the browser’s mechanism and should be used for Partner websites even if your browser warns about invalid certificates. SSL certificate validation prevents access to fraudulent websites.
    So, it is not checking the certificate hash, it is just validating the issuer. Again, this is good enough to prevent a simple phishing attack.
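An added example, not code from the thread and not Trusteer's or NatWest's. It models the two checks masonic describes above (the IP allow-list substitution his hosts-file experiment showed, and certificate validation) and runs them against the scenario Olipro describes earlier (a hosts-file redirect plus a rogue root installed in the machine's certificate store). The hostnames and the Google address 216.239.61.104 come from the thread; the known-good addresses (RFC 5737 documentation ranges), the CA names, the keys and the three validation policies are constructed assumptions, and the certificate model is a toy with no real signatures, since the point is the policy logic rather than X.509 parsing.

```python
import hashlib
import ipaddress
from dataclasses import dataclass

# Constructed sample data. Hostnames match the thread; known-good IPs are
# hypothetical documentation addresses, 216.239.61.104 is the address
# masonic's Rapport console reported after his hosts-file test.
PROTECTED = "www.nwolb.com"
KNOWN_GOOD_IPS = {PROTECTED: ("203.0.113.10", "203.0.113.11")}
UPSTREAM_DNS = {PROTECTED: "203.0.113.10",
                "www.moneysavingexpert.com": "198.51.100.5"}
SAMPLE_HOSTS_FILE = """\
# constructed hosts file reproducing masonic's experiment
127.0.0.1       localhost
216.239.61.104  www.nwolb.com
216.239.61.104  www.moneysavingexpert.com
"""


def parse_hosts(text):
    """Return {hostname: ip} from hosts-file text; first entry for a name wins."""
    mapping = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        ip, *names = line.split()
        try:
            ipaddress.ip_address(ip)
        except ValueError:
            continue  # malformed line, skipped as the OS resolver would
        for name in names:
            mapping.setdefault(name.lower(), ip)
    return mapping


def resolve(host, hosts_map, dns=UPSTREAM_DNS):
    """OS-style lookup: hosts file first, then DNS."""
    return hosts_map.get(host.lower()) or dns.get(host.lower())


def check_ip(host, ip, events):
    """Rapport-style allow-listing: an address not on the known-good list for
    a protected site is logged and replaced; unprotected sites pass through."""
    good = KNOWN_GOOD_IPS.get(host.lower())
    if good is None or ip in good:
        return ip
    events.append(f"IP address {ip} doesn't match {host}")
    return good[0]


@dataclass(frozen=True)
class Cert:
    """Toy certificate: issuer binding is by issuer key id, no real signature."""
    subject: str
    issuer: str
    pubkey: str          # stand-in for the public key bytes
    issuer_key_id: str   # key id of the key that 'signed' this cert

    @property
    def key_id(self):
        return hashlib.sha256(self.pubkey.encode()).hexdigest()

    @property
    def fingerprint(self):
        data = f"{self.subject}|{self.issuer}|{self.pubkey}|{self.issuer_key_id}"
        return hashlib.sha256(data.encode()).hexdigest()


def root_cert(subject, pubkey):
    return Cert(subject, subject, pubkey, hashlib.sha256(pubkey.encode()).hexdigest())


def leaf_cert(subject, pubkey, root):
    return Cert(subject, root.subject, pubkey, root.key_id)


def browser_check(leaf, trust_store):
    """Accept if the leaf chains to any root in the local store; a root the
    malware added is trusted like any other (Olipro's scenario)."""
    return any(r.subject == leaf.issuer and r.key_id == leaf.issuer_key_id
               for r in trust_store)


def pinned_issuer_check(leaf, expected_issuer_key_id):
    """Accept only a cert issued under a shipped issuer key; ignores the store."""
    return leaf.issuer_key_id == expected_issuer_key_id


def pinned_leaf_check(leaf, expected_fingerprint):
    """Strictest option: pin the hash of the exact certificate."""
    return leaf.fingerprint == expected_fingerprint


# Constructed PKI: real CA and NatWest leaf, plus a rogue root that reuses the
# real CA's name under a different key, and a phishing leaf it issued.
REAL_ROOT = root_cert("CN=Example Public CA", "real-ca-key")
REAL_LEAF = leaf_cert("CN=www.nwolb.com", "natwest-key", REAL_ROOT)
ROGUE_ROOT = root_cert("CN=Example Public CA", "rogue-ca-key")
ROGUE_LEAF = leaf_cert("CN=www.nwolb.com", "phisher-key", ROGUE_ROOT)
CLEAN_STORE = (REAL_ROOT,)
INFECTED_STORE = (REAL_ROOT, ROGUE_ROOT)


def simulate(hosts_text, leaf, trust_store):
    """Run one protected-site connection through every check; return a summary."""
    events = []
    resolved = resolve(PROTECTED, parse_hosts(hosts_text))
    return {"resolved_ip": resolved,
            "used_ip": check_ip(PROTECTED, resolved, events),
            "events": events,
            "browser_ok": browser_check(leaf, trust_store),
            "issuer_pin_ok": pinned_issuer_check(leaf, REAL_ROOT.key_id),
            "leaf_pin_ok": pinned_leaf_check(leaf, REAL_LEAF.fingerprint)}


if __name__ == "__main__":
    print("clean   ", simulate(SAMPLE_HOSTS_FILE, REAL_LEAF, CLEAN_STORE))
    print("infected", simulate(SAMPLE_HOSTS_FILE, ROGUE_LEAF, INFECTED_STORE))
```

In both runs the poisoned hosts file resolves www.nwolb.com to 216.239.61.104 and `check_ip` substitutes a known-good address and logs the same kind of line masonic saw in the console, while www.moneysavingexpert.com is left alone because it is not a protected site. The certificate side shows why the wording "signed by unknown issuer" matters: a check that consults the machine's trust store accepts the rogue leaf once the rogue root has been installed, whereas a check pinned to the issuer's key (or to the leaf fingerprint) does not, which is also why the rogue root here is pinned by key rather than by name.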