
Rapport – More problems than it's worth! by Erin Dunn

            Over the last three years there has been a noticeable trend in the computer troubleshooting and repair industry: a particular piece of software called Trusteer Rapport has been causing odd behavioral problems on machines that we repair. Everything from slowness to Windows deactivation to 0xA BSODs has been caused by either the installation or the attempted removal of this software. So what is it, where does it come from, and should you use it? Those are the questions we will try to answer here.


What is it?

            Trusteer Rapport is security software designed to protect confidential data, such as account credentials, from being stolen by malicious software or via phishing. The software includes anti-phishing measures to protect against misdirection and has the purported capability to prevent malicious screen captures. It attempts to protect users against the following forms of attacks: Man-in-the-browser, Man-in-the-middle, session hijacking and screen capturing.

            On installation, Rapport also tries to remove existing financial malware from end-user machines and to prevent future infection. Trusteer Rapport is advertised to be compatible with Microsoft Windows (XP-SP2 and higher) and Mac OS X and can be downloaded free of charge. Financial institutions offer the software free of charge with a view to making online banking safer for customers. 


Where does it come from? 

            Originally headquartered in Tel Aviv, Israel, Trusteer was purchased in October 2013 by IBM for $1 billion, and its headquarters were relocated to Boston, Massachusetts. Since then IBM has poured considerable resources into diversifying Trusteer's product line and now offers several consumer security products, seemingly all for free.

            Various financial institutions are currently distributing the software to their customers via their internet banking services in an attempt to reduce the amount of fraud being perpetrated. Banks promoting the software include Bank of America, Société Générale, INGDirect, HSBC, NatWest, The Royal Bank of Scotland, CIBC, Ulster Bank, First Direct, Santander, Standard Bank of South Africa, Scotiabank, BMO, Banco de Chile, The Co-operative Bank, Guaranty Trust Bank Plc (GTBank), Ecobank and Davivienda.

            Considering that Trusteer pulled in only $80 million in revenue in 2012, it's hard to understand why a company like IBM, whose interest has traditionally been corporate and government contracts rather than the consumer market, would invest so much in a consumer security company with very little to gain. Given recent events in computer security around the world, it would be logical to assume that IBM is less worried about consumer security and more interested in the exploitable and highly profitable assets Trusteer possesses.


Should you use it?

            In a word, NO. There are several NO moments to consider with this product. The first is how the software protects its users. On installation the software warns the user to shut off any antivirus software, as it may prevent Rapport from installing correctly. This is a major red flag for "supplemental" security software: it means the software at least behaves like, and possibly conducts the same activity as, malicious software. On closer examination it would appear that Rapport alters hundreds of files in the OS in an attempt to circumvent almost all MS Windows APIs (just try checking system file signatures after Rapport's installation), something no other security software attempts because of the operating system stability issues it causes. Stability issues and resource management are the main complaints about this product; a quick Google search makes this painfully clear.
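One way to do that file-signature check, as an added example (not from the article, and not Trusteer's or Microsoft's own tooling): snapshot the SHA-256 hash and Authenticode signature status of the executables under System32 before installing anything, take a second snapshot afterwards, and diff the two. The script name, snapshot file names and the System32 default are illustrative; it assumes an elevated PowerShell session.

```powershell
# Compare-SystemFiles.ps1 (illustrative name): hash + Authenticode status of
# system executables, captured before and after an install, then diffed.
# Usage (elevated PowerShell):
#   .\Compare-SystemFiles.ps1 -Snapshot before.csv     # then install the product
#   .\Compare-SystemFiles.ps1 -Snapshot after.csv
#   .\Compare-SystemFiles.ps1 -Before before.csv -After after.csv
param(
    [string]$Root = "$env:SystemRoot\System32",   # directory to inventory
    [string]$Snapshot,                             # write a snapshot CSV and exit
    [string]$Before,                               # or: compare two existing snapshots
    [string]$After
)

function Get-SystemFileState {
    param([string]$Path)
    # Executable code only; unreadable items are skipped rather than aborting the run.
    Get-ChildItem -Path $Path -Recurse -File -Include *.exe,*.dll,*.sys -ErrorAction SilentlyContinue |
        ForEach-Object {
            $sig = Get-AuthenticodeSignature -FilePath $_.FullName
            [pscustomobject]@{
                Path   = $_.FullName
                Sha256 = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
                Status = $sig.Status.ToString()   # Valid, NotSigned, HashMismatch, ...
                Signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
            }
        }
}

if ($Snapshot) {
    Get-SystemFileState -Path $Root | Export-Csv -Path $Snapshot -NoTypeInformation
    Write-Host "Snapshot of $Root written to $Snapshot"
    return
}

# Compare mode: index the baseline by path, then walk the later snapshot.
$baseline = @{}
Import-Csv -Path $Before | ForEach-Object { $baseline[$_.Path] = $_ }
foreach ($row in Import-Csv -Path $After) {
    $old = $baseline[$row.Path]
    if (-not $old) {
        Write-Output "NEW       $($row.Path) [$($row.Status)] $($row.Signer)"
    } elseif ($old.Sha256 -ne $row.Sha256) {
        # Content changed: a legitimate update keeps a Valid signature from the same signer.
        Write-Output "CHANGED   $($row.Path) [$($old.Status) -> $($row.Status)] $($row.Signer)"
    } elseif ($old.Status -eq 'Valid' -and $row.Status -ne 'Valid') {
        Write-Output "SIGNATURE $($row.Path) [$($row.Status)]"
    }
}
```

A normal Windows update also rewrites files under System32, so take the two snapshots back to back around the install being tested, with updates paused, and read the Signer column before drawing conclusions from a CHANGED line.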

            To add security insult to stability injury, the software collects keystrokes and online financial credentials, encrypts them, then stores them on a server somewhere for use in analyzing online financial activity. They do this, they claim, to identify and prevent fraudulent online financial activity committed using your information. With the ever-increasing number of data breaches, even at some of the largest and best-funded corporations, it's hard to justify allowing any company to store such data and use it for such a wide range of activity, no matter the reason.

            Trusteer's product line is also provided free of charge to consumers through licensing by large financial institutions. Trusteer's revenue comes solely from large corporations and special interest groups, not from the consumer, which in turn means that it is corporate interests, not the consumer's best interests, that drive the development of the products.

            The software also installs self-defense mechanisms in case another piece of software attempts to remove it. In some cases, trying to remove this software using its built-in removal method has resulted in corrupted drivers, network adapters rendered useless, deactivated Windows licensing, blue screen errors and failure to boot. It would be wise to contact either Trusteer support or another technical professional if one were inclined to attempt removal.

            Finally, there are the proprietors themselves. IBM has at the very least been associated with such crimes as violation of import/export laws, numerous claims of monopolistic practices, knowingly exposing employees to toxic chemicals resulting in high employee death rates, and aiding the Nazis in WWII through its subsidiary in Germany at the time, Deutsche Hollerith Maschinen Gesellschaft (German Hollerith Machine Corporation, aka Dehomag). Not the best characteristics to have when marketing yourself as protecting the consumer. Trusteer is no stranger to the courtroom either. In late 2010, a company called BlueGem discovered that Trusteer had copied BlueGem's "Intel Compatibility Code" project almost line for line into its own product, which amounted to copyright infringement. The case was later dismissed as frivolous.


Conclusion? 

            If your banking website offers you premium protection with this product please save yourself the trouble and decline immediately. If you happen to already have it installed on your machine please contact Trusteer support or your particular IT to remove it.


1 comment for "Rapport – More problems than it's worth"

  1. J.R. Guthrie
    September 2, 2014 at 11:24 PM

    Expanding on Krebs’ Online Banking Best Practices!
    By Ian Woodbury-Kuvik

    J.R.,

    I’ve been writing a couple of essays based on our discussion Friday. This one is not about Trusteer Rapport, but rather a more proactive approach to how online banking should be conducted. Searching for Rapport eventually led me to “Krebs on Security”, and after having a thorough read of his blog, he sounds pretty f***-ing credible, so I thought I’d summarize some of his observations. I’ve added a couple of my own, but as an aside, he seems to be in favor of Macs w/r/t this class of malware threats (example: Using Windows for a Day Cost Mac User $100,000), but the approach advocated below could be used by more paranoid Mac users. The beauty of it is the sheer simplicity of it, but you must never waver from it if you are serious about security…
    Expanding on Krebs’ Online Banking Best Practices…
    Original article: http://krebsonsecurity.com/online-banking-best-practices-for-businesses/
    Quick bullet points:
    • Never do online banking with Microsoft Windows—ever (Mac users take note: don’t act so smug, you’re still at risk, but probably less so by an order of magnitude or more based on known threat vectors).
    • Prefer a bank with two-factor authentication (they give you a physical token and require it for all online access). Avoid fuzzy double-talk about multi-factor/multi-step authentication unless there is some real piece of hardware that you hold in your hand that proves you have possession of said object—a true second factor.
    • PC with DVD/CD drive (no hard drive needed).
    • A Linux LiveCD distro with a browser that you enjoy using.
    • Hard-wired Ethernet connection for Internet access (secure Wi-Fi setup on Linux is too error-prone for the unwashed masses; OTOH, DHCP is pretty idiot-proof over a cable).
    • Ideally the machine would be kept in a physically secure location to prevent hardware tampering. Consider this mandatory when the size of financial transactions exceeds 5 figures.
    • Even with a LiveCD solution you consider trustworthy, be suspicious of using it on hardware that you do not own or control, and weigh the risks before use. Always check your assumptions.
    • If any of this seems like too much work to avoid the risks, please turn off your computer, drive to the bank in your car, and conduct your business face-to-face.
    Why all the trouble of a read-only operating system environment? The laws of physics demonstrate that a read-only disc cannot be subverted and permanently altered by malware threats (otherwise the medium is not “read-only” by definition). Every time a new banking session is to be performed, the computer is rebooted, memory is wiped, and the operating system is loaded from a known static state. It’s like having a brand-new PC every time you go online. Contrast with running from your hard drive: malware is a cumulative and constantly-evolving threat that thrives in your machine hidden amongst your data. Without hard drives that can “revert to factory state” every time the machine is rebooted (something that is not desirable by consumers, for reasons that I believe are practical and obvious), there is no trivially provable way to show that the only thing that is on the hard drive is exactly what the end-user intended to be there—and nothing else. A read-only medium is the only provable, inexpensive way to achieve that goal—bearing a temporary inconvenience to perform important and valuable online transactions—while minimizing the risk of outright theft and fraud by means of covert malware threats. Also, something so dead-simple to protect becomes much more costly to attack, so in the natural order of things, thieves will avoid you and move on to other “soft targets”.
    Remember: This is about your money, not some gross inconvenience to your computing lifestyle— that is, until the lawyers come knocking at your door telling you how to run your online affairs. Take responsibility for how YOU secure your business/money, and then tell your bank where they can stick their anti-fraud software. You Are Not An Idiot (but please be kind and gentle to those who are and show them the way).
    ———

    Let me know what you think. I’m still digging into Rapport, but this material is more common-sense and actionable IMHO for those who face larger risks without regulatory protections (i.e. small- to medium-sized businesses engaged in commercial banking online). FYI, consumers are protected by Regulation E, but businesses’ avenues of recourse are limited to the UCC, and proving fraud and negligence on the part of the financial institution is much more difficult, and usually the financial stakes are higher.
