House Price Crash Forum

Archived

This topic is now archived and is closed to further replies.

Ologhai Jones

Trusteer Rapport In Plain English


Please would someone explain to me the virtues of Trusteer Rapport in plain English, and why (assuming that it's the case) I ought to be installing it?

A bank's website keeps suggesting that I use it, but so far I've been unable to establish in simple language what it will do for me and whether it's worth it.

As you can probably tell, I generally resist downloading and installing yet another piece of software unless I know that I want it.

Thanks in advance for the pearls of wisdom! :)

Share this post


Link to post
Share on other sites

Don't feel offended, Mr Serf, but you appear to have a tiny font! :blink:

Share this post


Link to post
Share on other sites

Santander push it hard. I installed it a few years ago but didn't find it completely compatible with Chrome browser. Sometimes it would work, other times not, depending on the current version of Chrome, which updates frequently.

I installed it again last month on my new laptop with Windows 8.1 and it completely messed things up. Uninstalling it didn't help and I ended up using the 'Macrium Reflect' disc image, that I had fortunately made the day before, to completely get rid of it. I shan't be installing it again.

Share this post


Link to post
Share on other sites

It's about shifting the blame for any potential IT screwup in the future.

When internet banking first started a few of the banks introduced terms and conditions that basically said "if any money goes missing from an online account, that's the customer's problem not ours". Eventually there was a test case in court and they had to withdraw those terms as they were deemed unreasonable.

By introducing a third party it enables the bank to say "wasn't our fault, you'll have to sue Trusteer", so now you have a far more complex case - what are the contracts between you and the bank, you and Trusteer and Trusteer and the bank? Also Trusteer are not a bank so none of the banking regulation will apply to them.

I would steer well clear, but the key part is not installing and using the software (which I suspect does nothing useful) but agreeing to the legal contract between you and Trusteer.

Share this post


Link to post
Share on other sites

It's about shifting the blame for any potential IT screwup in the future.

When internet banking first started a few of the banks introduced terms and conditions that basically said "if any money goes missing from an online account, that's the customer's problem not ours". Eventually there was a test case in court and they had to withdraw those terms as they were deemed unreasonable.

By introducing a third party it enables the bank to say "wasn't our fault, you'll have to sue Trusteer", so now you have a far more complex case - what are the contracts between you and the bank, you and Trusteer and Trusteer and the bank? Also Trusteer are not a bank so none of the banking regulation will apply to them.

I would steer well clear, but the key part is not installing and using the software (which I suspect does nothing useful) but agreeing to the legal contract between you and Trusteer.

I use Kaspersky Internet Security, that Barclays provide for free.

Share this post


Link to post
Share on other sites

An upgrade in Sept 2013 stopped me from connecting to the internet. I had to use system restore before I could connect to the internet, then as soon as I connected it updated again. A massive pain in the ar$e.

Their customer service wanted me to uninstall and reinstall, which I did but still had the issue, so I removed it from the computer completely, problem solved.

Share this post


Link to post
Share on other sites

Thank you for the replies. I still don't feel as if I know what the software is supposed to do, but my view that I should give it a miss is somewhat reinforced.

The bank's website has popped up an 'install Rapport' box over the login page for at least months and possibly verging on years, but I've been doggedly ignoring it. It looks like I'll be continuing to do so.

Share this post


Link to post
Share on other sites

Thank you for the replies. I still don't feel as if I know what the software is supposed to do, but my view that I should give it a miss is somewhat reinforced.

The bank's website has popped up an 'install Rapport' box over the login page for at least months and possibly verging on years, but I've been doggedly ignoring it. It looks like I'll be continuing to do so.

If you've got reliable disk imaging software that you trust, why not image your HDD to an external USB drive and give it a try for a day or two then restore the image if you don't think it's of any use to you.

Share this post


Link to post
Share on other sites

If you've got reliable disk imaging software that you trust, why not image your HDD to an external USB drive and give it a try for a day or two then restore the image if you don't think it's of any use to you.

Even if I did have reliable disk imaging software handy (which I don't), that seems like a lot of trouble to go to in order to try out some other software that, as per the OP, I can't work out what it's going to do for me! ;)

Even consulting the product's website about it doesn't help much--at least, it doesn't help me.

Share this post


Link to post
Share on other sites

Thank you for the replies. I still don't feel as if I know what the software is supposed to do,

Having been involved in an early implementation of it...

The problem it is attempting to solve is that when it comes to Internet Banking fraud, the risk and losses are almost (but not completely) at the customer end of things due to viruses, trojans and malware.

What Rapport attempts to do is shield the transfer of information all the way from keyboard and mouse through to the encrypted browser session so that any malware present cannot see that the session is taking place and is unable to hijack any information, thus preventing fraud and theft.

It isn't perfect, I've seen examples where keyloggers can still pick up keystrokes - but it does on aggregate work to reduce theft.

Share this post


Link to post
Share on other sites

Having been involved in an early implementation of it...

The problem it is attempting to solve is that when it comes to Internet Banking fraud, the risk and losses are almost (but not completely) at the customer end of things due to viruses, trojans and malware.

What Rapport attempts to do is shield the transfer of information all the way from keyboard and mouse through to the encrypted browser session so that any malware present cannot see that the session is taking place and is unable to hijack any information, thus preventing fraud and theft.

It isn't perfect, I've seen examples where keyloggers can still pick up keystrokes - but it does on aggregate work to reduce theft.

Incorrect. The failure is at the bank and regulator end. If the banks wanted to, they could put restrictions on accounts based on customer profiling and customer direction that would lock down 99% of internet/other frauds. Trouble is, that costs money so instead they shake their heads.....

Anti-fraud example A - one bank I know has 100% ATM overseas blocks. Customers MUST ask for unblocking before any cards (credit/ATM) can be used overseas, and the usage period is limited as are the countries. It's expensive, but well done to that bank.

Anti-fraud example B - one bank I know texts every transaction over 100USD to the customer's mobile, whether internet instruction, shop purchase, or ATM. Customers therefore know instantly if something is wrong. Again, expensive, but well done.

Trust me on this - many banks' managements just do not want to spend the money. Stuff like Rapport is a cheap solution and (as others have hinted) blame shifters.

Share this post


Link to post
Share on other sites

Incorrect. The failure is at the bank and regulator end. If the banks wanted to, they could put restrictions on accounts based on customer profiling and customer direction that would lock down 99% of internet/other frauds. Trouble is, that costs money so instead they shake their heads.....

Anti-fraud example A - one bank I know has 100% ATM overseas blocks. Customers MUST ask for unblocking before any cards (credit/ATM) can be used overseas, and the usage period is limited as are the countries. It's expensive, but well done to that bank.

Anti-fraud example B - one bank I know texts every transaction over 100USD to the customer's mobile, whether internet instruction, shop purchase, or ATM. Customers therefore know instantly if something is wrong. Again, expensive, but well done.

Trust me on this - many banks' managements just do not want to spend the money. Stuff like Rapport is a cheap solution and (as others have hinted) blame shifters.

If my bank blocked my cards for overseas use and, when activated, limited the usage period, I would change my bank. Also, if my bank spammed my mobile with texts to confirm all transactions I would change my bank.

I spend a lot of time abroad and the last thing I want is having to provide an itinerary for the bank and I don't want nuisance texts coming in when I'm bombing along on a French motorway.

Share this post


Link to post
Share on other sites

If my bank blocked my cards for overseas use and, when activated, limited the usage period, I would change my bank. Also, if my bank spammed my mobile with texts to confirm all transactions I would change my bank.

Ditto. Banks have built incredibly insecure systems and, rather than spend money to fix them, now want to inconvenience or blame their customers.

Share this post


Link to post
Share on other sites

My German bank sends me a list of 50x codes in the mail. Every time I want to do something online I have to enter a specific code. A given code only works once.

Wonderfully simple system that defeats keyloggers, trojans, etc.

Oh, and my OS doesn't give root access to every s****y bit of software on the system.

Share this post


Link to post
Share on other sites

Incorrect. The failure is at the bank and regulator end. If the banks wanted to, they could put restrictions on accounts based on customer profiling and customer direction that would lock down 99% of internet/other frauds. Trouble is, that costs money so instead they shake their heads.....

Anti-fraud example A - one bank I know has 100% ATM overseas blocks. Customers MUST ask for unblocking before any cards (credit/ATM) can be used overseas, and the usage period is limited as are the countries. It's expensive, but well done to that bank.

Anti-fraud example B - one bank I know texts every transaction over 100USD to the customer's mobile, whether internet instruction, shop purchase, or ATM. Customers therefore know instantly if something is wrong. Again, expensive, but well done.

Trust me on this - many banks' managements just do not want to spend the money. Stuff like Rapport is a cheap solution and (as others have hinted) blame shifters.

Not incorrect. Your views on how best to deal with internet banking security do not have the power to change the functionality of a piece of software or the reasons for its implementation the best part of a decade ago.

To achieve a reasonably secure and fraud free service requires a range of policies, staff training, software, hardware, transaction auditing and verification balanced against exposure, costs, customer acceptance and convenience and practicality. Rapport is one part of the jigsaw that may or may not be part of a useful security solution for any given bank. It was only a tiny part of the solution in the situation I was talking about.

All bank management teams do not want to spend the money. It's their job to not spend money without a suitable return on the investment.

Share this post


Link to post
Share on other sites

For the OP, here is a rough explanation of what it attempts to do.

The problem banks face is that they cannot trust the machine the user is using, and neither can that user. Why is this? It is because the machine may be compromised - a 3rd party may have managed to install an application that logs key strokes and captures passwords. The simple analogy would be someone looking over your shoulder while you are typing. They can see you have gone to a bank site, they can see your user name, and they can watch you typing the keys for the password, even if it comes up as little black circles on the screen. If a human standing behind you can do it, so can a piece of software, or hardware.

So why is it different to AV software? This is because it is generically trying to prevent this attack. AV software is looking for patterns of code and literally scanning lines of executable for stuff it knows is dodgy. This is approaching the problem from a different angle: the assumption that the machine will be compromised (by as yet undefined things) and seeking to protect it.

As you would expect, doing this is very hard and invasive - you need to intercept the keystrokes very early in the process (basically in the keyboard driver) and then deliver them securely to the target application. Unsurprisingly, it often goes wrong and chews a lot of resources.

At the heart of it, it is the wrong answer. Those banks using one time passwords (e.g. Barclays PINsentry) have got it right - you can look over my shoulder all you want, but the password I used in my last session will not help you.

Share this post


Link to post
Share on other sites
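As an added example (not part of any post in this thread, and not any bank's actual system), here is how a server could handle the posted list of single-use codes described a few posts up, which also shows the one-time-password point made in the post above: a code captured in one session is useless in the next. The class name, 6-digit codes, numbered challenge and three-strike lock-out are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets


class TanList:
    """One posted sheet of single-use codes for one account (hypothetical model)."""
    MAX_FAILURES = 3  # assumed lock-out threshold against guessing

    def __init__(self, count=50, digits=6):
        self._salt = secrets.token_bytes(16)
        # Printed sheet sent by post; kept on the object only so the demo can read it.
        self.sheet = {i: f"{secrets.randbelow(10 ** digits):0{digits}d}"
                      for i in range(1, count + 1)}
        # The server stores salted hashes of the codes that are still unused.
        self._unused = {i: self._digest(c) for i, c in self.sheet.items()}
        self._failures = 0
        self.locked = False

    def _digest(self, code):
        return hashlib.sha256(self._salt + code.encode()).digest()

    def challenge(self):
        """Choose which unused code number the customer is asked for."""
        if self.locked or not self._unused:
            raise RuntimeError("sheet locked or exhausted; issue a new one")
        return secrets.choice(sorted(self._unused))

    def authorise(self, index, code):
        """Accept a code at most once; replays and wrong guesses are rejected."""
        expected = self._unused.get(index)  # None once the code has been spent
        ok = (not self.locked and expected is not None
              and hmac.compare_digest(expected, self._digest(code)))
        if ok:
            del self._unused[index]
            self._failures = 0
        else:
            self._failures += 1
            self.locked = self.locked or self._failures >= self.MAX_FAILURES
        return ok


def demo():
    tans = TanList()
    n = tans.challenge()
    code = tans.sheet[n]                # customer reads code n off the paper
    first = tans.authorise(n, code)     # genuine transaction
    replay = tans.authorise(n, code)    # same keystrokes replayed by malware
    return first, replay, len(tans._unused)
```

Nothing here ties a code to a payee or amount, so the example demonstrates replay resistance only.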

For the OP, here is a rough explanation of what it attempts to do.

The problem banks face is that they cannot trust the machine the user is using, and neither can that user. Why is this? It is because the machine may be compromised - a 3rd party may have managed to install an application that logs key strokes and captures passwords. The simple analogy would be someone looking over your shoulder while you are typing. They can see you have gone to a bank site, they can see your user name, and they can watch you typing the keys for the password, even if it comes up as little black circles on the screen. If a human standing behind you can do it, so can a piece of software, or hardware.

So why is it different to AV software? This is because it is generically trying to prevent this attack. AV software is looking for patterns of code and literally scanning lines of executable for stuff it knows is dodgy. This is approaching the problem from a different angle: the assumption that the machine will be compromised (by as yet undefined things) and seeking to protect it.

As you would expect, doing this is very hard and invasive - you need to intercept the keystrokes very early in the process (basically in the keyboard driver) and then deliver them securely to the target application. Unsurprisingly, it often goes wrong and chews a lot of resources.

At the heart of it, it is the wrong answer. Those banks using one time passwords (e.g. Barclays PINsentry) have got it right - you can look over my shoulder all you want, but the password I used in my last session will not help you.

Doesn't Kaspersky's virtual keyboard achieve the same result?

Share this post


Link to post
Share on other sites

Doesn't Kaspersky's virtual keyboard achieve the same result?

Broadly, yes.

Key-press obfuscation techniques are used in a number of Internet security packages.

Some do it by replacing the keyboard or USB driver and when needed, scrambling the key codes, which can then be decoded by the authorised browser window.

Some use an on-screen mouse-clickable "keyboard" which communicates directly with the authorised window, bypassing the normal OS systems which could be compromised.

Share this post


Link to post
Share on other sites
