Friday, 12 February 2010

Trusteer's Response to Issues with Rapport

I have been getting a lot of hits on this blog relating to Trusteer's Rapport, so I thought I would take a better look at the product. During my investigations, I was able to log keystrokes on a Windows 7 machine whilst accessing NatWest. However, the cause is as yet unknown as Rapport should be secure against this keylogger, so I'm not going to share the details here yet (there will be a video once Trusteer are happy there is no further threat).

I have had quite a dialogue with Trusteer over this potential problem and can report that their guys are pretty switched on, they picked up on this very quickly and are taking it extremely seriously. They are also realistic about all security products and have many layers of security in place within their own product. No security product is 100% secure - it can't be. The best measure of a product, in my opinion, is the company's response to potential problems. I have to admit that Trusteer have been exemplary here.

Why do I keep saying it's a potential problem when I have logged keystrokes? Well, under normal operating conditions this isn't possible with the keylogger used. Most home users won't have a machine set up like the test machine in this case.

Trusteer have also pointed out that keyloggers are not the main threat facing the banks at the moment and are of less use now than in the past. Rapport has several layers of security protecting the machine beyond keyloggers and blocking screen capture. One of the major plus points about Rapport is their anti-phishing and anti-pharming technologies. Although, again, these aren't perfect, it's better than nothing.

I don't agree totally with Trusteer here though. The problem with being able to log typed characters comes back to weak passwords and single-factor authentication. In this case, NatWest seem to require a customer ID, consisting of the user's date of birth and a 4 digit ID in the format ddmmyyxxxx, a 4 digit PIN and only a short password. Now, they will let any Customer ID through in this format whether it's valid or not (good from a security point of view as you don't know if you've got a valid Customer ID or not). However, clearly they allow 6 character passwords and then ask for three of them. So with one capture I can have 3 out of 4 PIN digits and half the password. We know people choose weak passwords that can be guessed. This becomes a crossword puzzle to make a 6 character password given three known characters. I would agree with Trusteer that keyloggers and screen capture shouldn't be a problem now, but it still is, as the banks cling onto simple username and password authentication, often with poor password policies.
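Added example (not part of the original post): the arithmetic behind the "one capture" point above, showing how much of a partial-secret challenge a single observed login exposes and how quickly repeated observations expose the rest. It assumes challenge positions are chosen uniformly at random and a 36-symbol password alphabet; neither is stated in the post.

```python
from fractions import Fraction
from math import comb


def residual_guesses(length, revealed, alphabet):
    """Candidates left once `revealed` of `length` positions are known."""
    return alphabet ** (length - revealed)


def p_fully_exposed(length, asked, captures):
    """Probability that `captures` observed logins reveal every position.

    Assumption: each login asks for `asked` distinct positions picked
    uniformly at random. Inclusion-exclusion over positions never asked.
    """
    total = comb(length, asked)
    return sum(
        (-1) ** j * comb(length, j)
        * Fraction(comb(length - j, asked), total) ** captures
        for j in range(length + 1)
    )


def captures_needed(length, asked, threshold):
    """Smallest number of observed logins with exposure probability >= threshold."""
    k = 1
    while p_fully_exposed(length, asked, k) < threshold:
        k += 1
    return k


if __name__ == "__main__":
    ALPHABET = 36  # assumed: case-insensitive letters plus digits
    # Layout from the post: 4-digit PIN and 6-character password, 3 asked of each.
    print("PIN guesses left after one capture:", residual_guesses(4, 3, 10))
    print("Password guesses left after one capture:",
          residual_guesses(6, 3, ALPHABET), "of", ALPHABET ** 6)
    for k in (1, 2, 3, 4):
        print(k, "captures: PIN fully known p =", float(p_fully_exposed(4, 3, k)),
              "| password fully known p =", float(p_fully_exposed(6, 3, k)))
    # Longer secrets with the same 3-position challenge leak more slowly.
    for n in (6, 8, 12):
        print("length", n, "-> captures for 50% full exposure:",
              captures_needed(n, 3, Fraction(1, 2)))
```

The residual counts assume uniformly random characters; human-chosen passwords leave far fewer plausible candidates, which is the post's argument for one-time passwords and a second factor.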

If the banks move to 2-factor authentication and one-time passwords then most of this would be redundant, and Trusteer could concentrate on pushing us off to the correct site to avoid phishing and pharming attacks. Of course, these will become even more prevalent and sophisticated. Technology can't stop this alone; it has to be coupled with user education. Screen capture can still cause problems with strong authentication solutions, such as those using images or on-screen grids to generate one-time passwords.

So, what's the bottom line? Since my earlier posts, Rapport has come a long way with compatibility, etc. The tone of the marketing has also changed for the better and is more realistic (although some of the 44 partner banks could be doing more). So Rapport could be an additional layer of security to protect you, but you will still have to be vigilant. You must have an up-to-date, legitimate anti-virus/anti-malware product, firewall protection, tight controls on your browser and a cautious and skeptical approach to all communications and links. Without these, Rapport isn't going to help you anyway.

Edit: video in later post - Keylogging Trusteer's Rapport


ChriS said...

Hi Luke,
One thing I don't understand is, why doesn't the browser do the job itself, rather than needing to install this plug-in?

Luke Hebbes said...

In some ways the browsers do help, if the organisation has used an EV SSL Certificate (Extended Validation), as the browser bar will go green and you can check that it is the expected site. However, how many people actually check the certificate of the site they're visiting? The most they'll do is check for a padlock, but this could be any site, that just says that the link is encrypted.

What Rapport tries to do is check this for you and change to the real site if this isn't the right one. What it also tries to do is protect you from Trojans (which your anti-malware and sensible browsing habits should have stopped from infecting your machine in the first place) and injection attacks. Unless a browser is familiar with the site you’re navigating to, it can’t really stop injection attacks, as it doesn’t know what should have been there in the first place. One ‘simple’ way round this would be to add a digital signature to each web page and have the browser automatically check it – not infallible, but extremely hard to circumvent if properly implemented.

Anonymous said...

I downloaded Trusteer Rapport on the advice from my Bank, only to have it crash Safari. Safari just would not operate. Used Time Machine to clear the system of Rapport, and all was OK. Spoke to Trusteer about the problem, and was told that they are working on it for Mac.
The situation now is that I again downloaded Rapport, happy to report no further problems with Safari, but Rapport only works when the computer is on, and has to be downloaded every time that I want to access the Bank site. Just a bit tedious!

Anonymous said...

I have also had problems with my Windows 7 computer becoming very sluggish after installing Rapport. I have uninstalled it and now have no problems.
The other problem with this approach is it is confusing for users; we shouldn't have to be researching, downloading, installing/uninstalling extra bits of "security" software, that may themselves offer additional security holes for all we know.
If the banks think that there is a software fix to a current security issue I believe they should work with current security software companies to provide this, so users do not have to decide whether to install another (possibly incompatible) piece of security software.
Personally I think a much better solution is dynamic (one-use) passcodes created by the user's bankcard. E.g. Visa Codesure:

This would be pretty invulnerable to malware. The only question I have is if someone gets hold of your card they might be able to see which numbers on the keypad are the most worn, and be able to guess the PIN, which they could then use in a cash machine for example.

Luke Hebbes said...

I can’t really comment on the performance of your machine other than to say every extra bit of security on your system will have an impact on performance (although each one shouldn’t be significant on its own). With regards to security holes of Trusteer’s Rapport – no software can be 100% secure. However, I am reasonably convinced that Rapport doesn’t introduce any additional security holes and I have tested it.

Current security software companies (I assume you mean AV providers) don’t focus on the specific threats that banks face and don’t necessarily react quickly enough. Also, these AV products are not as secure as you might think. Actually, they probably let through more malware than Rapport in certain circumstances. Have a look at my post on ‘How secure is your AV Product?’ Signature-based products will always be susceptible to engineering malware to evade detection – I can try it against all the major vendors before I release it and recompile until they don’t detect it. Rapport works in a different way, by blocking access to drivers, etc., rather than trying to detect the malware. I have spoken to Trusteer’s CEO and they are very committed to shutting down the malware authors and botnets. Unfortunately, the criminals have deeper pockets than the security companies.

Finally, neither the SmartCards banks use nor their One-Time Passcodes are totally secure. Cards can be cloned, despite what the banks say. Also, a one-time passcode is still susceptible to a Man-In-The-Middle attack, so I can inject any traffic and additional transactions I want into your session for a start. They also don’t stop me from publishing a phishing or pharming site. I can just accept any response ‘one-time passcode’ from you without having to understand it. Also, the passcodes that the banks use are predictable and any keypad can be used with your card, not just the one they sent you. These codes also don’t stop me from being able to capture screenshots of your bank details and transactions or keystrokes. In fact, if I recorded your online banking session I could probably get enough information to impersonate you to your bank.

One final note about the PIN on your card, you don’t need it to make transactions on that account (I also don’t need your PIN if I clone your card).

Brown Jason said...

Good Screen monitoring software will help you to log and trace all your computer's activities and IP address even though you are away from your computer.


Welcome to the RLR UK Blog

This blog is about network and information security issues primarily, but it does stray into other IT related fields, such as web development and anything else that we find interesting.
