Banks are confusing consumers on PC security
Summary: Banks obviously have an interest in making consumers feel safe. They are there to protect the customers' money. They want customers to use their online services, too, because the channel offers a lower cost per transaction than a branch. But giving away free security software to make customers feel safe is probably doing more harm than good.
See the bottom of this article for a clarification.
I'm not surprised that consumers have a difficult time grasping the idea of computer security. In Australia, banks such as the Commonwealth subsidise antivirus. The good news is that CBA customers can buy CA antivirus for AU$35 instead of AU$65. The bad news is that the bank exaggerates massively, claiming that with antivirus the threat of malware is removed entirely: "By offering you personal security software, we can help to eliminate this threat [of malware]," says the bank's FAQ page.
CBA customers are likely to walk away feeling completely safe with their new antivirus, yet security professionals know this not to be the case. At this year's AusCERT conference, Cisco's chief security officer, John Stewart, echoed what many security observers have said: that antivirus is not enough to eliminate today's threats because malware writers can create new malware faster than AV vendors can write signatures.
So who should consumers believe? The security professional or the organisation they entrust their savings to?
ING Direct USA also recently announced it is giving away 6.5 million licences of Trusteer's Rapport security software to its customers.
According to Trusteer, the software works by monitoring the interface between applications and an operating system for malware, encrypting information sent from the computer and authenticating ING's website.
The application, which can be downloaded from ING's website, creates a so-called "secure pipe" between a PC — not a Mac or Linux system — and the bank's network. ING boldly claims that Rapport protects against Man In The Browser and Man In The Middle attacks, keyloggers, screen grabbers, pharming, and phishing — "even on infected PCs".
Again, if consumers believe the bank, they should walk away feeling entirely safe. However, they are then given another confusing message: whether or not they install the application, ING will refund customers if their PCs have been hacked and money is stolen.
But here's where it gets really confusing for customers: to run the Rapport software users have to install it with Administrator privileges [see clarification below] — a practice which Microsoft's top security people have been preaching customers to avoid to mitigate the threat of malware.
Security consultant Ty Miller from Pure Hacking explained why: "Vista bases much of its security around not running as Administrator to prevent your system becoming compromised in the first place, so if users are required to run programs as Administrator then they may actually be introducing additional risk to the user's operating system."
The customer has obviously placed some level of trust in both organisations, yet each gives different advice. So again, who should the customer believe?
In this instance, I'd actually say, place your bets on Microsoft. According to the CIO of ING Direct USA — a bank which promotes itself as ranked by the University of California as "America's safest bank" — it still sends its customers email alerts for their statements that include URL links. It's pretty amazing the "safest bank" still does this, given the prevalence of phishing scams in the US.
Banks often claim that education is the key to making customers actually safe. Well, if this is true, banks shouldn't blind customers to the realities of malware protection by exaggerating claims about the level of security they have.
This is to clarify that Rapport can be installed without administrator privileges; however, the product may not work as described by Trusteer if users are not operating under Administrator mode.
Mickey Boodaei, Trusteer's CEO (http://www.trusteer.com/board-directors), contacted ZDNet.com.au to clarify that Trusteer Rapport does not require Administrator privileges to run.
"If you run Rapport as administrator it provides its protection from the OS kernel. If you don't have admin privileges Rapport will run from user-space and will protect you mainly against user-space attacks. The logic is simple: if you run as non-admin you're less exposed to kernel-level malware. However, you're still exposed to user-space malware (most malware today can install itself either way) and this is the gap that Rapport closes for you. Either way, Rapport will significantly improve your online security," he said.
Talkback
Rapport software install
Admin
Banks need to focus on Customer Security Management
Banks are already looking to implement multiple point product solutions to handle individual aspects of Customer Security Management. Examples are out of band authentication devices (I have 3 from different financial institutions already); quite a few are looking at browser virtualization and transaction encapsulation techniques.
The challenge of Customer Security Management (CSM) makes Enterprise IT Security look like a "walk in the park". CSM requires the banks to manage and monitor the security of tens of millions of customer PCs running a myriad of disparate security products, a plethora of operating systems and patch levels, and now a number of other point product security solutions on top. We may as well ask customers to install OPSWAT or McAfee's EPO so that these solutions can be mashed into a working and viable security system.
Banks need to reflect on the broad aspect of the mission and avoid rushing forward with a solution that will require multiple components from too many vendors.
Key technologies certainly include Microsoft's Credentica (U-Prove) technology, may include Trusteer, also in the mix is RSA and a few others.
At Prevx we are trying to take a holistic view of Customer Security Management, building on but extending many of the Enterprise IT Security concepts. We believe the single most important element of CSM is intelligence. Banks need to be able to measure and understand the customer landscape. Having the management information is critical.
According to a report published by the US FDIC many banks are unable to explain how individual instances of internet fraud occurred. The conclusion was that the single biggest vector was "malicious software surreptitiously installed on the client PC". Given this is the reality of the situation the likelihood of prior infections by advanced rootkit technology would render many of the PC based solutions impotent, or worse lulling the user and the banks into believing that their connection was secure.
If a PC is under the control of a kernel level rootkit then nothing running on that PC is safe, nor can anything running on it create a safe harbor without detecting and removing the rootkit.
We believe the approach to Customer Security Management needs to encompass a wide array of safeguards:
Checking and if necessary disinfecting the PC
Informing the Web site that a PC is infected or may have been compromised
Verifying that the true web site has been reached
Knowing that this is THE user
Ensuring the transaction is not being monitored
Confirming that a transaction was intended by the user
Understanding what the landscape was on each transaction so that fraud can be retro-actively tied to cause
Automatic monitoring and real time black list blocking of known or suspected phishing sites
and several more
We have already launched Prevx eSAC, which is a solid foundation for Customer Security Management with intelligence at its core and a wide array of layered security features covering the above issues, all built into a single lightweight client whose first job is to verify if the PC is already infected.
We'd welcome some open dialogue with other vendors in this space. CSM is a big challenge that could well redefine our entire thoughts about consumer PC security.
Anyone else agree?
Mel Morris
CEO
Prevx
Banks confusing Consumers on PC Security
Anti Virus alone is not the answer.
The answer lies in a multiple layer approach from the firewall inward to the internal firewall, then local user account security, OS patches, antivirus and anti-spyware.
Yep, that's right, it ain't simple for inexperienced users. I have been successfully using Internet banking since about 3 months after it started and any problems have always been on the bank's end, not mine.
Makes sense
All software should be able to be RUN with normal user access, but even Microsoft has been known to put out a game that couldn't run as a non-admin.
More vendor hype, silver bullet solutions.....
You've obviously mistaken the educated security professionals at this site for people who give a rat's about your silver bullet solution products.
You've purposely penned a long winded, hyped up advertisement for your company into what was previously an intellectual discussion, generated by Liam and his great blog.
What's more, Mel Morris, security professionals are sick and tired of hearing your kind of meaningless vendor drivel. Like white noise, it all starts to sound the same after a while.
I suggest you try flogging your pots & pans elsewhere. And when you find such a marketplace for your products, here's a hint: Avoid using meaningless platitudes such as "holistic stance", "key technologies", "multiple point product solutions".
Get the message?
Security for consumers from the CISO's stance
If it scares customers, then it simply has not been put to them in the best manner.
Mel Morris, Liam etc - all sensible contributors to this discussion - do you frequently use this site or any other particular sites to network?
I'm looking for somewhere where I can find useful discussions such as these to help develop my IT roadmaps.
Abu
Simply Amazed
I am amazed a bank could publish the above statement. I will point out the obvious here and state that antivirus software only takes care of viruses (viruses, worms) and not malware.
"Software is considered malware based on the perceived intent of the creator rather than any particular features. Malware includes computer viruses, worms, trojan horses, most rootkits, spyware, dishonest adware, crimeware and other malicious and unwanted software."
Other programs are needed to tackle malware such as antispyware programs.
I know of only one antivirus product that does both; it's called AVG and is a hugely popular free download on the net.
Please, please, banks and others, stop publishing this misinformation about antivirus doing anything at all to protect against all malware!
Trusteer Rapport
Easy solution
InfoSec
Education.
Defense in depth.
Err ok
Only the free version is free... don't you ever ask yourself why?
easy to start/stop the service
To Remove Trusteer Rapport
Open Trusteer Rapport Console
Go to page 2 (green button in bottom right corner)
Security Policy - Edit Policy
Type in the code
Scroll down to Protect Rapport from Unauthorized Removal and choose Never.
Save
Close Console
Restart Computer
Now you should be able to remove Trusteer Rapport through Control Panel...
Banks are confusing etc.
Easy solution? Use Linux?