Banks are confusing consumers on PC security

Banks are confusing consumers on PC security

Summary: Banks obviously have an interest in making consumers feel safe. They are there to protect the customers' money. They want customers to use their online services, too, because the channel offers a lower cost per transaction than a branch. But giving away free security software to make customers feel safe is probably doing more harm than good.


See the bottom of this article for a clarification.

Banks obviously have an interest in making consumers feel safe. They are there to protect the customers' money. They want customers to use their online services, too, because the channel offers a lower cost per transaction than a branch. But giving away free security software to make customers feel safe is probably doing more harm than good.

I'm not surprised that consumers have a difficult time grasping the idea of computer security. In Australia, banks such as the Commonwealth subsidise antivirus. The good news is that CBA customers can buy CA antivirus for AU$35 instead of AU$65. The bad news is that the bank exaggerates massively, claiming that with antivirus the threat of malware is removed entirely: "By offering you personal security software, we can help to eliminate this threat [of malware]," says the bank's FAQ page.

CBA customers are likely to walk away feeling completely safe with their new antivirus, yet security professionals know this not to be the case. At this year's AusCERT conference, Cisco's chief security officer, John Stewart, echoed what many security observers have said: that antivirus is not enough to eliminate today's threats because malware writers can create new malware faster than AV vendors can write signatures.

So who should consumers believe? The security professional or the organisation they entrust their savings to?

ING Direct USA also recently announced it is giving away 6.5 million licences of Trusteer's Rapport security software to its customers.

According to Trusteer, the software works by monitoring the interface between applications and an operating system for malware, encrypting information sent from the computer and authenticating ING's website.

The application, which can be downloaded from ING's website, creates a so-called "secure pipe" between a PC — not a Mac or Linux system — and the bank's network. ING boldly claims that Rapport protects against Man In The Browser and Man In The Middle attacks, keyloggers, screen grabbers, pharming, and phishing — "even on infected PCs".

Again, if consumers believe the bank, they should walk away feeling entirely safe. However, they are then given another confusing message: whether or not they install the application, ING will refund customers if their PCs have been hacked and money is stolen.

But here's where it gets really confusing for customers: to run the Rapport software users have to install it with Administrator privileges [see clarification below] — a practice which Microsoft's top security people have been preaching customers to avoid to mitigate the threat of malware.

Security consultant Ty Miller from Pure Hacking explained why: "Vista bases much of its security around not running as Administrator to prevent your system becoming compromised in the first place, so if users are required to run programs as Administrator then they may actually be introducing additional risk to the user's operating system."

The customer has obviously placed some level of trust in both organisations, yet each give different advice. So again, who should the customer believe?

In this instance, I'd actually say, place your bets on Microsoft. According to the CIO of ING Direct USA — a bank which promotes itself as ranked by the University of California as "America's safest bank" — it still sends its customers email alerts for their statements that include URL links. It's pretty amazing the "safest bank" still does this, given the prevalence of phishing scams in the US.

Banks often claim that education is the key to making them actually safe. Well, if this is true, banks shouldn't blind customers to the realities of malware protection by exaggerating claims about the level of security they have.

This is to clarify that Rapport can be installed without administrator privileges, however the product may not work as described by Trusteer if users are not operating under Administrator mode.

Mickey Boodaei, Trusteer's CEO contacted to clarify that Trusteer Rapport does not require Administrator privileges to run.

"If you run Rapport as administrator it provides its protection from the OS kernel. If you don't have admin privileges Rapport will run from user-space and will protect you mainly against user-space attacks. The logic is simple: if you run as non-admin you're less exposed to kernel-level malware. However, you're still exposed to user-space malware (most malware today can install itself either way) and this is the gap that Rapport closes for you. Either way, Rapport will significantly improve your online security," he said.

Topics: Security, Banking, Malware

Liam Tung

About Liam Tung

Liam Tung is an Australian business technology journalist living a few too many Swedish miles north of Stockholm for his liking. He gained a bachelors degree in economics and arts (cultural studies) at Sydney's Macquarie University, but hacked (without Norse or malicious code for that matter) his way into a career as an enterprise tech, security and telecommunications journalist with ZDNet Australia. These days Liam is a full time freelance technology journalist who writes for several publications.

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.


Log in or register to join the discussion
  • Rapport software install

    The article says it has to be installed as an administrator - then leaps to say people shouldn't run as an administrator. I can't see the link - just because it requires admin privileges to install doesn't mean it needs them to run!
  • Admin

    Trusteer Rapport doesn't require admin rights
  • Banks need to focus on Customer Security Management

    Banks must take an holistic stance on Customer Security Managament if they are to succeed in stemming the rising tide of internet and banking fraud. This also applies to large scale eCommerce/Web 2.0 businesses too.

    Banks are already looking to implement multiple point product solutions to handle individual aspects of Customer Security Management. Examples are out of band authentication devices (I have 3 from different financial institutions already), quite a few are looking at browser virtualization and transaction encapsulation techniques.

    The challange of Customer Security Management (CSM) makes Enterprise IT Security look like a "walk in the park". CSM requires the banks to manage and monitor the security of tens of millions of customer PCs running a myriad of disperate security products, a plethora of operating systems and patch levels, and now a number of other point product security solutions on top. We may as well ask customers to install OPSWAT or McAfee's EPO so that these solutions can be mashed into a working and viable security system.

    Banks need to reflect on the broad aspect of the mission and avoid rushing forward with a solution that will require multiple components from too many vendors.

    Key technologies certainly include Microsoft's Credentica (U-Prove) technology, may include Trusteer, also in the mix is RSA and a few others.

    At Prevx we are trying to take an holistic view of Customer Security Management building on but extending many of the Enterprise IT Security concepts. We believe the single most important element of CSM is intelligence. Banks need to be able to measure and understand the customer landscape. Having the management information is critical.

    According to a report published by the US FDIC many banks are unable to explain how individual instances of internet fraud occurred. The conclusion was that the single biggest vector was "malicious software surreptitiously installed on the client PC". Given this is the reality of the situation the likelihood of prior infections by advanced rootkit technology would render many of the PC based solutions impotent, or worse lulling the user and the banks into believing that their connection was secure.

    If a PC is under the control of a kernel level rootkit then nothing running on that PC is safe, nor can anything running on it create a safe harbor without detecting and removing the rootkit.

    We believe the approach to Customer Security Management needs to encompass a wide array of safe guards:

    Checking and if necessary disinfecting the PC

    Informing the Web site that a PC is infected or may have been compromised

    Verifying that the true web site has been reached

    Knowing that this is THE user

    Ensuring the transaction is not being monitored

    Confirming that a transaction was intended by the user

    Understanding what the landscape was on each transaction so that fraud can be retro-actively tied to cause

    Automatic monitoring and real time black list blocking of know or suspected phishing sites

    and several more

    We have already launched Prevx eSAC which is a solid foundation for Customer Security Management with intelligence at its core and a wide array of layered security features covering the above issues, all built into a single light weight client whose first job is to verify if the PC is already infected.

    We'd welcome some open dialogue with other vendors in this space. CSM is a big challenge that could well redefine our entire thoughts about consumer PC security.

    Anyone else agree?

    Mel Morris
  • Banks confusing Consumers on PC Security

    OMG, like why listen to a bank about online security. Theyt need to stick to what they do best, banking!

    Anti Virus alone is not the answer.

    The answer lies in a multiple layer approach from the firewall inward to internal firewall. then local user account security, OS patches, Antivirus and Anti spyware.

    Yep thats right it aint simple for inexperineced users. I have been successfully using Internet banking since about 3 months afetr it started and any problems have always been on the banks end not mine.
  • Makes sense

    It makes sense that you would need to have admin rights to INSTALL AV software. Unfortunately some AV vendors and many other software makers have not cottoned on to the idea that PCs can actually be used by more than one person - some with limited access.

    All software should be able to be RUN with normal user access but even Microsoft has been known to put out a game that couldnt run as a non-admin.
  • More vendor hype, silver bullet solutions.....

    @Mel Morris, CEO, Prevx

    You've obviously mistaken the educated security professionals at this site for people who give a rats your silver bullet solution products.

    You've purposely penned a long winded, hyped up advertisement for your company into what was previously an intellectual discussion, generated by Liam and his great blog.

    Whats more, Mel Morris, security professionals are sick and tired of hearing your kind of meaningless vendor drivel. Like white noise, It all starts to sound the same after a while.

    I suggest you try flogging your pots & pans elsewhere. And when you find such a marketplace for your products, here's a hint: Avoid using meaningless platitudes such as "holistic stance", "key technologies", "multiple point product solutions".

    Get the message ?
  • Security for consumers from the CISO's stance

    This is not an initiative that we have considered previously, but for all of the negative comments raised herein, I can still see VALUE in the idea of providing your customers with their own security facilities. Much of what consumers will hear regarding data security in the financial world will obviously pertain to the types of issues you and I deal with daily on an internal level - but the notion that consumers can 'do their bit' for overall IT security is definitely a sensible one.
    If it scares customers, then it simply has not been put to them in the best manner.

    Mel Morris, Liam etc - all sensible contributors to this discussion - do you frequently use this site or any other particular sites to network?
    I'm looking for somewhere where I can find useful discussions such as these to help develop my IT roadmaps.

  • Simply Amazed

    "with antivirus the threat of malware is removed entirely: "

    I am amazed a bank could publish the above statement. I will point out the obvious here and state that antivirus software only takes care of Virus's (virus's, worms) and not malware

    "Software is considered malware based on the perceived intent of the creator rather than any particular features. Malware includes computer viruses, worms, trojan horses, most rootkits, spyware, dishonest adware, crimeware and other malicious and unwanted software."

    Other programs are needed to tackle malware such as antispyware programs.

    I know of only one antivirus product that does both its called AVG and is a hugely popular free download on the net.

    Please please banks and others stop publishing this misinformation about antivirus doing anything at all to protect against all malware !
  • Trusteer Rapport

    I have been encouraged by my bank, Royal Bank of Scotland, to download this as an added layer of security for online banking transactions, allegedly compatible with security software already installed. Unfortunately, Rapport has now taken over my PC and is slowing down every other piece of software on the machine. I am unable to terminate the RapportService.exe on Windows Task Manager and the program is not visible on Control Panel Add/Remove software. Royal Bank of Scotland Online Banking Support have now refused to accept responsibility for dealing with the problem and wish me to contact Trusteer direct: in other words, complete abrogation of responsibility for inflicting this pestilence on me in the first place. Advice to RBS customers: do not touch this with a bargepole.
  • Easy solution

    Use Linux. No matter what you wanna say about no system being 100 per cent secure, how many people who use Linux have been victims of online fraud? Answers on a postcard
  • InfoSec

    There are only two things that will stand you in good stead.

    Defense in depth.
  • Err ok

    AVG.. ahem.. ok..

    Only the free version is free.. don't you ever ask yourself why?
  • easy to start/stop the service

    You can go to your services and start/stop Rapport Management Service from there. You should also have no problem uninstalling Rapport. I've done both of the above without problem on Windows XP and Vista.
  • To Remove Trusteer Rapport

    To enable removing:
    Open Trusteer Rapport Console
    Go to page 2 (green button in bottom right corner)
    Security Policy - Edit Policy
    Type in the code
    Scroll down to Protec Rapport from Unathorized Removal and choose Never.
    Close Console
    Restart Computer

    Now you should be able to remove Trusteer Rapport through Control Panel...
  • Banks are confusing etc.

    Trusteer Rapport is a useful tool, Banks that have deployed it to users do not force its use on you, but as they indemnify against losses should you employ it. Then they are putting thir money where therir mouths are. So I support the Banks on this. I NEVER expect Microsoft to give me money under any pretext. Neither does Microsoft accept liability for your losses over a host of its applications. There would not be Antivirus and anti malware as independent providers if it werew something Microsoft did best.
  • Easy solution? Use Linux?

    The fact is that if Windows and Linux were on an equal level of computers/users etc. Then they would share roughly the same amount of disruption due to stupid clots tampering with their respective Operating Systems. As it is there are insufficient users of Linux, a benefit of which is lack of interest from hackers who like grafitti artists want as large an audience as possible. Unix which is closely allied to Linux was very reliable but when it crashed (Not due to hackers) it could take 3 days to restore.
  • Re:

    Great point!
  • My problem with Rapport is that its a big CPU HOG with a big H . I have it running right now and not online to any bank and my windows XP Pro Task Manager tells me that Rapport Truster is using 34760K under RapportService.exe and under RapportMgmtser.exe it using 34696 K just idling .This is close to 70,000K not doing any thing . Have read the comments from other users and it says That truster has a anti Phishing ability in the browers etc . I use Bitdefender as a anti virus which has this in it . And use Online Armor for a firewall that tells me where everything is going and gives me an IP address log and also asks me if I want to let anything access the internet both directions and gives me a name plus the IP address . This is some what like the old Sygate Pro firewall which was great . Have a problem with the CPU running at 100 per cent and going to have to dump Rapport for being a CPU HOG .IE8 is also a CPU Hog have it always running when not in use and when open its has 3 listings in the Task Manager . Have gone in to Services and delayed some items on start up but have at least 9 svchost.exe's running all the time which are also CPU hogs . Have shut down auto updates and only use it when no one is on the PC and let it run . Have gone to task manager and shut down wuaaudt.exe and ctfmon.exe while using PC to reduce CPU load but its only a temp fix until the PC is shut down and restarted .They return automatically . Have used three registry cleaners both free and purchased and they seem to miss bits and parts of old programs left in the Registry when programs have been uninstalled . Even have found old names of past firewall's and anti virus programs and removed them manually in the Registry by using regedit in Run. Truster Rapport is a CPU HOG with a big H and other anti virus and firewall programs do the same thing as Rapport and use less CPU K's