Banks are confusing consumers on PC security

Banks obviously have an interest in making consumers feel safe. They are there to protect the customers' money. They want customers to use their online services, too, because the channel offers a lower cost per transaction than a branch. But giving away free security software to make customers feel safe is probably doing more harm than good.
Written by Liam Tung, Contributing Writer

See the bottom of this article for a clarification.

I'm not surprised that consumers have a difficult time grasping the idea of computer security. In Australia, banks such as the Commonwealth subsidise antivirus. The good news is that CBA customers can buy CA antivirus for AU$35 instead of AU$65. The bad news is that the bank exaggerates massively, claiming that with antivirus the threat of malware is removed entirely: "By offering you personal security software, we can help to eliminate this threat [of malware]," says the bank's FAQ page.

CBA customers are likely to walk away feeling completely safe with their new antivirus, yet security professionals know this not to be the case. At this year's AusCERT conference, Cisco's chief security officer, John Stewart, echoed what many security observers have said: that antivirus is not enough to eliminate today's threats because malware writers can create new malware faster than AV vendors can write signatures.

So who should consumers believe? The security professional or the organisation they entrust their savings to?

ING Direct USA also recently announced it is giving away 6.5 million licences of Trusteer's Rapport security software to its customers.

According to Trusteer, the software works by monitoring the interface between applications and an operating system for malware, encrypting information sent from the computer and authenticating ING's website.

The application, which can be downloaded from ING's website, creates a so-called "secure pipe" between a PC — not a Mac or Linux system — and the bank's network. ING boldly claims that Rapport protects against Man In The Browser and Man In The Middle attacks, keyloggers, screen grabbers, pharming, and phishing — "even on infected PCs".

Again, if consumers believe the bank, they should walk away feeling entirely safe. However, they are then given another confusing message: whether or not they install the application, ING will refund customers if their PCs have been hacked and money is stolen.

But here's where it gets really confusing for customers: to run the Rapport software, users have to install it with Administrator privileges [see clarification below] — a practice Microsoft's top security people have been urging customers to avoid in order to mitigate the threat of malware.

Security consultant Ty Miller from Pure Hacking explained why: "Vista bases much of its security around not running as Administrator to prevent your system becoming compromised in the first place, so if users are required to run programs as Administrator then they may actually be introducing additional risk to the user's operating system."

The customer has obviously placed some level of trust in both organisations, yet each gives different advice. So again, who should the customer believe?

In this instance, I'd actually say, place your bets on Microsoft. According to the CIO of ING Direct USA — a bank which promotes itself as ranked by the University of California as "America's safest bank" — it still sends its customers email alerts for their statements that include URL links. It's pretty amazing the "safest bank" still does this, given the prevalence of phishing scams in the US.

Banks often claim that education is the key to making customers actually safe. Well, if this is true, banks shouldn't blind customers to the realities of malware protection with exaggerated claims about the level of security they provide.

This is to clarify that Rapport can be installed without administrator privileges; however, the product may not work as described by Trusteer if users are not operating in Administrator mode.

http://www.trusteer.com/board-directors

Mickey Boodaei, Trusteer's CEO, contacted ZDNet.com.au to clarify that Trusteer Rapport does not require Administrator privileges to run.

"If you run Rapport as administrator it provides its protection from the OS kernel. If you don't have admin privileges Rapport will run from user-space and will protect you mainly against user-space attacks. The logic is simple: if you run as non-admin you're less exposed to kernel-level malware. However, you're still exposed to user-space malware (most malware today can install itself either way) and this is the gap that Rapport closes for you. Either way, Rapport will significantly improve your online security," he said.