A number of readers recently have written in to say their banks have urged customers to install a security program called Rapport as a way to protect their online bank accounts from fraud. The readers who pinged me all said they didn’t know much about this product, and did I recommend installing it? Since it has been almost two years since I last reviewed the software, I thought it might be useful to touch base with its creators to see how this program has kept pace with the latest threats.
The basics elements of Rapport – designed by a company called Trusteer — haven’t changed much. As I wrote in May 2008, the software works by assuming control over the application programming interfaces or APIs in Windows, the set of tools which allow software developers to create programs that interact with key Windows functionalities.
From that 2008 piece:
“Some of today’s nastiest data-stealing malware works by hijacking these Windows APIs. For example, keyloggers simply hijack or ‘hook’ the Windows API that handles the transmission of data from user interfaces, such as the keyboard and mouse. A more advanced type of malware – known as a ‘form grabber’ – hijacks the ‘WinInet‘ API – which sets up the SSL (think https://) transaction between the user’s browser and the encrypted Web site. By hijacking this API, a form grabber can rip out usernames and passwords even when the user is submitting them into a site that encrypts the data during transmission because it grabs that information at the lower level of the operating system, before it is encrypted.
Trusteer’s software examines these and other vital Windows APIs to see if any other process is trying to intercept sensitive data. It then blocks those that do.”
I spoke last week with Trusteer CEO Mickey Boodaei about his company’s software, how it has changed over the years, and what’s new about it.
BK: A lot of customers are being asked to download the software and don’t know much about Trusteer or Rapport. One customer wrote in banked at BBVA, and another was with Fifth Third. Both banks very recently had multiple customers lose hundreds of thousands of dollars to the sort of online banking fraud I’ve been writing about lately.
MB: Well, the more press coverage we get, the more it will help build familiarity with our brand among consumers.
BK: Since we last talked, you were working with just a handful of banks — such as ING. Can you talk about how the business has grown and who you’re partnering with now?
MB: Over the last year in the U.S., we’ve been seeing a significant change in the amount of interest we’re getting from banks, especially around business banking. It looks like banks are getting really worried about it, as many have seen fairly significant fraud losses. Right now in North America we have around 50 banks using our technology, and few others in the United Kingdom.
Read on after the jump for my thoughts on this software, and a discussion of some of the malware that specifically targets Rapport.
BK: So in a nutshell, what does your company do for the banks you work with?
MB: Each bank we sign, we’re analyzing older fraud incidents and finding which malware variants are attacking them and their customers. We then make sure we have multi-layers of protection on the server side that can address these threats.
BK: Are you working with any banks that are making your software mandatory as a prerequisite for online banking?
MB: We do have a couple of banks that have recently signed and plan to make it mandatory for business banking.
BK: Can you say which ones?
MB: Not right now. They’re not big banks, each has about 5,000 to 10,000 business customers. So we’ll kind of experiment with that. But currently we’re not recommending our customers to make it mandatory.
BK: Why not?
MB: Well based on how it goes with these two banks, we may change our approach. The main reason is that we don’t want this to be perceived as something that is being forced on customers. That generates a negative vibe with customers and we really don’t want that. We want to push banks to educate their customers about the problem.
BK: I noticed there were several recent malware samples that attack or disable Rapport. Did you think your software would become a target at some point?
MB: Definitely, that was one of the key assumptions we had: That if we are successful from blocking malware from committing fraud, we’ll become a serious target for criminals. We are seeing targeted attacks coming from serious organized crime that are trying very hard to find ways around our solution.
BK: If I install Rapport and bank at an institution that also uses it on their end, what can I expect?
MB: Our software integrates into the bank’s site and communicates with the [Rapport] software installed on customer machines, and the two of them can work together so that the bank can effectively measure what the software does on the customer’s desktop. Whenever the customer logs into the bank’s site, the bank knows whether Rapport is there, whether it’s up to date, whether its been attacked or compromised.
BK: So your software ships updates, sort of like an anti-virus solution?
MB: We’re basically pushing updates almost on a weekly basis. These are not signature updates, but updates to our security mechanisms to the way the product works.
BK: So you’re fairly confident your software can detect and block most of the attacks we’re seeing from things like the ZeuS Trojan and other sophisticated threats?
MB: With ZeuS we have multiple layers of protection. Obviously, the core technology is to prevent ZeuS from entering the browser in the first place. On top of that, we’ve added a few layers of protection in the last couple of years, so that we prevent ZeuS from being downloaded to the customers’ machines, and we prevent the installation of ZeuS.
But take a look at the main solutions out there to combat these threats — anti-virus software. The detection for things like [the latest, most advanced versions] of ZeuS by anti-virus software dropped from like 50 percent to close to zero, because the [ZeuS author] changed everything so that even after it’s installed, it looks completely different from one computer to another.
That said, our software is not a silver bullet to anything. It’s not going to solve all the problems that the banks and industry have. But we do believe that it adds real value, especially when integrated into a bank’s bigger fraud detection mechanisms.
Trusteer’s product certainly raises the bar for malware writers, and forces them to deploy Rapport-specific attacks to plant malicious software on a user’s PC. Spanish security firm S21sec said recently it had confirmed in lab tests “that ZeuS cannot grab any data in a machine where this software is installed. Unfortunately, the ZeuS guys haven’t just been lazing around; in one of the latest samples of of the Trojan, we have seen how ZeuS, right after infecting a computer, downloads and executes a second file whose purpose is to render useless this software.”
Nevertheless, I think Rapport would be a decent, low-impact addition to the security of any PC user banking online with Windows. But I’m a bit on the fence about recommending this for businesses, mainly because companies that lose money due to stolen online banking credentials are almost always on the hook for those losses. Increasingly, though, victimized businesses end up suing their banks to recover some of the losses, usually arguing that their banks should have done more to detect the fraud.
In these cases, a critical legal question that often arises is whether the thieves compromised the customer’s system or that of the bank’s. I mention this because Trusteer recently built a new component into Rapport called Flashlight, which tries to give partner banks the ability to remotely check to see if their customers’ systems are infected with malicious software. Whether the banks will proactively use that feature to stop online banking fraud is unclear, but such a feature would make it tougher for small and mid-sized businesses that lose money to online bank fraud to claim that their computers weren’t the sole cause of the loss.
Small to mid-sized businesses probably would do better to rely on a Live CD approach on PCs used for online banking. More information on this method is available here and here.