What is your response to the comments Sophos’s Graham Cluley made about research used to promote your software by RBS bank?
Graham was saying something like “the assumptions behind the research are wrong”. Basically RBS replaced that research with another one [the research has been removed by RBS]. It was there for a week or something like that but they took it off and they replaced it with other research which basically says something similar. It’s not a secret that the anti-virus industry has issues dealing with the current rate and sophistication of malware and you can find many reports from many independent groups mentioning that. The fact that RBS had research that Graham didn’t like for about a week doesn’t change the fact that the problem is still there and real.
Rapport appears to have received some positive reactions from the analyst community, but is there a danger the software could become a victim of its own success? The more banks that adopt it, the more it will become part of the landscape and something hackers know they have to contend with. Wouldn’t it be more prudent to have it unbranded and integrated into banking sites so hackers aren’t so aware of it?
There is more in Rapport than most people know about and that is the reason more and more banks are registering for this service. I guess the press, and customers and even security experts such as Graham [Cluley] are only exposed to a certain depth of the Rapport system but the Rapport system is much wider than that. It includes server components that operate at Trusteer … it is a very comprehensive system.
The goal of this system is to eventually prevent fraud. The biggest idea behind Rapport and the biggest change from traditional thinking is that the banks have visibility into security threats on the customer’s desktop and this is the most important part. Up until now if you look at desktop security it is detached from the enterprise of the organisation that experiences the fraud. Up till now end-point security had nothing to do with the bank’s system and this is the first system that integrates between the bank’s system and the end-point. If someone attacks Rapport or someone attacks the end-point, the bank knows about it and they can associate the attack with a specific customer that is being attacked, and they can take measures on the server side to protect your account.
Does that not throw up some privacy issues with banks being effectively plugged into a customer’s desktop to some degree?
You have the ability when you install the software to decide whether you want to report security incidents to the bank or not. We really don’t see a reason for someone not to report a security event to the bank because that is a clear benefit for the customer. If something is wrong and the account is under attack, the bank can prevent any losses. But it is completely up to the user, whether they want to install it or not and whether they want to approve the information to go to the bank.
It is optional but the way it is offered is slightly intrusive, don’t you think? A pop-up appears every time an HSBC customer logs into their online account asking if they wish to download Rapport and there is no “don’t remind me in the future” option.
View Comments
How about putting the VPN and IP stack on an embedded device? If they can't write to it, then they can't hack it. And seeing as Rapport is just another Windows process it's just as vulnerable as any other prog.
Thanks for that. We'd like to hear from anyone who's used Rapport and what their experiences have been?
These days, surely they can make a calculator-sized device that can connect to the bank using a customer's wireless connection and allow a customer to do transactions without involving their malware-ridden desktop PC - is there anyone owning a PC anymore who DOESN'T have malware? I've not seen a PC that works reliably in a long time.