If You Can’t Beat Malware, Tunnel Through It

Trusteer’s methods of tackling malware have seen it clash with other established security specialists. The company’s CEO, Mickey Boodaei, answers the critics.

As a banking security expert, what is your opinion of HSBC’s decision to allow its customers to save their log-in ID in their browser [also criticised by Cluley]?

I think it has always been there as far as I know. It has nothing to do with Trusteer or Rapport. I think it is more of a user experience, convenience issue … it’s definitely not something they did because of Rapport. Our software is optional for their customers, so there is no reason to change the way their application works because of Rapport.

HSBC contends that they allow users to save their ID as the risk of key-logging software is higher than the risk that someone will be able to access your home computer without your permission. But interestingly, cutting the risk of key-logging is one of the things that Trusteer claims Rapport does well?

Basically, I think each bank has its threat analysis they are running. As you probably know, the banks are very sensitive to fraud, so they do have things in place and they do know exactly where fraud is coming from with regard to their customers. I don’t have any positive information on that, but I am sure any decisions they make are backed up by their threat analysis and they will not do anything that exposes the bank to additional fraud losses. If the customer experiences fraud then in most cases the bank would pay for that, so I really see no need for them to increase their exposure unless it is a very calculated risk and they know what they are doing.

I suppose that they also have to weigh the cost in terms of helpdesk hours of forgotten ID numbers against that? Saving IDs cuts down on the number of people you have to have in your call centre responding to those kinds of inquiries? Would you feel comfortable having your ID saved locally like that? Other security experts wouldn’t.

Our expertise is financial malware which is one of the biggest threats to online banking today. From a financial malware perspective it doesn’t really matter if the user is saving the user ID or not. Once the financial malware gains access to the customer’s computer, it can read the information regardless of whether it has been saved or not. If banks do see the threat and losses increasing from this kind of behaviour then they will change it. There is no reason to do things that will increase the amount of money they lose from fraud.

What is your relationship with browser companies? Is the natural evolution for Rapport to be integrated directly into the next version of Firefox or Internet Explorer to improve the online banking experience?

Rapport plugs into your computer in various places. It plugs into the operating system, the browser. But it’s not just a browser component, it is more than that. We would be more than happy to work with any browser vendor that wants to enhance the default security that is included in the browser. It is in our customers’ best interests to have wider distribution of the software and to have it included in browsers and operating systems as it helps the banks with the distribution process.