If You Can’t Beat Malware, Tunnel Through It

As a banking security expert, what is your opinion of HSBC’s decision to allow its customers to save their log-in ID in their browser [also criticised by Cluley]?

I think it has always been there as far as I know. It has nothing to do with Trusteer or Rapport. I think it is more of a user experience, convenience issue … it’s definitely not something they did because of Rapport. Our software is optional for their customers so there is no reason to change the way their application works because of Rapport.

HSBC contends that they allow users to save their ID as the risk of key-logging software is higher than the risk that someone will be able to access your home computer without your permission. But interestingly, cutting the risk of key-logging is one of the things that Trusteer claims Rapport does well?

Basically I think each bank has its threat analysis they are running. As you probably know the banks are very sensitive to fraud so they do have things in place and they do know exactly where fraud is coming from with regard to their customers. I don’t have any positive information on that but I am sure any decisions they make are backed up by their threat analysis and they will not do anything that exposes the bank to additional fraud losses. If the customer experiences fraud then in most cases the bank would pay for that, so I really see no need for them to increase their exposure unless it is a very calculated risk and they know what they are doing.

I suppose that they also have to weigh the cost in terms of helpdesk hours of forgotten ID numbers against that? Saving IDs cuts down on the number of people you have to have in your call centre responding to those kinds of inquiries? Would you feel comfortable having your ID saved locally like that? Other security experts wouldn’t.

Our expertise is financial malware which is one of the biggest threats to online banking today. From a financial malware perspective it doesn’t really matter if the user is saving the user ID or not. Once the financial malware gains access to the customer’s computer, it can read the information regardless of whether it has been saved or not. If banks do see the threat and losses increasing from this kind of behaviour then they will change it. There is no reason to do things that will increase the amount of money they lose from fraud.

What is your relationship with browser companies? Is the natural evolution for Rapport to be integrated directly into the next version of Firefox or Internet Explorer to improve the online banking experience?

Rapport plugs into your computer in various places. It plugs into the operating system, the browser. But it’s not just a browser component, it is more than that. We would be more than happy to work with any browser vendor that wants to enhance the default security that is included in the browser. It is in our customers’ best interests to have wider distribution of the software and to have it included in browsers and operating systems as it helps the banks with the distribution process.


Andrew Donoghue

View Comments

  • How about putting the VPN and IP stack on an embedded device. If they can't write to it, then they can't hack it. And seeing as Rapport is just another Windows process it's just as vulnerable as any other prog.

  • Thanks for that. We'd like to hear from anyone who's used Rapport and what their experiences have been?

  • These days, surely they can make a calculator-sized device that can connect to the bank using a customer's wireless connection and allow a customer to do transactions without involving their malware-ridden desktop PC - is there anyone owning a PC anymore who DOESN'T have malware? I've not seen a PC that works reliably in a long time.
