Trusteer scraps with analysts over 'bank security bypass'

Building a good Rapport

Trusteer continues to spar with researchers at Digit Security over claims that it might be possible to bypass Trusteer's online banking security technology Rapport.

Digit Security said Trusteer has responded to concerns over the effectiveness of its technology with marketing claims rather than meaningful dialogue. The dispute follows research the infosec firm presented at the 44Con conference last month, arguing that Rapport's anti-keylogging technology could be 'switched off' using functionality built into the software itself.

In the presentation, and a follow-up piece in The Times, Digit Security said that shortcomings in the anti-keylogging system are the result of design weaknesses rather than security bugs as such.

Trusteer told El Reg last week that it had addressed the flaws discovered by Digit Security. It disputed whether the flaws could ever have led to practical attacks (not least because secondary protection mechanisms built into Rapport would have blocked them) and criticised Digit Security for failing to follow "responsible disclosure" guidelines by going public about a vulnerability without giving the software's developers adequate time to fix it.

Digit Security strongly disputes that it acted irresponsibly, saying that it provided Trusteer with complete information on its presentation at 44Con days after the event and two weeks before it released a proof-of-concept demo on 21 September. The demo used Trusteer code to decrypt keys.

"The information disclosed at 44Con related to the implementation of the anti-keylogging protections in Trusteer Rapport," Neil Kettle of Digit Security told El Reg. "I reverse-engineered the functionality and thus demonstrated that the ability to decrypt keys was present and available to any program running on the system on both Windows and OS X."

Kettle claimed that Trusteer had been ineffective in dealing with the threat his company had discovered. Kettle explained: "With respect to the 'fix' for OS X, there have been two so far that I have been able to obtain. The first of those was trivially subverted, with only minor changes to the code. The second was subverted within 30 minutes. I have not been able to verify the many Windows versions, but the last one didn't fix anything, for instance the 'SetWindowsHookEx' protections."

Kettle added that Trusteer has yet to address other aspects of Digit Security's research, including the allegation that the firm uses a rudimentary substitution cipher for its "keyboard encryption". A blog post by Digit Security sets out its continuing reservations about the effectiveness of Trusteer's technology.
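To show why a substitution cipher is a weak basis for keystroke protection, here is an added illustration. It is not code from Trusteer or Digit Security and does not reproduce Rapport's actual mechanism, which the article only reports as an allegation; it models a hypothetical product that remaps each keystroke through one fixed, secret permutation before a keylogger-visible layer sees it. The URL and password are constructed sample inputs. The point it demonstrates: a single known plaintext (a page address the attacker watched the victim type) recovers every table entry it touches, and the "encrypted" password then reads off with only the characters absent from the known text still hidden.

```python
# Added illustration of a known-plaintext attack on keystroke "encryption"
# built from a fixed substitution table. Hypothetical scheme, constructed
# inputs; not Trusteer's or Digit Security's code.
import random

# Keys the hypothetical product scrambles (assumed alphabet for the demo).
ALPHABET = "abcdefghijklmnopqrstuvwxyz0123456789./:@-_"


def make_table(seed):
    """Hypothetical per-session substitution table: one random permutation
    of ALPHABET, chosen once and applied to every keystroke."""
    rng = random.Random(seed)
    shuffled = list(ALPHABET)
    rng.shuffle(shuffled)
    return dict(zip(ALPHABET, shuffled))


def scramble(table, keystrokes):
    """What a keylogger sitting below the 'encryption' layer would capture:
    each typed character replaced by its table entry."""
    return "".join(table.get(ch, ch) for ch in keystrokes)


def recover_table(known_plain, observed):
    """Known-plaintext attack: align what the attacker knows was typed with
    the captured substitutes. Each aligned pair gives one inverse entry;
    a contradiction would mean the scheme is not a plain substitution."""
    if len(known_plain) != len(observed):
        raise ValueError("known plaintext and capture differ in length")
    inverse = {}
    for p, c in zip(known_plain, observed):
        if c in inverse and inverse[c] != p:
            raise ValueError("inconsistent mapping: not a fixed substitution")
        inverse[c] = p
    return inverse


def decrypt(inverse, observed):
    """Apply the recovered inverse table; characters never seen in the known
    plaintext are still unknown and are shown as '?'."""
    return "".join(inverse.get(c, "?") for c in observed)


def attack_demo(seed=1234):
    """End-to-end run. Returns the attacker's view of the captured password.
    The result does not depend on the seed: any permutation is undone the
    same way once its entries are recovered."""
    table = make_table(seed)
    # Constructed sample inputs: a URL the attacker saw the victim visit,
    # then the secret the victim typed next.
    url_plain = "https://www.example-bank.com/login"
    password_plain = "correct-horse-9"

    url_seen = scramble(table, url_plain)          # captured by the keylogger
    password_seen = scramble(table, password_plain)

    inverse = recover_table(url_plain, url_seen)   # one known plaintext
    return decrypt(inverse, password_seen)


if __name__ == "__main__":
    # Expected: "co??ect-ho?se-?"; only 'r' and '9' never appeared in the URL.
    print(attack_demo())
```

Every password character that also occurs in the known URL is recovered outright; the two that do not ('r' and '9') are the only ones still masked, and a second captured page or ordinary letter-frequency counts over a longer session would fill those in. That is the practical meaning of "rudimentary": a fixed substitution leaks the key with every keystroke the attacker can already guess.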

In a statement, Oren Kedem, director of product marketing at Trusteer, said it had already responded to the Digit Security original research. He said Trusteer would review further representations, providing they are shared responsibly:

Trusteer has already provided our response to Mr Kettle's claims. If Mr Kettle believes he has additional comments on our recent fix, he is welcome to share them with us in a responsible manner and we will review and take the appropriate steps to address them.

Trusteer Rapport is a transaction security technology, a component of Trusteer's fraud prevention system used by more than 150 financial institutions around the world to detect and block fraudulent transactions. ®
