Feeds

Trusteer scraps with analysts over 'bank security bypass'

Building a good Rapport

SANS - Survey on application security programs

Trusteer continues to spar with researchers at Digit Security over claims that it might be possible to bypass Trusteer's online banking security technology Rapport.

Digit Security said Trusteer has responded to concerns over the effectiveness of its technology with marketing claims, rather than meaningful dialogue. This is after the infosec firm presented research at the 44Con conference last month arguing that Rapport's anti-logging technology could be ‘switched off’ using functionality built into the software.

In the presentation, and a follow-up piece in The Times, Digit Security said that shortcomings in the anti-keylogging system are the result of design weaknesses rather than security bugs as such.

Trusteer told El Reg last week that it had addressed the flaws discovered by Digit Security. It disputed whether the flaws could have ever led to practical attacks (not least because secondary protection mechanisms built into Rapport would have blocked it) and criticised Digit Security for failing to follow "responsible disclosure" guidelines by going public about a vulnerability without giving software developers adequate time to fix it.

Digit Security strongly disputes that it acted irresponsibly, saying that it provided Trusteer with complete information on its presentation at 44Con days after the event and two weeks before it released a proof-of-concept demo on 21 September. The demo used Trusteer code to decrypt keys.

"The information disclosed at 44Con related to the implementation of the anti-keylogging protections in Trusteer Rapport," Neil Kettle of Digit Security told El Reg. "I reverse-engineered the functionality and thus demonstrated that the ability to decrypt keys was present and available to any program running on the system on both Windows and OS X."

Kettle claimed that Trusteer had been ineffective in dealing with the threat his company had discovered. Kettle explained: "With respect to the 'fix' for OS X, there have been two so far that I have been able to obtain. The first of those was trivially subverted, with only minor changes to the code. The second was subverted within 30 minutes. I have not been able to verify the many Windows versions, but the last one didn't fix anything, for instance the 'SetWindowHookEx' protections."

Kettle added that Trusteer has yet to even address other aspects of Digit Security's research, including allegations that the firm uses a rudimentary substitution cipher for "keyboard encryption". A blog post by Digit Security explaining its continuing reservations about the effectiveness of Trusteer's technology can be found here.

In a statement, Oren Kedem, director of product marketing at Trusteer, said it had already responded to the Digit Security original research. He said Trusteer would review further representations, providing they are shared responsibly:

Trusteer has already provided our response to Mr Kettle's claims. If Mr Kettle believes he has additional comments on our recent fix, he is welcome to share them with us in a responsible manner and we will review and take the appropriate steps to address them.

Trusteer Rapport is a transaction security technology, a component of Trusteer's fraud prevention system used by more than 150 financial institutions around the world to detect and block fraudulent transactions. ®

Combat fraud and increase customer satisfaction

More from The Register

next story
Parent gabfest Mumsnet hit by SSL bug: My heart bleeds, grins hacker
Natter-board tells middle-class Britain to purée its passwords
Samsung Galaxy S5 fingerprint scanner hacked in just 4 DAYS
Sammy's newbie cooked slower than iPhone, also costs more to build
Obama allows NSA to exploit 0-days: report
If the spooks say they need it, they get it
Web data BLEEDOUT: Users to feel the pain as Heartbleed bug revealed
Vendors and ISPs have work to do updating firmware - if it's possible to fix this
Snowden-inspired crypto-email service Lavaboom launches
German service pays tribute to Lavabit
One year on: diplomatic fail as Chinese APT gangs get back to work
Mandiant says past 12 months shows Beijing won't call off its hackers
Call of Duty 'fragged using OpenSSL's Heartbleed exploit'
So it begins ... or maybe not, says one analyst
NSA denies it knew about and USED Heartbleed encryption flaw for TWO YEARS
Agency forgets it exists to protect communications, not just spy on them
prev story

Whitepapers

Designing a defence for mobile apps
In this whitepaper learn the various considerations for defending mobile applications; from the mobile application architecture itself to the myriad testing technologies needed to properly assess mobile applications risk.
3 Big data security analytics techniques
Applying these Big Data security analytics techniques can help you make your business safer by detecting attacks early, before significant damage is done.
Five 3D headsets to be won!
We were so impressed by the Durovis Dive headset we’ve asked the company to give some away to Reg readers.
The benefits of software based PBX
Why you should break free from your proprietary PBX and how to leverage your existing server hardware.
Securing web applications made simple and scalable
In this whitepaper learn how automated security testing can provide a simple and scalable way to protect your web applications.