Feeds

Trusteer scraps with analysts over 'bank security bypass'

Building a good Rapport

Using blade systems to cut costs and sharpen efficiencies

Trusteer continues to spar with researchers at Digit Security over claims that it might be possible to bypass Trusteer's online banking security technology Rapport.

Digit Security said Trusteer has responded to concerns over the effectiveness of its technology with marketing claims, rather than meaningful dialogue. This is after the infosec firm presented research at the 44Con conference last month arguing that Rapport's anti-logging technology could be ‘switched off’ using functionality built into the software.

In the presentation, and a follow-up piece in The Times, Digit Security said that shortcomings in the anti-keylogging system are the result of design weaknesses rather than security bugs as such.

Trusteer told El Reg last week that it had addressed the flaws discovered by Digit Security. It disputed whether the flaws could have ever led to practical attacks (not least because secondary protection mechanisms built into Rapport would have blocked it) and criticised Digit Security for failing to follow "responsible disclosure" guidelines by going public about a vulnerability without giving software developers adequate time to fix it.

Digit Security strongly disputes that it acted irresponsibly, saying that it provided Trusteer with complete information on its presentation at 44Con days after the event and two weeks before it released a proof-of-concept demo on 21 September. The demo used Trusteer code to decrypt keys.

"The information disclosed at 44Con related to the implementation of the anti-keylogging protections in Trusteer Rapport," Neil Kettle of Digit Security told El Reg. "I reverse-engineered the functionality and thus demonstrated that the ability to decrypt keys was present and available to any program running on the system on both Windows and OS X."

Kettle claimed that Trusteer had been ineffective in dealing with the threat his company had discovered. Kettle explained: "With respect to the 'fix' for OS X, there have been two so far that I have been able to obtain. The first of those was trivially subverted, with only minor changes to the code. The second was subverted within 30 minutes. I have not been able to verify the many Windows versions, but the last one didn't fix anything, for instance the 'SetWindowHookEx' protections."

Kettle added that Trusteer has yet to even address other aspects of Digit Security's research, including allegations that the firm uses a rudimentary substitution cipher for "keyboard encryption". A blog post by Digit Security explaining its continuing reservations about the effectiveness of Trusteer's technology can be found here.

In a statement, Oren Kedem, director of product marketing at Trusteer, said it had already responded to the Digit Security original research. He said Trusteer would review further representations, providing they are shared responsibly:

Trusteer has already provided our response to Mr Kettle's claims. If Mr Kettle believes he has additional comments on our recent fix, he is welcome to share them with us in a responsible manner and we will review and take the appropriate steps to address them.

Trusteer Rapport is a transaction security technology, a component of Trusteer's fraud prevention system used by more than 150 financial institutions around the world to detect and block fraudulent transactions. ®

The smart choice: opportunity from uncertainty

More from The Register

next story
Yorkshire cops fail to grasp principle behind BT Fon Wi-Fi network
'Prevent people that are passing by to hook up to your network', pleads plod
HIDDEN packet sniffer spy tech in MILLIONS of iPhones, iPads – expert
Don't panic though – Apple's backdoor is not wide open to all, guru tells us
NEW, SINISTER web tracking tech fingerprints your computer by making it draw
Have you been on YouPorn lately, perhaps? White House website?
LibreSSL RNG bug fix: What's all the forking fuss about, ask devs
Blow to bit-spitter 'tis but a flesh wound, claim team
Black Hat anti-Tor talk smashed by lawyers' wrecking ball
Unmasking hidden users is too hot for Carnegie-Mellon
Attackers raid SWISS BANKS with DNS and malware bombs
'Retefe' trojan uses clever spin on old attacks to grant total control of bank accounts
Manic malware Mayhem spreads through Linux, FreeBSD web servers
And how Google could cripple infection rate in a second
Don't look, Snowden: Security biz chases Tails with zero-day flaws alert
Exodus vows not to sell secrets of whistleblower's favorite OS
prev story

Whitepapers

Seven Steps to Software Security
Seven practical steps you can begin to take today to secure your applications and prevent the damages a successful cyber-attack can cause.
Consolidation: The Foundation for IT Business Transformation
In this whitepaper learn how effective consolidation of IT and business resources can enable multiple, meaningful business benefits.
Designing a Defense for Mobile Applications
Learn about the various considerations for defending mobile applications - from the application architecture itself to the myriad testing technologies.
Build a business case: developing custom apps
Learn how to maximize the value of custom applications by accelerating and simplifying their development.
Consolidation: the foundation for IT and business transformation
In this whitepaper learn how effective consolidation of IT and business resources can enable multiple, meaningful business benefits.