Feeds

Trusteer scraps with analysts over 'bank security bypass'

Building a good Rapport

Securing Web Applications Made Simple and Scalable

Trusteer continues to spar with researchers at Digit Security over claims that it might be possible to bypass Trusteer's online banking security technology Rapport.

Digit Security said Trusteer has responded to concerns over the effectiveness of its technology with marketing claims, rather than meaningful dialogue. This is after the infosec firm presented research at the 44Con conference last month arguing that Rapport's anti-logging technology could be ‘switched off’ using functionality built into the software.

In the presentation, and a follow-up piece in The Times, Digit Security said that shortcomings in the anti-keylogging system are the result of design weaknesses rather than security bugs as such.

Trusteer told El Reg last week that it had addressed the flaws discovered by Digit Security. It disputed whether the flaws could have ever led to practical attacks (not least because secondary protection mechanisms built into Rapport would have blocked it) and criticised Digit Security for failing to follow "responsible disclosure" guidelines by going public about a vulnerability without giving software developers adequate time to fix it.

Digit Security strongly disputes that it acted irresponsibly, saying that it provided Trusteer with complete information on its presentation at 44Con days after the event and two weeks before it released a proof-of-concept demo on 21 September. The demo used Trusteer code to decrypt keys.

"The information disclosed at 44Con related to the implementation of the anti-keylogging protections in Trusteer Rapport," Neil Kettle of Digit Security told El Reg. "I reverse-engineered the functionality and thus demonstrated that the ability to decrypt keys was present and available to any program running on the system on both Windows and OS X."

Kettle claimed that Trusteer had been ineffective in dealing with the threat his company had discovered. Kettle explained: "With respect to the 'fix' for OS X, there have been two so far that I have been able to obtain. The first of those was trivially subverted, with only minor changes to the code. The second was subverted within 30 minutes. I have not been able to verify the many Windows versions, but the last one didn't fix anything, for instance the 'SetWindowHookEx' protections."

Kettle added that Trusteer has yet to even address other aspects of Digit Security's research, including allegations that the firm uses a rudimentary substitution cipher for "keyboard encryption". A blog post by Digit Security explaining its continuing reservations about the effectiveness of Trusteer's technology can be found here.

In a statement, Oren Kedem, director of product marketing at Trusteer, said it had already responded to the Digit Security original research. He said Trusteer would review further representations, providing they are shared responsibly:

Trusteer has already provided our response to Mr Kettle's claims. If Mr Kettle believes he has additional comments on our recent fix, he is welcome to share them with us in a responsible manner and we will review and take the appropriate steps to address them.

Trusteer Rapport is a transaction security technology, a component of Trusteer's fraud prevention system used by more than 150 financial institutions around the world to detect and block fraudulent transactions. ®

The smart choice: opportunity from uncertainty

More from The Register

next story
Mozilla fixes CRITICAL security holes in Firefox, urges v31 upgrade
Misc memory hazards 'could be exploited' - and guess what, one's a Javascript vuln
Manic malware Mayhem spreads through Linux, FreeBSD web servers
And how Google could cripple infection rate in a second
How long is too long to wait for a security fix?
Synology finally patches OpenSSL bugs in Trevor's NAS
Don't look, Snowden: Security biz chases Tails with zero-day flaws alert
Exodus vows not to sell secrets of whistleblower's favorite OS
Roll out the welcome mat to hackers and crackers
Security chap pens guide to bug bounty programs that won't fail like Yahoo!'s
HIDDEN packet sniffer spy tech in MILLIONS of iPhones, iPads – expert
Don't panic though – Apple's backdoor is not wide open to all, guru tells us
Researcher sat on critical IE bugs for THREE YEARS
VUPEN waited for Pwn2Own cash while IE's sandbox leaked
prev story

Whitepapers

Top three mobile application threats
Prevent sensitive data leakage over insecure channels or stolen mobile devices.
Implementing global e-invoicing with guaranteed legal certainty
Explaining the role local tax compliance plays in successful supply chain management and e-business and how leading global brands are addressing this.
Boost IT visibility and business value
How building a great service catalog relieves pressure points and demonstrates the value of IT service management.
Designing a Defense for Mobile Applications
Learn about the various considerations for defending mobile applications - from the application architecture itself to the myriad testing technologies.
Build a business case: developing custom apps
Learn how to maximize the value of custom applications by accelerating and simplifying their development.