Trusteer scraps with analysts over 'bank security bypass'

Building a good Rapport

Trusteer continues to spar with researchers at Digit Security over claims that it might be possible to bypass Trusteer's online banking security technology Rapport.

Digit Security said Trusteer has responded to concerns over the effectiveness of its technology with marketing claims, rather than meaningful dialogue. This is after the infosec firm presented research at the 44Con conference last month arguing that Rapport's anti-keylogging technology could be ‘switched off’ using functionality built into the software.

In the presentation, and a follow-up piece in The Times, Digit Security said that shortcomings in the anti-keylogging system are the result of design weaknesses rather than security bugs as such.

Trusteer told El Reg last week that it had addressed the flaws discovered by Digit Security. It disputed whether the flaws could have ever led to practical attacks (not least because secondary protection mechanisms built into Rapport would have blocked it) and criticised Digit Security for failing to follow "responsible disclosure" guidelines by going public about a vulnerability without giving software developers adequate time to fix it.

Digit Security strongly disputes that it acted irresponsibly, saying that it provided Trusteer with complete information on its presentation at 44Con days after the event and two weeks before it released a proof-of-concept demo on 21 September. The demo used Trusteer code to decrypt keys.

"The information disclosed at 44Con related to the implementation of the anti-keylogging protections in Trusteer Rapport," Neil Kettle of Digit Security told El Reg. "I reverse-engineered the functionality and thus demonstrated that the ability to decrypt keys was present and available to any program running on the system on both Windows and OS X."

Kettle claimed that Trusteer had been ineffective in dealing with the threat his company had discovered. Kettle explained: "With respect to the 'fix' for OS X, there have been two so far that I have been able to obtain. The first of those was trivially subverted, with only minor changes to the code. The second was subverted within 30 minutes. I have not been able to verify the many Windows versions, but the last one didn't fix anything, for instance the 'SetWindowsHookEx' protections."

Kettle added that Trusteer has yet to address other aspects of Digit Security's research, including allegations that the firm uses a rudimentary substitution cipher for "keyboard encryption". Digit Security has published a blog post explaining its continuing reservations about the effectiveness of Trusteer's technology.

In a statement, Oren Kedem, director of product marketing at Trusteer, said it had already responded to Digit Security's original research. He said Trusteer would review further representations, provided they are shared responsibly:

"Trusteer has already provided our response to Mr Kettle's claims. If Mr Kettle believes he has additional comments on our recent fix, he is welcome to share them with us in a responsible manner and we will review and take the appropriate steps to address them."

Trusteer Rapport is a transaction security technology, a component of Trusteer's fraud prevention system used by more than 150 financial institutions around the world to detect and block fraudulent transactions. ®
