RBS and HSBC using Rapport any advice or opinions?

[Ian Batten]

On 28 Oct 10, at 0727, Peter Sommer wrote:

> I found it pretty kludgy - on the XP system where I had it installed it left a whole series of processes which didn't close down properly when I went through a regular close down of XP itself - a succession of windows appeared and you had to terminate the processes manually.
> 
> In terms of your liability if you don't use it - you have an obligation to exercise reasonable care but it is not for the banks to tell you how specifically to exercise it,  particularly as I strongly suspect that Rapport themselves are not guaranteeing either to you or the bank that if you deploy its product they will in all circumstances make good any loss you incure through fraud.

The bank certainly aren't.


> We have worked with the financial security experts at Trusteer to offer Rapport to our customers, free of charge. In October 2008, Online Banking Report called Rapport “…a major boost in fraud prevention…’.
> 
> Important information - The Bank accepts no liability for the set up, provision or use of software provided by third party providers.

It's not at all clear from the vendor's website what the code does in detail. But it strikes me that it's hard to reduce the size of the TCB involved in a banking transaction, and without using a TPM or another trusted boot technology it's hard to assess whether that TCB has been modified.  Having one set of user-space processes running on a platform that audit the behaviour of another set of user-space processes (and by user-space I actually include loadable kernel modules) is an endless regress of layer X sub n monitoring layer X sub n-1, and ultimately can't provide serious assurance.  

ian