In recent months I have come across several instances of Trusteer Rapport being installed on home computers on the advice of their Banks, initially RBS and latterly HSBC as well.
At issue is whether this piece of software should be installed on any computer.
While it promises an extra layer of protection against phishing exploits, it does create problems.
Many computers slow to a virtual halt if they are not very powerful. Even on powerful machines there is clear evidence of a deterioration in performance. On machines where people have chosen not to have passwords remembered by their browser for logins to secure sites (e.g. Hotmail, Yahoo Mail, Gmail, as well as other https: connections), it results in failures to log in.
This is because the software shields the keystrokes used to enter passwords from any key logger on the computer, using its own encryption algorithm to enter them onto the form you are completing. The problem has been noted with Firefox 3.6 with the AVG security toolbar installed. Many anti-virus programs actually recognise this as a key logger exploit and try to prevent it from happening, for example Kaspersky (the No. 1 anti-virus software of the moment). While Trusteer claims on its website that this software will make you safe even if there is pre-existing malware on your computer, this claim is in all probability fallacious.
While niggling issues like not being able to log in to your e-mail account can probably be solved by configuring the software to ignore those accounts, this is beyond the ability of the vast majority of home computer users.
The only reason that phishing exploits are possible is that Banks have failed to develop sound and secure systems themselves. For example, being able to log in through a web browser is an accident waiting to happen. Why have the Banks not set up their systems in such a way that they issue the customer with a dongle and software that can only connect to their sites via an ever-changing SSH key algorithm on the dongle?
The real issue is that the Banks have not chosen to give you secure systems for Internet Banking, yet it is quite within their power to do so!
No Bank in the world can pass a full security audit of its IT systems. Yet they have put the onus on their customers to keep secure what they themselves are not!
Just consider the Banking executive who takes his laptop home to work and brings it back the next day, plugging it into the internal network. Does the laptop get a full security audit before being allowed in, or are they simply relying on some software to ensure no rootkits were installed in the intervening time? Yes, it is improbable but not impossible to compromise the Bank's systems through a roaming laptop.