
Trusteer vs. Minded Security in fighting financial fraud

Posted by on February 16, 2015.

We’re talking financial fraud – malware-instigated theft from your bank account…

This will be sacrilege to many, but I’m no fan of two-factor authentication (2FA). In fact, I think it can be positively dangerous. There are two primary reasons:

  • It’s not all that effective against the threats that matter here. Once the bad guys have rooted your PC or installed a remote access trojan, there is not a lot you can do and not a lot they cannot: they simply wait for you to complete the 2FA step and then ride your already-authenticated session, so the second factor is defeated without ever being cracked. And if they breach the server and steal your password from there, 2FA can do nothing to help you on any other site where you reuse that password and which perhaps doesn’t have 2FA.
  • The hype around 2FA, which is sold as the silver bullet that will protect you from the bad guys, can lead you into taking less care with your password. Why bother remembering a strong, unique password for each of your accounts when 2FA is keeping you safe?

So the danger is that 2FA doesn’t protect you, but lulls you into taking less care than you would without it. My own view is that a seriously strong password policy is probably better than any 2FA.

The problem remains, however, that a keylogger can steal your password and bank details and send them to the bad guys. But using stolen credentials is the harder route for the attacker, because the bank’s own anti-fraud system will notice that you have suddenly demanded a withdrawal from a strange computer in South America and will flag it.

That leaves man-in-the-browser (web-inject) malware as the most dangerous threat to your banking security. This malware effectively sits inside your browser and interferes with what you send to the bank and what the bank sends to you. It lets you log into your bank account normally, then rewrites the page inside the browser and substitutes its own instructions for yours. So you might instigate, and see on screen, a transfer from your active account to your savings account; but your bank receives an instruction to send the money to a new bad guy’s account that will probably exist only very briefly. Because the tampering happens inside the browser, after TLS has been decrypted and from your own IP address, the bank sees a properly authenticated session from your usual device, and any 2FA code you typed simply authorises the attacker’s transaction.

Man-in-the-browser attacks are one of the biggest causes of banking fraud. And the best-known defence against them is probably Trusteer’s Rapport (Trusteer is now part of IBM). But Trusteer had best look to its laurels, because it has a new rival: Minded Security’s AMT. The biggest difference between the two is, to my mind, friction. Rapport has it while AMT does not.

Friction is the force that powers inertia. Inertia is the force that stops us doing anything. One of the things we don’t do is install security software on our own devices – even when it’s free. Many of us simply do not wish – or cannot be bothered – to install Rapport. That’s friction. Rapport could be forced upon us, of course, if the banks made it a condition of us doing business with them – but the banks don’t like telling their customers what to do in case it drives them somewhere else. More friction.

And then there’s the biggest friction of all: paragraph #2 of the Rapport EULA. It reads:

2. In addition, You authorize personnel of IBM, as Your Sponsoring Enterprise’s data processor, to use the Program remotely to collect any files or other information from your computer that IBM security experts suspect may be related to malware or other malicious activity, or that may be associated with general Program malfunction. IBM does not use the Program to target collection of Your personal information. Nevertheless, the information collected could contain personally identifiable information that has been obtained by the malware without Your permission or is relevant to identifying malicious activity or addressing general Program malfunction. IBM will delete any collected information, including personal information of which we become aware, that is not relevant for the purposes described above and will retain other information only for the duration of the relevant analysis. To avoid accidentally retaining data longer than necessary, IBM reviews all retained files for relevance once every three months.
[emphasis is mine]

Now I may be paranoid, but I simply do not want some third party big conglomerate collecting information from my computer. You can be certain that if IBM has it, then the NSA can have it; and if the NSA can have it, then GCHQ can get it.

Nor do I accept the pathetic arguments of government that if I don’t do anything wrong, then I have nothing to fear about government surveillance. Who defines ‘wrong’ in these circumstances? I quite openly believe that David Cameron is the most dangerous politician in my living memory (goes back to Harold Wilson) because of the way he is selling our liberty to big business and cementing a police state to enforce it. With every new business protection that fucks the people (fracking, Big Pharma, businesses avoiding and evading taxes, benefit reductions to pay for lower taxes for the higher paid) I am getting more and more angry. Does that make me subversive? Am I a potential terrorist because that anger might tip over into some form of political activity? Do I deserve closer scrutiny as a potential terrorist?

So, to put it bluntly, Rapport comes with so much friction that I simply will not install it on my computer.

Minded Security’s AMT has no friction. The customer is the bank, and nothing is installed on the user’s computer. AMT takes a completely different approach. When the user logs into his or her bank account, an AMT script is sent to the user’s browser along with the page. Because the bank has just delivered that page, the script knows what the browser should contain. It examines the browser’s copy of the page and compares what it finds to what it should find, so it can see if something is happening that should not be happening: if malware has injected something new. If it sees anything untoward, it sends the details to the AMT cloud infrastructure, which the bank can watch continuously. The bank sees the risk and acts in accordance with its own policies.


The effect of this approach is threefold:

  1. there is no agent to install on the user’s computer
  2. there is no extra load on, nor extra infrastructure to install at, the bank’s end, irrespective of how many customers the bank is supporting
  3. and, perhaps most importantly, the solution doesn’t require knowledge of what malware is installed: because it looks for deviations from the page the bank sent rather than for signatures, it detects known and unknown (zero-day) man-in-the-browser attacks with equal facility.
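To make the web-inject scenario and the page-comparison idea concrete, here is an added example written for this page. It is not Minded Security’s or IBM’s code, and the manifest format, form field names, script URLs and the report shape are all assumptions. The bank, having just rendered the login page, embeds a manifest of the form fields and scripts it sent; the client-side script snapshots the live page and diffs it against that manifest, so a web-inject that adds "extra security questions" or loads its own script shows up as a difference without the check knowing which malware family did it.

```javascript
// Added example (not Minded Security's or IBM's code): a simplified
// page-integrity check in the spirit of the approach the article describes.
// The manifest format, field names, URLs and report shape are assumptions.

// Manifest the server embeds with the page it just rendered (constructed sample).
const EXPECTED_MANIFEST = {
  forms: { login: ["username", "password", "csrf_token"] },
  scripts: ["https://bank.example/static/app.js"],
};

// Reduce a live DOM to the same shape as the manifest. This is the part that
// runs in a real browser; the snapshots further down are constructed by hand
// so the comparison logic can be exercised without a DOM.
function snapshotFromDocument(doc) {
  const forms = {};
  for (const form of doc.querySelectorAll("form")) {
    forms[form.name || form.id] = Array.from(form.querySelectorAll("input"))
      .map((input) => input.name);
  }
  const scripts = Array.from(doc.querySelectorAll("script[src]"))
    .map((script) => script.src);
  return { forms, scripts };
}

// Diff an observed snapshot against the manifest. Returns a list of findings;
// an empty list means the page looks the way the server sent it. No malware
// signature is involved: anything not in the manifest is reported.
function checkIntegrity(expected, observed) {
  const findings = [];
  for (const [formName, expectedFields] of Object.entries(expected.forms)) {
    const seen = observed.forms[formName] || [];
    for (const field of seen) {
      if (!expectedFields.includes(field)) {
        findings.push({ type: "injected_field", form: formName, field });
      }
    }
    for (const field of expectedFields) {
      if (!seen.includes(field)) {
        findings.push({ type: "missing_field", form: formName, field });
      }
    }
  }
  for (const formName of Object.keys(observed.forms)) {
    if (!(formName in expected.forms)) {
      findings.push({ type: "injected_form", form: formName });
    }
  }
  for (const src of observed.scripts) {
    if (!expected.scripts.includes(src)) {
      findings.push({ type: "foreign_script", src });
    }
  }
  return findings;
}

// Build the report the script would POST to the vendor's collection service.
// The receiving side must treat this as untrusted input: malware that can
// rewrite the page can also try to suppress or forge the report, so a missing
// or inconsistent report is itself a signal worth recording.
function buildReport(sessionId, findings) {
  return { session: sessionId, infected: findings.length > 0, findings };
}

// Constructed snapshots: a clean page, and one altered by a web-inject that
// added two data-harvesting fields and pulled in an attacker-controlled script.
const CLEAN_SNAPSHOT = {
  forms: { login: ["username", "password", "csrf_token"] },
  scripts: ["https://bank.example/static/app.js"],
};
const INJECTED_SNAPSHOT = {
  forms: { login: ["username", "password", "csrf_token", "card_pin", "mothers_maiden_name"] },
  scripts: ["https://bank.example/static/app.js", "https://cdn-stats.example/inj.js"],
};

function runDemo() {
  const clean = checkIntegrity(EXPECTED_MANIFEST, CLEAN_SNAPSHOT);
  const injected = checkIntegrity(EXPECTED_MANIFEST, INJECTED_SNAPSHOT);
  console.log(JSON.stringify(buildReport("sess-1", clean)));
  console.log(JSON.stringify(buildReport("sess-2", injected), null, 2));
  return { clean, injected };
}

// In a real page this would run after load as
//   buildReport(sessionId, checkIntegrity(EXPECTED_MANIFEST, snapshotFromDocument(document)))
// and the result would be POSTed to the collection endpoint. Here we run the samples.
runDemo();
```

The caveat a practitioner will want is that this script runs inside the very browser the malware controls, so it cannot be assumed to run unmodified. Its value to the bank lies in comparing what it receives with what it sent, and in treating a missing or inconsistent report as a signal too; it detects rather than blocks, which is why the bank then acts on its own policies, as the article says.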

Marco Morana, MD Minded Security UK

A side effect of checking the browser is that AMT can also detect other malware. “Every time a user logs on to the protected online service,” such as a bank, Marco Morana, Managing Director of Minded Security UK, told me, “AMT understands if the PC is infected. The technology looks inside the browser to find adware, spyware and web inject malware.” In fact, the statistical returns to the AMT cloud infrastructure show that 5% of all of its bank customers’ users are infected with one or other of these threats.

(Just as an aside, if you get an email purporting to come from Minded Security and claiming that you have an infection, do not respond to it. Minded Security will not notify you. Its client is the bank, not you. So if you do get such an email, you can be sure that someone is phishing you.)

Don’t get me wrong – Rapport is pretty good; but comes with baggage. AMT is also pretty good – but comes with less baggage. The bottom line is that the incumbent Rapport now has a serious competitor in Minded Security’s AMT in fighting web-inject financial fraud.

3 thoughts on “Trusteer vs. Minded Security in fighting financial fraud”

  1. Jeff Anderson on said:

    Interesting article. You are correct that Rapport has a certain amount of difficulty getting end-users to install it – even when it’s free. In my organization, we employ IBM Trusteer Rapport and IBM Trusteer PinPoint, which are both good products, but come at the problem from different angles. PinPoint and Minded are both using the same technique, which is quite effective at identifying and stopping connections to online banking when financial malware is installed on the client device. Great, we’ve just mitigated potential fraud losses. Rapport though, also allows the end-user to be notified their client device has/had malware installed, and remove it proactively and automatically, (but only if it’s installed). And that brings us back to friction. Trusteer Rapport isn’t perfect, but it’s one more tool in the tool belt, and it eliminates the financial barrier to entry for some clients. Thanks again for the article, I’m going to go check out Minded. Cheers.

  2. Thanks for this article. My bank has just issued new ts and cs that “sort of” require the use of Trusteer, which I have purposefully ignored in the past despite constant “suggestions” of downloading it when I go to log in. To answer Peter, I’m in exactly that position – they obviously don’t use Minded Security…but I’m with Kevin on the “just because I’m paranoid, doesn’t mean they aren’t watching me” idea. With TTIP and worse, the idea of big business having easy access to my stuff isn’t acceptable.

  3. OK, so Minded Security is possibly a technically superior alternative to Trusteer; nothing on my PC, the bank being the customer and all that. How do I know my bank is a Minded Security customer and, possibly worse, what if I know it is not? A security feature that relies on maybe another party having done something or not doesn’t sound very reassuring to protect my PC.


Submitted in: News, News_cloud, News_malware