
polyphenol

macrumors 68020
Original poster
Sep 9, 2020
2,134
2,609
Wales
Every time I visit my UK bank's website, they implore me to install Trusteer Rapport.

So far, I have dismissed any thought of doing so. But that is because I've seen too many things like this which make grand claims yet do nothing or even make things worse. (Not necessarily worse security, but cause problems, especially after operating system and browser updates when issues with Rapport have not yet been identified and resolved.)

Does anyone have any solid evidence to base my decision on? Either way!

I did look over previous posts but it doesn't seem to have been discussed in the last year or more. And I maintain both my Macs very close to latest releases and updates - a few days, a week or two at most, after release.



polyphenol

macrumors 68020
Original poster
Sep 9, 2020
2,134
2,609
Wales
I did find it interesting. Thank you.

Of course, much of that was Windows.

But I do not see how it can do what it claims to do. If every keystroke is encrypted as it is made, it needs to run ON my keyboard before it gets sent by Bluetooth to my machine. Otherwise it cannot protect me from anything that breaks into Bluetooth.

I can't help but conclude that if a security hole is discovered in macOS, then Apple will fix it. We have seen them act extremely quickly on occasion. If a security hole is discovered in Rapport, those of us who have never used it have no history of them issuing fixes - quickly or slowly.

And I imagine Trusteer is very much more focussed on Chrome and whatever MS call their browser these days on Windows than Firefox on macOS.

Wiki says:

Some banks which had offered the software discontinued offering it. For instance, NatWest and RBS withdrew use in January 2019, stating that "The security and fraud prevention technologies we now use provide you a higher and far broader level of protection."

AND:

On installation, Rapport also tries to remove existing financial malware from end-user machines and to prevent future infections.

I do NOT like the look of something that performs any sort of software removal while it is being installed.

I'll continue avoiding it unless someone comes up with a good reason to use it.
 

FreakinEurekan

macrumors 604
Sep 8, 2011
6,539
3,417
On the one hand, it's apparently under the IBM software umbrella - so probably pretty trustworthy.

On the other hand, I'm not seeing a lot of banks requiring it (at least in USA). I have bank & credit card accounts with Citi, Discover, Chase, Barclay, Synchrony, Goldman, ETrade, Optum, and more - not a one of them are "Recommending" much less requiring this. If normal browser security is good enough for all those companies ¯\_(ツ)_/¯ it's good enough for me.

Alameda

macrumors 65816
Jun 22, 2012
1,270
866
I don’t see how it can encrypt each keystroke as it’s made. A keystroke is 16 bits. The AES encryption standard works on chunks of 128 bits.

polyphenol

macrumors 68020
Original poster
Sep 9, 2020
2,134
2,609
Wales
Couldn't it just add 112 bits (probably all zero) for the purposes of encryption? And remove after decrypt.
 

Alameda

macrumors 65816
Jun 22, 2012
1,270
866
It could use a true random number generator to pad the 112 bits, but it cannot remove them until decrypted. And you could use a hash which updates a counter, like AES-CTR, but now you've made the output far larger than the input.

And what are you supposed to do with this encrypted input anyway? They're basically saying that the memory buffer that holds their AES key is more secure from attack than the memory buffer which holds keyboard input. I don't know... the banks that approve this software probably do have security experts who have a better understanding of how it protects your data and they presumably believe that it does.

When I read IBM's description of what the software does, it doesn't mention keystroke-by-keystroke encryption. It says it's malware and phishing prevention software.
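
The padding question from the last few posts, as an added Go example (not code from anyone in the thread, and not a description of how Rapport works): a 2-byte keystroke is filled out to one 16-byte AES block with either zero or random padding. The function names, the key and the sample keystroke are constructed for illustration.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/rand"
	"fmt"
)

// randomBytes returns n bytes from the OS CSPRNG.
func randomBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}

// encryptBlock fills a 2-byte keystroke out to one 16-byte AES block with the
// 14 pad bytes supplied, then encrypts that single block.
func encryptBlock(key, keystroke, pad []byte) []byte {
	c, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	out := make([]byte, aes.BlockSize)
	c.Encrypt(out, append(append([]byte{}, keystroke...), pad...))
	return out
}

// decryptBlock recovers the keystroke; the padding can only be dropped here,
// once the whole block has been decrypted.
func decryptBlock(key, ct []byte) []byte {
	c, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	out := make([]byte, aes.BlockSize)
	c.Decrypt(out, ct)
	return out[:2]
}

func main() {
	key, ks, zero := randomBytes(16), []byte{0x00, 0x61}, make([]byte, 14) // constructed sample keystroke
	a, b := encryptBlock(key, ks, zero), encryptBlock(key, ks, zero)
	r := encryptBlock(key, ks, randomBytes(14))
	fmt.Println(len(a), bytes.Equal(a, b), bytes.Equal(a, r), decryptBlock(key, r))
}
```

With zero padding the same key press always produces the same 16-byte ciphertext under a given key, so repeated keys stay recognisable; random padding hides the repeats, and in both cases 2 bytes of input become 16 bytes of output.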