IT pros, particularly those whose job focuses on information security, often walk a fine line when working with end users. On one hand, they must restrain employees’ occasionally unsafe online behaviors. On the other hand, IT pros must protect those same employees from online hazards, whether their behavior is safe or not.
These days, many online activities pose the threat of financial loss -- none more so than online banking. In fact, many organizations are using online banking services in the midst of legions of sophisticated phishing attacks. That’s why US banks lost twice as much in 2010 ($70M) to online bank fraud as they did to old-fashioned bank robberies ($35M, both numbers from the IC3 2010 Annual Internet Crime Report, compiled by the FBI and the National White Collar Crime Center).
A tool to fight phishing
Most experts agree that what is needed to counter online bank fraud is a combination of end-user software and instruction that focuses on how to recognize phishing attacks. But neither the major Web browsers -- including Internet Explorer, Firefox, Chrome, Opera and Safari -- nor the major Internet security suites -- including Symantec Endpoint Security and McAfee Enterprise Security -- provide complete protection against phishing attacks.
One company, called Trusteer, specializes in building online banking security software. This includes Trusteer’s client-based Rapport software, which works as a browser plug-in with major browsers and locks down the runtime environment to actively forestall any phishing activities. Users can also access the management console, which supports policy-based deployment of Rapport for those who belong to an online banking group.
Rapport’s advanced monitoring capabilities also improve the end-user experience. Some anti-phishing software only looks at specific Windows directories, dynamic link libraries (DLLs) and registry entries to sniff out signs of attacks. Rapport, however, combines this heuristic approach with monitoring of attempts to access user account information, including account names, passwords, challenge-response exchanges and other sensitive account-related data.
On the server side, Trusteer also provides Web server software components that help secure client-server communications between users and bank servers when users log in to conduct online banking activity. This helps to prevent possible “man-in-the-middle” attacks against active online banking sessions.
In addition, Trusteer builds software monitors into its client and server software components that report on possible signs of attack or phishing behavior so that it can keep tabs on emerging and active attacks in the wild. This enables Trusteer to provide appropriate countermeasures and threat advisories to its customer base as such things appear and spread.
To that end, here are some key features of the client-side Trusteer Rapport software that protects Web browsers and the end-user PCs on which it runs:
- When Rapport is running it disables screen scraping, including any kind of screen capture software, such as the Windows Snipping Tool or SnagIt. It also blocks cut-and-paste of browser content into other Windows applications. This prevents graphical or textual capture of customer data -- techniques widely used when keyloggers or other covert data capture tools are employed to harvest end-user account information and credentials.
- Rapport notes the location of all account and password information on an end-user PC as it gets used for log-ins, or to respond to challenge-response queries. It also reports when software programs of any kind attempt to access this information.
- Rapport inserts a local encryption facility between the browser process and the operating system so that keyboard characters do not get stored in software buffers as plain text when users enter keystrokes. They are immediately encrypted and only decrypted when passed to secure sockets and transported across the Internet. This effectively defeats any keylogging software that might be installed on an end-user PC.
- Rapport also creates a “safe tunnel” between itself and banking servers. This is valuable where the matching software components are also deployed on the server side of a client-server link to a bank or financial institution that has licensed Trusteer technology. The server-side components provide strong authentication for servers and clients, so that phishing sites that seek to impersonate protected banking or financial institutions cannot “fool” the client into passing any kind of sensitive data into their clutches. The company gives the Rapport client away free to anyone who wishes to use it, but charges financial institutions to license its server components and distribute the client software.
- Rapport blocks attacks from malware kits that include Zeus, Torpig and Silent Banker, among others.
- Trusteer works 24/7 to detect and respond to new threats as they emerge. All of its software components update themselves automatically so that as new protection becomes available it can be immediately distributed into the field.
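The keystroke-encryption bullet above describes a design in which a keystroke is never held as plain text in a software buffer: it is encrypted at the moment of entry and decrypted only at the secure-socket boundary. The following is an added illustration of that design, not Trusteer's code and not a description of how Rapport actually implements it; the counter-mode HMAC keystream, the `EncryptedKeyBuffer` class and the simulated memory read (`observe_buffer`) are all assumptions made for the example.

```python
import hashlib
import hmac


def _keystream_byte(session_key: bytes, counter: int) -> int:
    # Hypothetical construction: one keystream byte per keystroke, derived
    # in counter mode from a per-session key so no keystream byte repeats.
    digest = hmac.new(session_key, counter.to_bytes(8, "big"), hashlib.sha256).digest()
    return digest[0]


class EncryptedKeyBuffer:
    """Stores keystrokes only in encrypted form.

    Plain text exists transiently inside on_keystroke() and is reconstructed
    only by release_to_socket(), which models the hand-off to the TLS layer.
    """

    def __init__(self, session_key: bytes) -> None:
        self._key = session_key
        self._buf = bytearray()
        self._counter = 0

    def on_keystroke(self, ch: str) -> None:
        # Encrypt each byte immediately; the buffer never receives plain text.
        for b in ch.encode("utf-8"):
            self._buf.append(b ^ _keystream_byte(self._key, self._counter))
            self._counter += 1

    def stored_bytes(self) -> bytes:
        # What a process reading this buffer out of memory would see.
        return bytes(self._buf)

    def release_to_socket(self) -> str:
        # Decryption happens only here, at the secure-socket boundary,
        # and the buffer is wiped once the value has been handed over.
        plain = bytes(b ^ _keystream_byte(self._key, i) for i, b in enumerate(self._buf))
        self._buf[:] = b"\x00" * len(self._buf)
        self._buf.clear()
        self._counter = 0
        return plain.decode("utf-8")


def observe_buffer(buf: EncryptedKeyBuffer, secret: bytes) -> bool:
    # Simulates a buffer-reading keylogger: does the secret appear in memory?
    return secret in buf.stored_bytes()


def demo(session_key: bytes, typed: str) -> tuple:
    """Types `typed` one character at a time and returns
    (secret visible in buffer?, stored ciphertext, value released at the socket)."""
    buf = EncryptedKeyBuffer(session_key)
    for ch in typed:
        buf.on_keystroke(ch)
    visible = observe_buffer(buf, typed.encode("utf-8"))
    ciphertext = buf.stored_bytes()
    released = buf.release_to_socket()
    return visible, ciphertext, released


if __name__ == "__main__":
    # Constructed sample: a fixed demo key and a throwaway password.
    key = bytes(range(32))
    seen, ct, out = demo(key, "hunter2")
    print("secret visible in buffer:", seen)
    print("buffer contents:", ct.hex())
    print("released to socket:", out)
```

The point the example makes is where the plaintext exists: only as the return value of `release_to_socket()`, so a tool that merely reads the keyboard buffer obtains ciphertext. It does not model a hook placed before the encryption step, which is exactly why the article pairs this feature with the screen-scraping and DLL/registry monitoring described in the other bullets.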
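The “safe tunnel” bullet above rests on one principle: the client must authenticate the server before it hands over anything sensitive, and the server must authenticate the client in turn, so an impersonating phishing site that cannot prove it is the bank never receives credentials. The following is an added illustration of that principle, not Trusteer's protocol and not code from Rapport; the HMAC challenge-response exchange, the `BankServer`, `ImpersonatingServer` and `ProtectedClient` classes and the constructed sample credentials are all assumptions of the example.

```python
import hashlib
import hmac
import secrets


def _proof(key: bytes, role: bytes, a: bytes, b: bytes) -> bytes:
    # Hypothetical proof-of-possession: HMAC over both nonces plus a role
    # label, so a server proof can never be replayed as a client proof.
    return hmac.new(key, role + a + b, hashlib.sha256).digest()


class BankServer:
    """Genuine institution: holds the secret the client is provisioned with."""

    def __init__(self, site_key: bytes) -> None:
        self._key = site_key
        self.accepted = []

    def challenge_response(self, client_nonce: bytes) -> tuple:
        server_nonce = secrets.token_bytes(16)
        return server_nonce, _proof(self._key, b"server", client_nonce, server_nonce)

    def login(self, client_nonce: bytes, server_nonce: bytes,
              client_proof: bytes, credentials: dict) -> bool:
        # Second leg: the server authenticates the client before using credentials.
        expected = _proof(self._key, b"client", server_nonce, client_nonce)
        if not hmac.compare_digest(expected, client_proof):
            return False
        self.accepted.append(credentials["user"])
        return True


class ImpersonatingServer:
    """Phishing site: looks like the bank but does not hold the site key."""

    def __init__(self) -> None:
        self.captured = None

    def challenge_response(self, client_nonce: bytes) -> tuple:
        # Without the key it can only guess; a random value is its best effort.
        return secrets.token_bytes(16), secrets.token_bytes(32)

    def login(self, client_nonce, server_nonce, client_proof, credentials) -> bool:
        self.captured = credentials  # only reached if the client is fooled
        return True


class ProtectedClient:
    """Client that releases credentials only to a server that proves itself."""

    def __init__(self, pinned_site_key: bytes) -> None:
        self._key = pinned_site_key

    def bank_login(self, server, credentials: dict) -> str:
        client_nonce = secrets.token_bytes(16)
        server_nonce, server_proof = server.challenge_response(client_nonce)
        expected = _proof(self._key, b"server", client_nonce, server_nonce)
        if not hmac.compare_digest(expected, server_proof):
            # Server failed to prove knowledge of the key: send nothing.
            return "refused: server not authenticated"
        client_proof = _proof(self._key, b"client", server_nonce, client_nonce)
        ok = server.login(client_nonce, server_nonce, client_proof, credentials)
        return "accepted" if ok else "refused: client rejected by server"


def run_scenarios() -> tuple:
    """Returns (result against genuine bank, result against impersonator, what the
    impersonator captured)."""
    site_key = secrets.token_bytes(32)           # constructed demo secret
    creds = {"user": "demo-customer", "password": "not-a-real-password"}
    client = ProtectedClient(site_key)
    bank = BankServer(site_key)
    phish = ImpersonatingServer()
    return client.bank_login(bank, creds), client.bank_login(phish, creds), phish.captured


if __name__ == "__main__":
    genuine, fake, leaked = run_scenarios()
    print("genuine bank:", genuine)
    print("impersonator:", fake, "| captured:", leaked)
```

Two details carry the security argument: the client compares proofs with `hmac.compare_digest` rather than `==` so timing does not leak anything, and the proofs are bound to fresh nonces from both sides so a recorded exchange cannot be replayed later. In a deployed system the shared key would be replaced by the server's certificate and a client-side credential, but the order of operations is the same: authenticate first, transmit second.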
The downside to using Rapport is that it locks users’ desktops down quite thoroughly while a protected browser is up and running. That’s probably why Trusteer’s support organization recommends that IT set up separate accounts for employees to use specifically for online banking.
For all other activities, end users should be instructed to log into their usual accounts. Since most security experts recommend that online banking only be conducted on special hardened PCs reserved for such use, this approach represents a reasonable compromise that enables users to stay on their familiar equipment, and switch over to a special account for as long as they’re engaged in online banking or financial activity.
ABOUT THE AUTHOR
Ed Tittel is a longtime computer industry writer with over 100 computer books and thousands of articles to his credit. His most recent security book is Computer Forensics JumpStart (Sybex, 2011, ISBN-13: 978-0470931660). Read his IT Career JumpStart and Windows Enterprise Desktop blogs for TechTarget, too, and his weekly posts for PearsonITCertification.com.
This was first published in April 2011