In case you haven’t been notified, the e-mail marketing provider Epsilon Data Management got hacked and tons of email addresses and names were stolen. Clients include major companies like Chase, Capital One, Best Buy, Target, and more. While the data breach is not enough for identity theft, the fear is that they will use these emails to target phishing scams since they know what merchants you are comfortable dealing with.
While logging into my Bank of America account this weekend, I saw that they recommended me to download and install a free software program called Trusteer Rapport, which supposedly provided “online fraud protection”. Of course, as I click over, they also point out that:
So, basically, “hey, you should install this unknown software program to protect against other unknown software programs, but we don’t officially endorse it, and it’s not our fault if it doesn’t work or actually causes even more damage than doing nothing.” Huh?
First, I looked up Trusteer, a privately held computer security firm. There are numerous articles about Trusteer in various IT security magazines that I’m loosely familiar with, so that gave them some legitimacy. However, they are a new company (first mention is 2009) and unaffiliated with any other well-known security firms. Several other major banks besides Bank of America have “suggested” that people install Rapport, including Capital One 360, HSBC, and Suntrust.
How does Trusteer Rapport work? According to their FAQ:
- Rapport verifies that you are really connected to the bank’s genuine website as opposed to a fake website created by criminals. Although this sounds trivial, it’s not obvious that you reach a genuine website when you type your bank’s address into your web browser
- Once verification is complete, Rapport locks down communication between your computer and the bank’s website. This prevents criminals from hijacking your online connection with the bank
- Rapport protects your computer and internet connection by creating a tunnel for safe communication with your bank, preventing criminals from using malware to steal your log-in data and tamper with transactions
So, they try to stop things like fake websites and keyloggers. Also of interest is the fact that they work closely with the banks themselves to customize the software to each site:
Rapport’s access control policies are set by your bank. Banks that work with Trusteer build and maintain policies that define which information is sensitive and which operations on this information should be restricted.
So what’s with the non-endorsement? BofA says it’s because they already reimburse you for fraudulent losses. From the NYT Bucks Blog:
Using the Rapport software isn’t mandatory for Bank of America customers, Mr. Gordon said, in part because the bank already protects account holders from losses if their account is compromised. But it is advisable, he said, because malicious software programs can also steal sensitive nonfinancial information, which can be used in identity theft. “One of the goals of malware is to go gather information,” he said.
Some users of the of the software have noted that it slows down your system. Trusteer counters that it’s most likely due to your other security software conflicting with what Rapport is trying to do. Well, that sounds like a couple hours of fun troubleshooting. I dislike installing additional software unless necessary, so I think I’ll hold off for now. Prediction: Trusteer will be acquired by a large branded security firm in the near future.