I’m working on a book on phishing and online financial fraud right now. It’s called Cyberheist: The Biggest Financial Threat Facing American Businesses Since the Meltdown of 2008. (You can read snippets about drive-by downloads and the historical roots of phishing at the sponsor’s Web site, KnowBe4.com.) In researching material for the book I came across an interesting browser add-in from a banking security services company named Trusteer. This software is named Rapport, and it adds a great deal to Web browser security to block and fend off potential phishing attacks, and to improve online security for banking and other financial transactions online.
According to the Trusteer site banner, Rapport has already been downloaded over 18 million times. The company also states that its primary means for distributing Rapport is via banks that license the software, and then extend it to their customers to help secure their online banking activities. According to their company overview, their customer list includes some names to reckon with, such as ING DIRECT, The Royal Bank of Scotland, CIBC, and “other leading online banks, brokerages, and internet companies.” Further investigation reveals that executive staff all come bearing lengthy, impressive, and impeccable information and financial security credentials, and presumably have an excellent understanding of information security tools, techniques, and requirements.
“That’s the stuff!” I thought to myself as I read over all this material. “I’m going to download this puppy and try it out for myself.” (Even though many users do get Rapport from a bank or brokerage, Trusteer also makes it available as a free download to anyone who’s interested.) What happened to me next is a straightforward but probably unintended consequence of locking down my IE to prevent phishing attacks from proceeding or succeeding.
As soon as I got the software installed, I went to shoot a screen capture of the tool at work. I turned first to the handy-dandy Windows Snipping Tool (part of Vista and Windows 7, it lets you grab whole screens or rectangular regions on-screen of your choosing). As soon as I opened the capture utility, both of my screens went completely gray, not just the browser window I had open, but the entire desktop. “Oops!” thought I to myself, “Snipping Tool is not allowed; let’s try Corel Photo Shop Pro.” Same result. “OK, then, what about SnagIt?” No dice. Solid gray desktop every time, until I Alt-Tabbed into the capture utility and turned it off.
For somebody like me, who writes about browser and security technology at work, it’s not acceptable to lose my ability to capture screens in the name of security. I understand this happens because the software makers don’t want users to be able to make graphical grabs of sensitive data that they can’t otherwise capture in other ways.
This tells me two important things:
1. It reminds me of the old security dictum that if you make a system too secure, or too hard to use in the process of securing it, nobody will use the system (or, more probably, nobody will use the software that has such a chilling effect). I’m not using that software on my production desktop because it gets in the way of getting my work done.
2. It also reminds me that security experts recommend dedicating a system solely to doing online financial stuff, so it can be hardened and present only a minimal attack surface. I’m not sure that’s necessary in my particular case, though it surely makes sense for companies with huge balances on deposit and in various accounts. What I’m going to do next to work further with this software myself strikes what I hope will be a happy medium between “don’t use it” and “live with its limitations.” I’m going to set up a VM and install Rapport inside that VM. And from now on, I’ll do all my e-banking and online financial stuff inside that VM and live with Rapport’s limitations within that runtime context.
It may not exactly be “the best of both worlds,” but it should be a workable compromise. As I have the chance to test Rapport’s other lockdowns and limitations more thoroughly, I’ll report on them back here.