Re: On-line Bank Auth. Was: Privacy

From: Mo McRoberts <mo.mcroberts@bbc.co.uk>
Date: Sun, 31 Jul 2011 20:29:52 +0100
Cc: public-identity@w3.org
Message-Id: <28CABEC5-2D55-4ECA-9766-7082170FA056@bbc.co.uk>
To: David Chadwick <d.w.chadwick@kent.ac.uk>

On 31 Jul 2011, at 20:16, David Chadwick wrote:

> 
> 
> On 31/07/2011 19:09, Mo McRoberts wrote:
>> 
>> One “solution” which seems to be gaining traction in the banking
>> sector is Trusteer Rapport, which I'm having real trouble
>> distinguishing from malware.
>> 
> 
> not surprising, since the UK SME that produces it seems to believe more in security through obscurity rather than in using published, open, and rigorously validated security protocols and algorithms. When I spoke to one of their directors, he was not willing to reveal anything about how it works.

From the various browser crashdumps I've seen over the last couple of days, I was at least able to see that it works by injecting itself into your browser processes and monitoring/intercepting your activity that way (and, according to the crashdumps, it does that badly).

So, yeah — “indistinguishable from malware” does very much seem to apply to the implementation techniques.

M.

-- 
Mo McRoberts - Data Analyst - Digital Public Space,
Zone 1.08, BBC Scotland, 40 Pacific Quay, Glasgow G51 1DA,
Room 7066, BBC Television Centre, London W12 7RJ,
0141 422 6036 (Internal: 01-26036) - PGP key 0x663E2B4A
Received on Sunday, 31 July 2011 19:30:16 GMT
