Snake oil: legitimate vendors sell it too

By John Viega
December 18, 2008 | Comments: 9

Traditionally, when security experts talk about snake oil products (i.e., security products that don't actually offer any security), they are usually only brave enough to call out products from dubious companies that make claims that are obviously false, almost always around cryptography. Few people call out venture-backed companies with well-known people on the management team.

Partially, this is because with most products, it's not so clear-cut whether they are crapware. The company's marketing department can always find someone happy with the product, and so it turns into a battle of credibility and opinion; the technical merits become secondary. A more common issue is that products do something to help, but they're not as awesome as their vendor would have you believe.

At the end of the day, if we say snake oil products are ones that don't do what the marketing leads the customer to believe they do, then many reputable security companies peddle snake oil.

For example, consider the company Trusteer. They're backed by the firm US Venture Partners. They have some seasoned veterans on their team, and some smart people. Plus, they have one big customer, ING Direct, which I'll assume is happy with them.

Trusteer's product is snake oil.

Their marketing claims that their product Rapport, "... protects login credentials and transactions, from desktop to Website, even if a computer is infected with malware." When I first heard this claim, I heard it directly from their President's mouth when he was explaining to me what they do (incidentally, I thought he was a good guy who genuinely believed in the marketing). I asked, "is this even going to work when malware writers start targeting your software?" He said "yes", that their technique will protect your personal info, no matter what infection is on your machine.

While there are a few ways you could make claims like that and have them be defensible, the solution they explained to me didn't sound like it would do that job. Basically, they put their code on your machine, and it obfuscates the data it is protecting. But anything that code can undo, other code running with the same privileges can undo too: a determined attacker should eventually be able to figure out what it is doing, and either reverse it or disable it outright.

The only way I can imagine them defending their technical claims is for them to say, "well, we sit in the kernel, and malware can't touch us if it's running with regular user privileges." But, in reality, there is plenty of malware that gets inside the kernel, at which point it has at least the same privileges as the protection. Often, the bad guy just tricks the user into installing something with administrative privileges.

A few days ago, a friend sent me a link with a video where they show custom malware that has no problem defeating Trusteer's protection. The product does not do what the company claims.

If I were Trusteer, I'd counter this claim of snake oil by saying, "well, we never expected people to think it works all the time, just that it works most of the time." I wonder if ING Direct knew that when they started offering their product. Because now, ING Direct is going to its banking customers with a product that makes people feel like they don't have to worry about whether they're infected anymore. Why pay for AV, when the only thing you were worried about is identity theft?

Even if their marketing claims reflected the reality of their technology, I think it promotes a false sense of security. In short, trusting this product to do the job it claims to do only puts you at risk, particularly because it's not a huge stretch to think that, if you're going to get infected, it could easily be by something that can disable Trusteer's product. In fact, if enough people are using Trusteer's product, then that kind of malware would certainly get pretty common.

But, I suppose that, if you do understand the risks, it is better than nothing. Certainly, if you think you have a good chance of being infected, you shouldn't do online banking at all; you should worry about the infection. But if you don't think you are, then this product could actually help some of the time, when it turns out you actually were infected.

As you can see, the line between snake oil and a legitimate product is often a marketing claim. As a general rule of thumb, security companies want to make you think you're as secure as possible. Many of them are happy to lead you to believe that you're more secure than you actually are, which could end up putting you in a bad situation.

Therefore, it's generally worth doing your homework on security products you buy, to make sure you have at least a high-level understanding of the technical merits, and the drawbacks.


9 Comments

John,

While you claim you spoke with me and even quote me, I've never met you and you're apparently confusing me with someone else. If we spoke I would have told you that our strategy against attacks that try to disable or damage the service is to detect and react. There are various detection and reaction mechanisms operated by both Trusteer and the subscribing banks. Trusteer monitors attempts to disable our service and we react by silently deploying additional self-protection defenses. We do this only when these attacks are confirmed to be actually in the wild, threatening real customers. A second defense is to alert the subscribing website that a user's copy of the software may have been tampered with, so that the bank may react to a possible credential theft. Your video doesn't contradict any of our claims.

An objective and reputable member of the media or the journalist community would contact a vendor for comment before publishing a story based on a dubious video. Your readers should be aware that you are the CEO of a security vendor that tried to compete with Trusteer. Anyone with any sense of ethics would have disclosed that to their readers. I'm surprised that O'Reilly would allow you a forum to make an unsubstantiated attack on a competitor.

There are too many inaccuracies in your report, and you obviously haven't read, or chose to ignore, how banks communicate Trusteer to their customers. Rest assured that banks are far more professional than you have suggested. They have tested Trusteer's service much more thoroughly than you suggested. They are familiar with the Trusteer service architecture, which is much more sophisticated than you assume.

The fact that the tester had to look for ways to disable the service before being able to run malware proves that the solution works and adds real value. The fact that you weren't aware of and haven't been able to detect our early warning signals against tampering proves that the solution works on a much greater scale. This is why 10 different financial institutions are already using this service successfully. While no solution is bulletproof and we keep improving, Trusteer has managed in a very short time to change the approach to desktop security. The various vendors that follow us with similar solutions are the ultimate validation of this approach.


Thank you
Mickey Boodaei
CEO
Trusteer

  • I meant President... I spoke with Rakesh at length at RSA last year. Sorry about that.
  • This is a blog, not any sort of journal publication. I'm not a reporter writing articles.
  • My company makes anti-virus software. It does not, nor has it ever done, anything that tries to secure e-commerce transactions in an untrusted environment. Nor do I expect to go after anything like that in the foreseeable future. However, I will be happy to tell people how this COULD be done, in a way that actually has some reasonable security guarantees. Look for it in a blog post this week.
  • I've read the ING Direct site; they don't really say much other than to point people at your site, which has the misleading marketing.
  • If you read carefully, I say the approach is better than nothing, if people really understand what it does, instead of believing the marketing claims.
  • The more widespread your solution becomes, the less effective it will become, because more people will explicitly target it. You will be in the middle of an arms race that will give you no real differentiator over the anti-virus package the end consumer is already running.

I updated the article to correctly reflect that I talked to the company's President, not CEO.

John

Mr Boodaei,

I've read your post and I sincerely have to say this is one of the most confusing posts I've ever seen. You've written many things that just confuse your readers, trying to hide the truth.
You talk about a number of layers of security, some monitors that report and SILENTLY react DEPLOYING ADDITIONAL SELF-PROTECTION DEFENSES, technology that reports attacks to the bank.
For fuck's sake, what the hell are you trying to say? Self protection defenses?? Customer ID and password have been logged and most likely they have been sent to a remote website! The video clearly shows that!
Even if banks react after a while, who covers the gap between data theft and reaction? In the meantime all users' data has been uploaded remotely and attackers could have already stolen money. What additional self protection defenses?!? Where are they? The attack shown in the video successfully logged all data!

What? You'll update your software if an in-the-wild attack is reported? God, after an attack is detected to be in the wild, millions of dollars could have been already stolen.

What? "The fact that the tester had to look for ways to disable the service before being able to run malware proves that the solution works and adds real value"? What the hell, what are you trying to say? There is a way to bypass your software. This is THE topic.

You claim your software guarantees data security EVEN IF THE PC IS INFECTED. This is simply NOT TRUE. That video shows why this is not a good concept.

It would really have been better if you had written a post saying: "Yes, that video shows an attack that successfully bypassed our defenses. Indeed we can't guarantee security if a PC is infected. But we'll try to fix the vulnerability reported."

Instead, you're still claiming what you can't guarantee.

Great. Congratulations.

Gee, what an interesting blog. The entire industry peddles snake oil!!

What do you say to an anti-virus vendor whose virus definition is only good until someone takes a run-time packer to the sample?

Same virus is undetected again in 10 seconds and redistributed.

Now that sir is false security and snake oil.

I should point out to everyone reading this, almost all crimeware in the wild does not use hook-based keyloggers (shown in this video). Hook-based keyloggers can commonly be found in off-the-shelf commercial spy software such as Ardamax and Spector.

There is a different method of keylogging occurring in the wild and this video proves absolutely nothing.
See: http://en.wikipedia.org/wiki/Form_Grabber

Trusteer's product is junk, it has always been. No one at Trusteer knows anything about true Crimeware and how it operates, therefore they will never be able to properly defend against it.

Financial institutions that are using Rapport will still see instances of Crimeware related fraud and it's only a matter of time before they see the statistics that support this.

John Viega should not have reported on the posted video in the first place however.

There is no published paper discussing how the hacker bypasses the local hooking function of Rapport. Therefore how can you report this when you lack credible source information?

Please don't tell me you think a 10-year-old's Flash video is credible?

The person who posted this video has Milw0rm at his disposal anytime he feels like enlightening us.

Joe
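The post's argument that in-process obfuscation can be undone by code running with the same privileges, and Joe's point above that real crimeware grabs form data rather than hooking keystrokes, can be modelled in a few dozen lines. What follows is an added illustration written for this page, not code from Trusteer, John Viega or any commenter. Everything in it is hypothetical: the "browser", the "Protection" module with its detect-and-react tamper check, and the form-grabbing "malware" all live in one Python process precisely because, in the scenario under discussion, they all run at one privilege level. The stream cipher is a toy, and the credentials are a constructed sample.

```python
import hashlib
import os


class Browser:
    """Stand-in for the user's browser. 'wire' is a constructed list that
    plays the role of the network so the example runs offline."""

    def __init__(self):
        self.wire = []

    def submit_form(self, fields):
        # Form data is in the clear here, before any transport protection.
        payload = "&".join(f"{k}={v}" for k, v in fields.items()).encode()
        self.send(payload)

    def send(self, data):
        self.wire.append(data)


def xor_keystream(key, data):
    """Toy stream cipher (SHA-256 in counter mode). Illustration only, not a
    real transport cipher; it only needs to make 'wire' unreadable without
    the key. Applying it twice with the same key recovers the data."""
    out = bytearray()
    for i, b in enumerate(data):
        block = hashlib.sha256(key + (i // 32).to_bytes(4, "big")).digest()
        out.append(b ^ block[i % 32])
    return bytes(out)


class Protection:
    """Hypothetical in-process 'protect the transaction from desktop to
    website' module. It hooks Browser.send so everything leaving the browser
    is encrypted, and remembers which hooks it installed so it can detect
    tampering (a 'detect and react' check a bank could be alerted by)."""

    def __init__(self, browser):
        self.browser = browser
        self.key = os.urandom(32)
        self._original_send = browser.send
        browser.send = self.encrypting_send
        self._expected = {"send": browser.send,
                          "submit_form": browser.submit_form}

    def encrypting_send(self, data):
        self._original_send(xor_keystream(self.key, data))

    def tamper_check(self):
        """True while every hooked entry point is still the one we installed."""
        return (self.browser.send == self._expected["send"]
                and self.browser.submit_form == self._expected["submit_form"])


class FormGrabber:
    """Malware with the same privileges as Protection. It does not hook
    keystrokes; it wraps submit_form and copies the fields before the
    encrypting send ever sees them. Optionally it also patches the tamper
    check, because a checker in the same privilege domain is just more code
    to patch."""

    def __init__(self, browser, protection, patch_checker=False):
        self.log = []
        original_submit = browser.submit_form

        def grabbing_submit(fields):
            self.log.append(dict(fields))  # plaintext credentials captured
            original_submit(fields)        # then let the page work as normal

        browser.submit_form = grabbing_submit
        if patch_checker:
            protection.tamper_check = lambda: True


def run_scenario(malware):
    """malware is 'none', 'grabber' or 'grabber_patching_checker'."""
    browser = Browser()
    protection = Protection(browser)
    grabber = None
    if malware != "none":
        grabber = FormGrabber(browser, protection,
                              patch_checker=(malware == "grabber_patching_checker"))
    creds = {"user": "alice", "password": "hunter2"}  # constructed sample input
    browser.submit_form(creds)
    return {
        "wire_is_plaintext": b"hunter2" in browser.wire[0],
        "grabbed": grabber.log[0] if grabber else None,
        "tamper_detected": not protection.tamper_check(),
    }


if __name__ == "__main__":
    for scenario in ("none", "grabber", "grabber_patching_checker"):
        print(scenario, run_scenario(scenario))
```

Run it and the three lines tell the whole story: with no malware the wire is encrypted and nothing is flagged; with the grabber the wire is still encrypted, so the protection's visible guarantee holds, but the plaintext password is already in the malware's log and the tamper check only fires afterwards; with the grabber that also patches the checker, the credentials are gone and nothing fires at all. Which of the last two you get depends purely on how much effort the malware author spent, which is the arms race the post describes.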


I bank with HSBC in the UK, and they have been pestering me to install Rapport for months (yes, pestering; I literally could not log in to online banking before expressly clicking one of the links either to install or not to install Rapport).

Mr Viega, thanks for providing the community with some much-needed dialogue about Rapport.

Mr Boodaei, thank you for describing the 'detect and react' strategy. I believe this probably accounts for the severe performance issues I have repeatedly read about this afternoon?

I have been exchanging bank mails with HSBC to ask for specifics about the function of Rapport, information that it is becoming obvious they do not actually have. Rather than deliver even the most basic of technical descriptions, they just quote marketing jargon. Not good enough.

I've also asked them whether installation of the software is required, and I have a bank mail from them saying it is not. But I hadn't even thought about the possibility of a get-out clause for the banks, as I have seen speculation about elsewhere. My actual concern was: what would happen if I somehow gave Rapport the literal green light for a bogus site? The protection would be gone, right?

HSBC does not have an ill word to say about the product, no precautions or disclosures of its limitations, just (to paraphrase), 'You need this. Install it.'

That sort of thing always makes me suspicious. Instantly.

I bank with NatWest (also in the UK) and was similarly pestered into installing Rapport. The performance impact slowed my (somewhat outdated) PC to a crawl, so I started investigating whether I would be better off without it.
A quick Google search turned up three kinds of sites mentioning Rapport: banks' (and Trusteer's) sites full of marketing messages saying that you absolutely must have this product but with no technical info above primary-school level, technical blogs about the sometimes very serious performance impact of running Rapport, and technical blogs about how Rapport does not do what the banks claim it does (this is not the only one to use the phrase "snake oil").
So I decided to uninstall it. I was greeted with a warning that my computer is infected by malware which would be reactivated if I uninstall Rapport. It gave no details of what kind of malware, but provided a link to a web page. I clicked on the link, hoping to learn what my computer was infected with, but still no details, just a warning that I shouldn't believe my AV software if it says the computer is clean. So I cancelled the uninstall and ran four different virus/malware scans (Avast, Malwarebytes, Adaware, Trend Micro Housecall) - they removed a few minor threats such as tracking cookies but that was all. Finally convinced that the PC is clean, and having found a quote from someone at Trusteer saying "we ASSUME your desktop is compromised" (my emphasis), I uninstalled Rapport. I still got the message saying my computer is infected, which I ignored. My computer now works again.
This seems to suggest that Trusteer are using scareware tactics to persuade people to use their software - it seems very unlikely to me that this message is based on any actual threat being detected (if it is then why won't they tell me what the threat is?) - more probably you always get this message when uninstalling. If this is the case it's another reason to distrust this company, and to be worried about the way they seem to have got every UK bank wrapped around their little finger.

Hey Mr Boodaei! Welcome to Africa! And Standard Bank, South Africa picks up the fallen Trusteer spear...

Don't worry, over here we just do what our bank says and are relieved to have any kind of AV. You give us hope, hosanna!

The best-kept secret in the fight against viruses and keyloggers is a company called HonorPC! They feature one-key recovery that leaves your documents, music, pictures, videos, and favorites intact! It works even if you have a problem that won’t allow Windows to start. I have done online banking on my HonorPC for almost three years and have never installed antivirus. I bought my HonorPC for $1,000, which included a 22” LG monitor and laser mouse. I recently got a Windows 7 upgrade from HonorPC and I’m very happy with it. Their web site is http://honorpc.com and they have their phone number right on the home page. You should check them out before they are bought out by a big computer company and banished from the face of the earth!

I've found this blog because my PC's performance is being destroyed by Rapport, often running at 80%+ of CPU on an XP box. Switching Rapport off from "Services" in the msconfig utility still doesn't stop it running. A friend has had a similar experience with Windows 7 on an 8GB quad box, so even the best and latest machines can be badly affected, depending on the other software being run.

Here's what two UK banks who make/recommend customers use Rapport say:

HSBC: "Rapport is a small in size and is designed not to impact the performance of your PC".
https://www.business.hsbc.co.uk/1/2/help-centre/rapport-overview-page

NatWest: have a FAQ "I think Rapport is slowing my computer down" suggesting a call with Rapport's support representative because "inevitably a few software combinations remain untested". Sorry I haven't got the time to run through every piece of software on my PC which may be clashing! Nor to wait for the fixes!!

Although there are reports of Barclays and others using Rapport, Barclays and Lloyds TSB at least have confirmed they do not.

Given banks are ultra cautious about security, the other banks presumably either don't believe it is needed or have a more appropriate solution. Hopefully what they do use is less of an issue than Rapport.

Rapport can be switched off apparently, per NatWest:
"To stop Rapport on a Windows operating system:
Click Start, select ‘All Programs’, then ‘Trusteer Rapport’, and finally ‘Stop Rapport’.
To stop Rapport on a Mac operating system:
Click System Preferences, select ‘Other’, then ‘Rapport’, and finally ‘Stop Rapport’." I'm just re-booting my PC to find out if it has worked, because it is still showing as running.

I'm not sure if NatWest or HSBC would treat customers any differently in the event of fraud if Rapport was switched off. Neither website says anything explicitly. But I wouldn't want to end up arguing over it if fraud were to happen.

So I will be advising NatWest and HSBC that I will be switching my accounts to the banks that don't use Rapport, I'm sure I won't be able to wait for any change, so will have to switch banks anyway....