Slashdot Mirror


Bank Security Software EULA Allows Spying On Users

An anonymous reader writes Trusteer Rapport, a software package whose installation is promoted by several major banks as an anti-fraud tool, has recently been acquired by IBM and has an updated EULA. Among other things, the new EULA includes this gem: "In addition, You authorize personnel of IBM, as Your Sponsoring Enterprise's data processor, to use the Program remotely to collect any files or other information from your computer that IBM security experts suspect may be related to malware or other malicious activity, or that may be associated with general Program malfunction." Welcome to the future...

135 comments

  1. Does it run on Linux by Anonymous Coward · · Score: 0

    Does it? This could be the year of the Linux home banking if it does!

  2. Re:How crazy by hawguy · · Score: 4, Informative

    Security scanning software that looks at all of my files? How will I be violated next? /sarcasm

    Seriously, these privacy alarmists are kooks. They have no idea how IT works.

    There's a big difference between scanning files and collecting them.

  3. Bank Security Guy here by Anonymous Coward · · Score: 5, Informative

    We're working with our internal legal folks to force this clause out of the EULA for all of our customers.

    Just letting you guys know that some of us do give a shit. Can't say which bank though.

    1. Re: Bank Security Guy here by rickb928 · · Score: 1

      Good for you. But will it change how the software works in any way?

      --
      deleting the extra space after periods so i can stay relevant, yeah.
    2. Re:Bank Security Guy here by RampantTycho · · Score: 1

      We're working with our internal legal folks to force this clause out of the EULA for all of our customers. Just letting you guys know that some of us do give a shit. Can't say which bank though.

      Very cool! Good on you guys. I'm glad that not everyone is just taking this new clause lying down.

    3. Re:Bank Security Guy here by hazeii · · Score: 1

      Bullshit.

      This software (peddled by my bank for years) claims to protect against keyboard intercepts - on Windows.

      Snake oil of the first order.

      --
      All your ghosts are just false positives.
    4. Re:Bank Security Guy here by Zontar+The+Mindless · · Score: 1

      I think that's wise, since I can't imagine it holding up in court.

      --
      Il n'y a pas de Planet B.
    5. Re:Bank Security Guy here by PhrostyMcByte · · Score: 1

      Let us know which bank. I'm sure some of us would switch!

    6. Re:Bank Security Guy here by Anonymous+Brave+Guy · · Score: 1

      For individuals, probably not, at least not if you're somewhere like Europe where consumer protection and data protection laws tend to be taken reasonably seriously. I'm not sure how I'd rate my chances in most US jurisdictions without real legal advice, though.

      For businesses, it could be a completely different story. For example, here in the UK, there are blanket consumer protection rules that make unfair contract terms unenforceable, but those rules do not extend to business-to-business contracts. Arguing that you didn't agree to something that appears in the EULA as a business would be harder, and it's still your responsibility to comply with whatever rules applied to you before about confidentiality, data protection and the like. This could leave you with literally no safe position to take, legally speaking, once you've installed this software.

      --
      If you disagree, post your argument. (-1, Overrated) isn't your personal censorship tool for views you don't like.
    7. Re: Bank Security Guy here by markdavis · · Score: 3, Insightful

      It certainly won't change the fact that we can't run it on Linux and it is a pain in the ass under any platform.

      Trusteer Rapport is a HORRIBLE idea and many businesses are being FORCED to deal with it because it is essentially mandatory for many banks (looking at YOU, Suntrust).

      It is a totally unacceptable "solution" from an I.T. department perspective. And it is also unnecessary for many situations, if they just allow us some additional common-sense controls (like limiting access to just certain IP addresses, or using hardware token devices).

    8. Re: Bank Security Guy here by Anonymous Coward · · Score: 0

      Well, if you don't, I assume it's fair game that I scan all the bank's files to check for stuff too.

    9. Re:Bank Security Guy here by Neil+Boekend · · Score: 1

      I feel for you. That claim would be hilarious if it wasn't so serious.
Have you sent them this page or something similar and the question whether their sw also protects against those?

      --
      Well, I might have a way, but it only works on a semi spherical planet in a vacuum.
    10. Re:Bank Security Guy here by Anonymous Coward · · Score: 0

      Can't say which bank though

      Why not? You're posting A/C, which makes you just as anonymous as most people with a Slashdot user ID.

  4. Shop elsewhere by ysth · · Score: 5, Insightful

    If a bank/CD/whatever other crazy thing requires you to install software to use it, take your business elsewhere.

    1. Re:Shop elsewhere by Anonymous Coward · · Score: 0, Offtopic

Unfortunately, such terms are usually so deeply buried in a 10K line EULA that the likelihood of any sane person finding it is somewhere between zero and none...

    2. Re:Shop elsewhere by ysth · · Score: 1

      ?

      That's what I'm saying; you don't need to read the EULA.

      If you have to install software for something that has no business requiring you to install software, game over.

    3. Re:Shop elsewhere by markdavis · · Score: 1

      >"If a bank/CD/whatever other crazy thing requires you to install software to use it, take your business elsewhere."

You try telling that to your Finance Department or Board. We did - and it fell on completely deaf ears.

    4. Re:Shop elsewhere by Anonymous Coward · · Score: 0

      If a bank/CD/whatever other crazy thing requires you to install software to use it, take your business elsewhere.

      What, like a mobile app? Everyone loves mobile apps!!

      Clearly you're one of those old-fashioned luddites.

    5. Re:Shop elsewhere by ysth · · Score: 1

      "requires"

  5. Re:How crazy by NaCh0 · · Score: 0, Troll

    There's a big difference between scanning files and collecting them.

    When they find a suspicious binary running and attacking other computers on the network, how do you propose to examine it without collecting it?

    You are just proving my point that alarmists know nothing about how IT works.

  6. Re:How crazy by al0ha · · Score: 4, Insightful

    Agreed, these so called kooks actually understand how IT works; that's why they are alarmist.

    Yeah I trust IBM to only use the software to remotely collect *malicious* files from my system, I am sure IBM never receives confidential requests from the NSA or anything like that. *rolls eyes*

    --
    Did you ever wake up in the morning, with a Zombie Woof behind your eyes? -- FZ
  7. Re:How crazy by Anonymous+Brave+Guy · · Score: 4, Informative

    It wasn't alarmist when Rapport compromised the integrity of the computer I use to earn my living with a bad update. Boot from recovery disk, uninstall Rapport, revert to previous known good configuration, and the problem goes away. Let Rapport back on, computer immediately fails to boot again.

    I told the bank in question that the software they asked me to install wasn't working, and now every time I log in to their business banking site, and I decline to use Rapport selecting the option that says it didn't work for me, they tell me that Rapport has been tested by them. So not only do they want me to install malware, but my bank is also incompetent at security. Great, now I'm really thrilled to be trusting them with my company's money!

    --
    If you disagree, post your argument. (-1, Overrated) isn't your personal censorship tool for views you don't like.
  8. not in BOA online banking by david.emery · · Score: 1

    I just read through the Bank of America Online Banking Service Agreement, and I don't see anything like this, nor is there any mention of IBM. Reading the Wikipedia page, it seems this is software used -inside- a bank.

    1. Re:not in BOA online banking by mlts · · Score: 1

      I was wondering that. When used with a website, it would have to be a browser extension.

      In any case, this isn't too hard to defeat, just run it in a VM or a sandbox, and call it done.

    2. Re:not in BOA online banking by Anonymous Coward · · Score: 2, Informative

      Yes BOA pushes this:
      https://www.bankofamerica.com/privacy/online-mobile-banking-privacy/trusteer-rapport.go

    3. Re:not in BOA online banking by Anonymous Coward · · Score: 0

      Win & Mac only, which means a real OS (Linux) won't want or need this crapware.

    4. Re:not in BOA online banking by dreamchaser · · Score: 1

      I already do all of my banking from a VM that *only* does my banking.

    5. Re:not in BOA online banking by Anonymous Coward · · Score: 0

      Well it IS a choice, real money, or a real OS, you can only have one.

    6. Re:not in BOA online banking by Anonymous Coward · · Score: 0

      I do similar. I have a box doing ESXi, and RDP into a VM there. That way, if/when the box gets nailed by malware, it won't touch the desktop.

      I want to buy a low-end Isilon or other NAS that supports snapshots. This way, if the ESXi box really gets nailed, a rollback can still be done no matter how corrupted the ESXi box winds up.

    7. Re:not in BOA online banking by Anonymous Coward · · Score: 0

Um, esxi supports snapshots. If the gui doesn't, the cli sure does.

      Source: VMware admin

    8. Re:not in BOA online banking by david.emery · · Score: 1

      Let's be clear: This is an Opt-In "feature". It is neither mandated nor included by default.

      (That doesn't make it less objectionable, but it does clarify how it could get onto your computer.)

    9. Re:not in BOA online banking by markdavis · · Score: 1

      >"Let's be clear: This is an Opt-In "feature". It is neither mandated nor included by default."

      That completely depends on the bank and the type of account. It was not optional with Suntrust business accounts. We are forced to use that s**t.

    10. Re:not in BOA online banking by david.emery · · Score: 1

      Well, the original thread was on BOA. Sounds to me like your business needs to change its bank.

    11. Re:not in BOA online banking by markdavis · · Score: 1

      I wish we would. My pleas to Finance and Admin have been pretty much ignored. They don't think it is a big deal.

  9. Re:How crazy by Anonymous Coward · · Score: 0

    A file on my home PC which I'm forced to install this software to access my work remotely, I'd rather they not examine it.

  10. Re:How crazy by Anonymous Coward · · Score: 1

    When they find a suspicious binary running and attacking other computers on the network, how do you propose to examine it without collecting it?

Perhaps they might ask me "Hey, our security scan detected this suspicious looking file on your machine; do you mind if we take a copy of it so our engineers can examine it?"

    With that level of information, I can decide whether to let them have "stuxnet.exe" or "specialwifepics.zip".

  11. Not required - yes by joncombe · · Score: 4, Interesting

I use a bank that likes to push this software. Every time I log into the online banking you get an annoying "pop over" suggesting you install it, which I have to close each time. I've never installed it, and reading this very glad I didn't, I'm always suspicious of websites trying to push software as must have, even if it's banks doing it. My concern is banks moving towards making software like this mandatory, before they will allow you to log onto online banking. Go elsewhere, well yes, for now, but if every bank insists on software like this? I've already heard banks can refuse to refund any fraudulent transaction if they think you've not taken adequate protection. Would not installing the bank's "recommended" software mean you haven't taken adequate protection? Yes I could go back to banking by phone (which is far less secure, of course) or in branches, but with more branches closing all the time, the latter probably won't be an option for much longer either.

    1. Re:Not required - yes by apraetor · · Score: 3, Interesting

      Nail on the head. The recent trend towards use of debit cards attached to checking accounts is worrying; if used fraudulently you can be liable to $500 or more. On the other hand, a traditional credit card comes with a $50 max liability if the card is lost/stolen, and if the card numbers are stolen (but not the card) then you have $0 liability. I wouldn't be surprised to find out that the shift toward debit cards is supported wholeheartedly by the banks wanting to reduce their losses to theft -- they give you a nice shiny debit card with a credit card company logo as proof of trustworthiness and ease-of-use, and never mention your increased exposure.

    2. Re:Not required - yes by AmiMoJo · · Score: 2

      I've noticed some mobile banking apps try to report back to the bank that your device is rooted, presumably so they can refuse to pay out in the event of fraud. For example, the Lloyds Banking app does it. Fortunately I firewalled it before opening it so I was able to see the report going out (and being blocked) moments before the "sorry, your device is rooted, can't run this app, use the web site" message appeared.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    3. Re:Not required - yes by Anonymous Coward · · Score: 0

      People should just pick their banks more carefully. I'm with a credit union and what you described is not true at all for my bank. I use my debit card for payments almost exclusively, I am able to easily track my finances this way and know where every penny goes without ever worrying about getting receipts for every coffee I buy.

      Twice in the past 3 years the magnetic strip on my card was spoofed and my account partially drained (~$700 the first time and ~$1500 the second). In both instances my bank called me the same day, and automatically deactivated my card. When I went into the bank all I had to do was sign a piece of paper that basically stated I was not the one transferring money into an off-shore account and all of my money was returned within an hour.

      I have seen a few fear-mongering posts like yours about debit cards, and maybe where you live the rules are different, but I have never encountered anything like what you describe and I have been almost cash free (except for my emergency supply of cash) for over 5 years. I do not own a credit card.

    4. Re:Not required - yes by Anonymous Coward · · Score: 0

      These are the legal limits, but reputedly most banks will match the terms for credit cards in order to encourage the use of debit cards. Nowadays due to their goal not being profit, most of the time you can get better deals from Credit Unions and get the same protection as bank accounts. Local credit unions also often will give you the option of having a pure ATM card (many banks refuse to issue pure ATM cards).

  12. Heh, I wondered what that was by nctritech · · Score: 1

    I've been uninstalling the crap out of that program every single time a customer walks in with it installed because I didn't know what it was and I didn't like how invasive it appeared. It's good to know I was doing them a favor.

  13. Re:How crazy by Anonymous Coward · · Score: 0

    So don't keep your shemale porn and pirated video games on the computer you use for banking and then you'll have nothing to worry about.

  14. time to download by Anonymous Coward · · Score: 0

    time to create a script that downloads GIANT penis pics that shows this software and give it out freely

  15. Re: How crazy by rickb928 · · Score: 2

    Then buy a work PC for home use.

    Next problem?

    --
    deleting the extra space after periods so i can stay relevant, yeah.
  16. I'd expect no less by iggymanz · · Score: 2

    from the company that provided the data processing automation for the Holocaust.

    IBM - tracking your Jews and other undesirables since 1933 (R)

    1. Re:I'd expect no less by Anonymous Coward · · Score: 0

      from the company that provided the data processing automation for the Holocaust.

      IBM - tracking your Jews and other undesirables since 1933 (R)

      https://www.nytimes.com/books/first/b/black-ibm.html

      http://en.wikipedia.org/wiki/IBM_and_the_Holocaust

    2. Re:I'd expect no less by Stan92057 · · Score: 1

Well I guess if this was 1933 you would have a valid point, but why just IBM? Why not Mitsubishi who used captured soldiers/civilians as slaves? I'm betting there are quite a few German companies that did bad things during WW2 we can lump in too, huh? As far as trust, I don't know 1 corporation that can be trusted. They all have been fined or got publicly exposed for poor security; Target comes to mind.

      --
      Jack of all trades,master of none
    3. Re:I'd expect no less by radarskiy · · Score: 1

      Clearly, pens are immoral.

    4. Re:I'd expect no less by Anonymous Coward · · Score: 0

Trusteer is an Israeli company bought by IBM...

    5. Re:I'd expect no less by Anonymous Coward · · Score: 0

      I'm not sure that all the invoices from the Nazis to IBM said "computing and tabulating equipment for tracking and assistance with extermination of Jews, gays, gypsies". That's IBM the New York company, already heavily staffed by Jewish people, in one of the more Jewish cities in the world. It's also the extermination program that many inside Germany, let alone outside, had no idea about.

This is a tired conspiracy theory, which doesn't stand up to even cursory examination. There is no way that IBM knew what the equipment was for.

    6. Re:I'd expect no less by iggymanz · · Score: 1

      wrong, certainly holds up to close examination.

      You only serve to point out the amoral greed of those in New York. You are saying the Nazi party platform was not well known in 1933 when Hitler became Chancellor and IBM made its first factory in Germany for long-term relationship with Hitler's government?

  17. Trusteer is KRAP! by Sir_Eptishous · · Score: 4, Informative

    We have had to deal with Trusteer here at work. It is utter krap and will fubar normal Windows installs. Essentially the only way to get this to work is to dedicate a VM to it. We are lucky we only have to use it occasionally.

    --
    We play the game with the bravery of being out of range
  18. Re:How crazy by thesupraman · · Score: 2

    No, it appears that YOU know nothing about IT.
    Or more, likely, the shill is strong in this one.

It is a pretty normal and well understood process these days of requesting user permission for a specific upload of information to a vendor (for example 'this program has crashed, can we please send the crash report back for analysis').

    Them being allowed to scrape anything they damn well feel from your computer without any direct permission is, as anyone with a functioning brain knows, a HUGE step beyond that.

  19. Re:How crazy by Impy+the+Impiuos+Imp · · Score: 1

    > shemale porn

    And if he's really scared, he can just Bailey out of the agreement.

    --
    (-1: Post disagrees with my already-settled worldview) is not a valid mod option.
  20. Re:How crazy by Anonymous Coward · · Score: 1

    Yeah, don't use your general-purpose computer for multiple purposes, that's just crazy!

  21. and slows your computer to a crawl by Anonymous Coward · · Score: 0

    My bank often nags me to install Trusteer. I have done so on previous computers and it slows them to a crawl. Horrible software, and I have no idea if it even does anything useful. Now instead of installing it I use a different computer for banking (and not Windows), and just take care instead.

  22. Don't get confused about the problem here. by pigoon · · Score: 1

    The problem is not technology. The problem is the lack of legal protection or extension of the bill of rights to your data on your own property.
To the guy suggesting we all run a virtual machine specifically to use online bank software: people shouldn't have to learn networking virtualization because of a clause buried in a EULA.
    Check out this documentary: Terms and Conditions May Apply: http://www.imdb.com/title/tt20...

  23. More crap by Anonymous Coward · · Score: 0

I work for Santander and they will be buying this crap for millions just because it is IBM's now.

  24. Questions about this. by ITRambo · · Score: 1

    What does IBM plan to do with the collected information? If malware is present, will IBM inform you of that fact, or simply record what type it is for their records? Will IBM remotely remove said malware and then expect payment from us for doing so? Hmmm.

  25. Re:How crazy by neilo_1701D · · Score: 2

    Yeah I trust IBM to only use the software to remotely collect *malicious* files from my system

    Hey everyone! I've found somebody that trusts IBM!

Congratulations, Sir. You have joined a very elite club whose number (for some unfathomable reason) continues to shrink every day.

  26. Re:How crazy by grahammm · · Score: 2

    That is not the only way that (some) banks are incompetent at security. Their 'secure' internet banking sites only support SSL3 & TLS1.0, they prefer RC4 ciphers and do not offer any ciphersuites using PFS.
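The three server-side weaknesses named in this comment can be turned into a simple audit rule. The following is an added example, not code from the thread or from any bank; the cipher suite names are IANA names and both server configurations are constructed sample data standing in for the output of a TLS scanner.

```python
"""Audit a scanned TLS configuration for: legacy-only protocols (SSLv3/TLS 1.0),
RC4 preferred, and no forward-secrecy (PFS) suites.  Sample data is constructed."""

LEGACY_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1.0", "TLSv1.1"}

# TLS 1.3 suite names omit the key exchange, but TLS 1.3 is always ephemeral.
TLS13_SUITES = {
    "TLS_AES_128_GCM_SHA256",
    "TLS_AES_256_GCM_SHA384",
    "TLS_CHACHA20_POLY1305_SHA256",
}


def provides_pfs(suite: str) -> bool:
    """True if the suite uses an ephemeral (EC)DH key exchange, i.e. forward secrecy."""
    return suite.startswith(("TLS_ECDHE_", "TLS_DHE_")) or suite in TLS13_SUITES


def uses_rc4(suite: str) -> bool:
    return "_RC4_" in suite


def audit_tls(protocols, suites):
    """protocols: versions the server accepts; suites: IANA names in the server's
    preference order.  Returns a list of (finding, detail) tuples, empty if clean."""
    findings = []
    enabled = set(protocols)
    if enabled and enabled <= LEGACY_PROTOCOLS:
        findings.append(("legacy-protocols-only", sorted(enabled)))
    elif enabled & LEGACY_PROTOCOLS:
        findings.append(("legacy-protocols-enabled", sorted(enabled & LEGACY_PROTOCOLS)))

    rc4 = [s for s in suites if uses_rc4(s)]
    if rc4:
        # Preference matters: a server that lists RC4 first negotiates it with most clients.
        kind = "rc4-preferred" if uses_rc4(suites[0]) else "rc4-offered"
        findings.append((kind, rc4))

    if suites and not any(provides_pfs(s) for s in suites):
        findings.append(("no-pfs-suites", list(suites)))
    return findings


# Constructed scan result matching the configuration the comment describes.
BANK_AS_DESCRIBED = {
    "protocols": ["SSLv3", "TLSv1.0"],
    "suites": [
        "TLS_RSA_WITH_RC4_128_SHA",
        "TLS_RSA_WITH_RC4_128_MD5",
        "TLS_RSA_WITH_AES_128_CBC_SHA",
    ],
}

# Constructed hardened configuration for comparison.
HARDENED = {
    "protocols": ["TLSv1.2", "TLSv1.3"],
    "suites": [
        "TLS_AES_256_GCM_SHA384",
        "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
        "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256",
    ],
}

if __name__ == "__main__":
    for name, cfg in (("as described", BANK_AS_DESCRIBED), ("hardened", HARDENED)):
        print(name, audit_tls(cfg["protocols"], cfg["suites"]))
```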

  27. wouldn't be the first time i firewall ... by Anonymous Coward · · Score: 0

    humungous company!

  28. Illegal under US-Canada US-EU Data Treaties by WillAffleckUW · · Score: 1

    Such automatic shrink wrap electronic contracts are illegal if used by dual citizens of the EU and/or Canada resident in the US, under the terms of the Data Treaties the US Senate signed.

    Just saying.

    --
    -- Tigger warning: This post may contain tiggers! --
  29. Re:How crazy by Anonymous+Brave+Guy · · Score: 3, Interesting

    Luckily, those of us running businesses don't need to worry about this, because the regulators probably won't let banks assign liability for fraudulent use of our accounts to us if it was their own negligence or incompetence that resulted in any losses.

    Oh, no, wait. That was for personal bank accounts used by private individuals. As a business, the situation is unlikely to be a happy one if anyone does compromise your accounts because of these kinds of obvious security problems and you lose money because of it.

    I've actually met small business owners who refuse to use on-line banking to this day because of this one issue. Personally, my businesses treat on-line banking as a business risk, keep careful records as we do with anything, but refuse to use Rapport since it has been found to destabilise our systems.

    --
    If you disagree, post your argument. (-1, Overrated) isn't your personal censorship tool for views you don't like.
  30. Incomplete EULA by Anonymous Coward · · Score: 0

    I would be OK with this if the following was added:
    "as Your Sponsoring Enterprise's data processor with your permission to use the Program remotely to collect any files or other information"

I'm actually surprised this got the green light from IBM Legal, IBM Sales and IBM Development for that product. This would NEVER fly with the product I work on. Most banks have executive sponsors in IBM (some VERY high up) and I have a feeling this will be fixed in less than a week. IBM is not stupid enough to risk alienating the market of a recent $1B acquisition. Looks like the Bluewashing of the acquisition is incomplete at this point ... poor folks for that product will probably catch hell for this as a result.

    Posting as AC for obvious reasons.

  31. Failure in EULA by gnasher719 · · Score: 3, Interesting

    It doesn't work that way.

    Usually, the software developer requires that you accept the EULA in order to get the right to use the software. Does that mean that you accepted the EULA if you use the software? It doesn't.

    It means that if you use the software, you _either_ accepted the EULA _or_ you committed an act of copyright infringement. However, IBM cannot know which one. Therefore, they cannot do things that would be illegal if you didn't accept the EULA, like accessing your files.

    (Many EULAs contain terms that allow you only limited amount of copying. That's completely legal, because either you accept the EULA and accept that you cannot make unlimited copies, or you don't accept the EULA and cannot legally make any copies at all. This EULA is different).

    1. Re:Failure in EULA by sabt-pestnu · · Score: 1

Might keep 17 U.S. Code § 117 in mind.

      Copying for purposes of backing up your software is legal. Period.

    2. Re:Failure in EULA by Anonymous+Brave+Guy · · Score: 1

      It means that if you use the software, you _either_ accepted the EULA _or_ you committed an act of copyright infringement.

      It would be interesting to see what specialist lawyers in various jurisdictions would make of that argument.

If when you use the software you also rely on any permission granted by the EULA that you wouldn't otherwise have, this could be instant game-over if it was considered to imply that you had agreed to the EULA as a contract for that reason instead. And if you explicitly agreed to the EULA to download the software in the first place, that's probably instant game-over as well. But if you were relying on the EULA only as a licence, not as a contract, and you were not doing anything that requires more than that licence, it does seem like claiming that you infringed copyright instead might be a reasonable position.

      However, a more promising alternative, rather than accepting that you've done anything wrong or consented to anything dubious at all just because some dubious EULA term claimed you did, might be to consider recent changes to the legal position in some jurisdictions. Particularly in Europe, many of the usual complaints about EULAs have been considered more thoroughly in recent years, and in some cases laws have been or are being changed to clarify consumer rights in terms of software, downloaded content, and related areas.

      That debate typically starts with the perennial question of whether an EULA necessarily creates any binding contract at all, and if it does, whether the terms of such a contract are fair. It looks like the direction we're heading, at least in Europe and more specifically the UK, is that EULA-as-contract can be valid as a general principle, but then those agreements are also subject to the full weight of consumer protection laws just like any other consumer contract. That means a general requirement for fairness in the terms, various more specific protections like prohibiting certain exclusions entirely, and hopefully also the power for regulators to step in preemptively where unfair terms are present, even if those terms are void anyway, so no more incorporating scary-sounding but unenforceable terms to try to divert consumers from exercising their legal rights.

      --
      If you disagree, post your argument. (-1, Overrated) isn't your personal censorship tool for views you don't like.
    3. Re:Failure in EULA by Anonymous Coward · · Score: 0

      And yet, actual case law indicates that the copy you make to

      1) install the software to hard drive
      2) load the hard drive into system memory

      are *both* violations of copyright law without a license to the contrary.

      But you enjoy that backup you aren't legally allowed to install or execute...

    4. Re:Failure in EULA by AmiMoJo · · Score: 1

      The EULA is usually just a text file. You can edit it freely before installing the software, and then agree to whatever edits you made. In my experience they never bother to see if you made any changes, they just accept them blindly.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    5. Re:Failure in EULA by david_thornley · · Score: 1

      Why is any use without accepting the EULA illegal? Just because somebody says I have to sign a paper to use something I just bought doesn't mean I have to. (Doubtless some software is set up so getting around the EULA would fall afoul of the DMCA, but I'd be interested in knowing what I could do with a legitimately acquired copy of the software if I managed to legally bypass the EULA acceptance.)

      --
      "When you have eliminated the unacceptable, whatever is left, however improbable, must be the truthiness" - Holmes
  32. Copyright infringement by Anonymous Coward · · Score: 0

    How can they legally collect these files when users do not generally own the copyright nor the authorization to make copies of said files?

    1. Re:Copyright infringement by Opportunist · · Score: 1

      Legally? Who gives a shit?

      You think any copyright troll would dare going after a BANK?

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
  33. If personal information is leaked... by Anonymous Coward · · Score: 0

    I think $1 billion fine per occurrence is reasonable

    1. Re:If personal information is leaked... by Opportunist · · Score: 1

      Problem is, if the recent years are any indicator we'd get to foot that bill again.

      Banks are too big to touch now.

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
  34. Weasels by Tetetrasaurus · · Score: 0

    Why are so many companies infested with weasels that come up with things like this which they know are wrong and evil, that they only dare to do because they think that nobody will notice? How many weasels does your company employ?

    Perhaps companies should make all employees undergo psychological testing to root out these pathological personality types and make sure their actions are monitored.

    1. Re:Weasels by Opportunist · · Score: 1

      Perhaps companies should make all employees undergo psychological testing to root out these pathological personality types and make sure their actions are monitored.

I have this suspicion that they do, and depending on your pathological level you might be selected for marketing or even management.

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
  35. Re:How crazy by lgw · · Score: 3, Interesting

    Yeah, don't use your general-purpose computer for multiple purposes, that's just crazy!

    It is crazy. Stop doing that. Just stop.

    I do all my banking (and brokerage etc) from an encrypted VM used only for that. Never cross the streams.

    I figure my gaming box is infested with rootkits constantly at war with one another from game DRM. That's fine - only games go there.

    I treat my general-purpose VM as suspicious, and if anything ever looks off I'll just re-clone it from the base image, but there's lots of malware these days that's damned hard to spot.

    Other VMs are for short use for special purposes - banking, ripping, etc, and can be reverted to snapshots regularly.

    Of course, all that's useless if you don't keep your VM software patched. VM escape exploits are quite rare, but there have been more than 0 of them!

    --
    Socialism: a lie told by totalitarians and believed by fools.
  36. Bank Security Software? by lippydude · · Score: 1

    Does this 'Bank Security Software' work on Microsoft Windows?

  37. Quoting Kael'thas, eh? by erlkonig · · Score: 1

    "Welcome to the future. A pity you are too late to stop it. No one can stop me now!"

  38. Avoid online banking by Anonymous Coward · · Score: 1

    Not everyone has this luxury, I understand, but surely 99% of the population can do without it?

    How much convenience are most customers really getting over using in-bank kiosks and ATM machines in order to configure automated payments and the like?

    Maybe it's just me, but I think banks being exposed to the Internet for what appears to be a small amount of convenience is just insane.

  39. Re: How crazy by hawguy · · Score: 1

    Then buy a work PC for home use.

    Next problem?

    That's not the right answer, the right answer is "Tell your employer to buy you a computer for work use at home." I don't mind using my home computer to do work, but not if my employer is going to mandate what software I run on it. If they are worried enough about my computer being a risk unless I run their security software, then they ought to be worried enough about my computer to want to manage the entire computer - both hardware and software... not just the security software.

  40. Thank God it works with XP by smchris · · Score: 1

    It _has_ to be secure.

    1. Re:Thank God it works with XP by Opportunist · · Score: 2

      Of course it works with XP! XP has by some margin the highest level of compatibility with malware.

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
  41. As a Residential Internet Tech Support Agent... by Anonymous Coward · · Score: 0

    This software is remove-on-sight for me.

    Of 10-20 customers a day... 2-3 have problems caused by Trusteer's 'aggressive' antivirus protection.

    Most people don't know what it is or where it came from.

    All of them are relieved their computer is not actually garbage, after it's removed and everything works again.

    But I can't complain too loudly, tech support is my business after all.

  42. Re: How crazy by Anonymous+Brave+Guy · · Score: 2

    That's not the right answer, the right answer is "Tell your employer to buy you a computer for work use at home."

    That's an improvement, but in many cases a better answer will be "Don't work from home at all, and if your employer doesn't like it, find a better employer".

    The way it's just taken for granted that a lot of staff will continue to work outside office hours is a damning indictment of employment culture in some places today. This is just like the debate over BYOD vs. employers providing a separate company phone, where it is often taken as axiomatic that everyone needs company stuff on a phone somewhere so their boss can hassle them out of hours. If you're explicitly on call, and being compensated accordingly, fair enough. Otherwise...

    --
    If you disagree, post your argument. (-1, Overrated) isn't your personal censorship tool for views you don't like.
  43. Re:How crazy by Anonymous+Brave+Guy · · Score: 1

    Something like what you describe should be the norm, and modern operating systems should enforce strict scoping rules for different applications and data. It shouldn't even be possible for a lot of these DRM or anti-cheat systems to work, because they fundamentally rely on doing shady things that no application should ever be allowed to do by the host OS.

    Sadly, no mainstream desktop OS defaults to working this way, which makes your perfectly logical response also an unrealistic one for the vast majority of users, who lack your technical skills.

    --
    If you disagree, post your argument. (-1, Overrated) isn't your personal censorship tool for views you don't like.
  44. Re: How crazy by rickb928 · · Score: 3, Insightful

    I work with teams in the U.S. and Canada, Mexico, Britain, Australia, India, and the Philippines. I have no normal working hours any more.

    But my employer does not require me to do 8-5 and will other hours. An 11pm call either leaves me staying the next day at 10am, or taking the 2nd day off.

    --
    deleting the extra space after periods so i can stay relevant, yeah.
  45. snake oil by Anonymous Coward · · Score: 0

    Rapport is snake oil, always has been, plenty of netsec talks on YouTube that show you, the only reason banks want you to use it is because they spent a shitload of cash for it, go look at Trusteer's staff, the entire board (12+ people) was 50yo ex-sales guys, and a single tech guy with no history in the sec community, the banks got defrauded by men in suits instead of jeans :D

    Malware writers laugh at Rapport, it can be killed and removed without breaking a sweat.

  46. Re:How crazy by Anonymous Coward · · Score: 0

    Oh cute. You think a VM is going to protect you from the host.

  47. Re:How crazy by Anonymous Coward · · Score: 0

    I treat my general-purpose VM as suspicious, and if anything ever looks off I'll just re-clone it from the base image, but there's lots of malware these days that's damned hard to spot.

    So... you're another satisfied Microsoft customer?

  48. Ummm by Anonymous Coward · · Score: 0

    Who installs software because their bank recommends it? And does this yet convince people of why subscription software models are awful? Wait until you don't even get to choose whether to have this software scouring your files.

    1. Re:Ummm by Opportunist · · Score: 1

      You will always have the choice whether to install this software.

      A bank account is quickly opened. And closed.

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
  49. Hey! by pigsycyberbully · · Score: 0

    Sounds like the window program from the magic products moviemaker music maker and so on. They actually tell you in their terms and conditions that they collect personal information and share it with law-enforcement on request. You make a direct connection with their U.S. counterparts every time you use the Internet with any of their products installed. Apart from the pirated versions it has been stripped out. The corporations are going crazy, they all want to spy.... but none of them want to be spied on.

  50. Re:How crazy by Anonymous Coward · · Score: 0

    You know, there are other banks and even credit unions out there. Just sayin'

  51. Re:How crazy by hawguy · · Score: 2

    Oh cute. You think a VM is going to protect you from the host.

    I think he runs everything in a VM -- different VMs for different tasks, the only thing the host does is run the VMs.

    If this is the case, this does give him good protection from malware - even if the VM used for downloading pirated software gets infected by malware, it's going to be hard (but not impossible) for it to infect the host and then jump to his online banking VM.

  52. Re:How crazy by lgw · · Score: 1

    The host does nothing. I'm sure the NSA could hack it remotely, but none of the normal consumer attack vectors apply.

    --
    Socialism: a lie told by totalitarians and believed by fools.
  53. Re:How crazy by gl4ss · · Score: 1

    that they try to find infection on their own computers/honey pot or whatever? ... how do you propose that they decide if the suspicious file hasn't gone and encrypted itself inside your family photos without them downloading them just for kicks? or into your big business's yearly finance report, that the random tech guy over at Rapport can take a glance at without oversight?

    --
    world was created 5 seconds before this post as it is.
  54. Re:How crazy by Darinbob · · Score: 2

    There exists the possibility that someone knows how IT works and yet still does not approve.

  55. Re:How crazy by Anonymous+Brave+Guy · · Score: 1

    And we're currently exploring our options for a move, due in no small part to the poor on-line banking at the current place. Sadly, it turns out that many of the alternatives are also bad one way or another, and in almost every case it takes a crazy amount of effort even to arrange a sensible discussion about possibly moving new business to a bank. Since we're talking about small businesses here, the same people who need to deal with the banks also need to do real work that brings in revenues and pays everyone's salaries, so it's a painfully slow process.

    --
    If you disagree, post your argument. (-1, Overrated) isn't your personal censorship tool for views you don't like.
  56. Wrong place by Anonymous Coward · · Score: 0

    I cannot believe that can hold any water. A EULA should describe how software is used. If they add paragraphs which have nothing to do with running their software, that feels like the wrong place. Theft of information is theft, no matter what the fine print of something nobody reads is saying. That bank had better hire some good lawyers, otherwise common sense may prevail and the bank be accused of cybercrime the millisecond they touch their customers' computers. According to their logic, those customers then have a right to fight back...

    They had better be warned: in my home directory is a file which clearly states that any file downloaded from that directory comes with a $100000 fee...

  57. you remove stuff you don't know without Googling? by raymorris · · Score: 1

    > I've been uninstalling the crap out of that program every single time a customer walks in with it installed because I didn't know what it was

    So all of these customers chose to install something, and without knowing what it was, you just took it upon yourself to remove it. All this time you've been "uninstalling the crap out of it every single time", you didn't take 10 seconds to check Google and find out what it is?

    You might be very, very bad at your job.

  58. Why are banks pushing this crap? by jonwil · · Score: 1

    Why are banks pushing this crap in the first place? I can't see entities like Bank of America spending their own money on security stuff unless it's going to cost them more money not to.

    1. Re:Why are banks pushing this crap? by Opportunist · · Score: 1

      Why are banks pushing this crap in the first place? I can't see entities like Bank of America spending their own money on security stuff unless it's going to cost them more money not to.

      You are absolutely correct with your assessment. And your conclusion.

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    2. Re:Why are banks pushing this crap? by ShaunC · · Score: 1

      Why are banks pushing this crap in the first place?

      For one, because they believe it allows them to shift liability for fraud onto the consumer. "Oh, your online banking credentials were compromised and your life savings was irrecoverably transferred to Outer Elbonia? And you didn't have our Trusteer software installed, as required by our terms of service? Very sorry to hear that, I guess you're shit out of luck, maybe you can ask the federal government to bail you out (insert raucous laughter here)."

      --
      Thanks to the War on Drugs, it's easier to buy meth than it is to buy cold medicine!
  59. No Linux Version by Sesostris+III · · Score: 1

    I get prompted to download this regularly by my bank. However I use Linux, and they don't produce a Linux version. No idea if they plan to do so either.

    Strangely, I'm not that concerned. I would download and use it if I used Windows though, even with the new EULA.

    --
    You never know what is enough unless you know what is more than enough. - Blake
    1. Re:No Linux Version by Opportunist · · Score: 1

      Me too. But then again, I do my online banking in a VM, so...

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
  60. Re:How crazy by Anonymous Coward · · Score: 1

    He is talking about his gaming PC, you can't really run modern games inside a VM and be happy about it.

  61. Ok, this is NOT how it is done! by Opportunist · · Score: 2

    I wonder who was the genius who consulted the banks on this one, but my recommendation is to fire him.

    Out of a cannon.

    From the top of your HQ building.

    I do consultant work in the banking area. And the VERY LAST thing you need in this time and age is your customer to lose trust in you. It's the ONLY friggin' thing you still have, for crying out loud! And it's not like you're swimming in it in the first place, do your research (we did), the average customer places little trust in you. The only group of people that beats you in terms of untrustworthiness is politicians and other criminals.

    The other end of the spectrum is God. Yes, people place more faith in their imaginary friend these days. THAT's how far we got.

    Now, I know that you're not after their personal photos and their game cracks. Because you don't care about that shit. And yes, I have had that discussion with various banks and various security companies myself. But, and this is the critical part here, you HAVE TO keep your customer in the illusion that HE is in control. That HE gets to say if and whether you get any kind of data from him. That is CRITICAL!

    This will create a huge stink now. When all you had to do is add a simple dialogue saying "Oh, there's something fishy here, we found this file and it looks like malware. Your security and that of your money is our primary concern, and we have this partner here who is our security expert, they'd look at it FOR FREE, we foot the bill, since our business has always been to make banking a safe and secure biz. You ok with sending us that file?"

    9 out of 10 people click yes on this anyway (run the phrase through your PR goons a few times, add a little fear mongering and it's 99 out of 100). Screw the 1% error margin, you get what you want and instead of now being seen as yet another power hungry, data grabbing leech you'd be the saint.

    Fuck, how did you drop the ball on marketing? That's the ONLY thing you're still good at!

    --
    We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    1. Re:Ok, this is NOT how it is done! by Anonymous Coward · · Score: 0

      Why the hell does the bank feel the need to be providing virus-scanning software to run on the client-side machines? The bank should ASSUME that ALL clients are virus-infected zombies, and code their services appropriately.

    2. Re:Ok, this is NOT how it is done! by Opportunist · · Score: 1

      This is impossible for all practical purposes. Online banking suffers from one fatal flaw that can hardly be remedied: You are required to trust a machine that is, as you put it so eloquently, inherently untrustworthy.

      Telling people this is no option. Because then people would stop doing online banking and return to going to their bank for all their banking businesses. And in case you didn't notice, there are BY FAR fewer tellers in banks today than there were 20 years ago. The banks could by NO means deal with people abandoning online banking in large numbers.

      The damage from online banking scams and trojan phishing is well in the 7 digits, upper 8 figures for very large banks. PER BANK. And that STILL is cheaper than abandoning online banking. Just to give you a vague idea what kind of money we're talking here.

      The idea of securing the customer's PC comes naturally when this is your problem. But the way they're doing it, it's just STUPID.

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
  62. Re:How crazy by Anonymous Coward · · Score: 0

    Rapport is clashing with other malware on your machine.

  63. Re:How crazy by Anonymous Coward · · Score: 0

    So, assuming those VMs run Windows, you're fine with buying a new copy of the OS for each of them just to increase security. By now, having separate machines starts to look appealing.

    It is crazy. Stop doing that. Just stop.

    Indeed, what you're describing is quite insane. Sadly, for many purposes it seems to be a better solution than the default OS option, crazy cost and resource scaling aside. Still, needing to resort to such insanity must stop.

  64. Blue screened my PC by Anonymous Coward · · Score: 0

    I tried 'Rapport' a year or so ago, and it managed to blue screen my Windows 7 PC, for the first time ever. I immediately uninstalled it and would never use it again.

  65. Re:How crazy by Anonymous Coward · · Score: 0

    if the VM used for downloading pirated software gets infected by malware, it's going to be hard (but not impossible) for it to infect the host and then jump to his online banking VM.

    Hard? So many viruses and exploits have a habit of trying to spread across the network. Across the network may very well be into another VM - if he's playing a networked game while waiting for some slow bank transaction he had time for while the CD ripping is going on in the background. All in separate VMs, but does the host run a good firewall that separates them all? Is the host system itself protected against attacks from VMs or the outside network?

    VMs are not security. The few VM exploits are just another (small) attack vector - on top of the existing network attack vectors. And if the host is compromised, all VMs can be compromised at will. Even VMs not running at the moment can be compromised by putting viruses/backdoors into the image files. Revert to snapshot? Compromising the snapshots too is easy when I have the host.

    The VM solution is nice for protection against company scanner software too. They scan their VM only - takes less time and won't see what he's up to with other VMs...

  66. Or you could fuck up your own bank account by gelfling · · Score: 0

    I mean it's about your online banking, yes?

    Remember to downmod this post

  67. Re:you remove stuff you don't know without Googlin by nctritech · · Score: 2

    Oh, I checked. The website made it sound like it was some sort of antivirus program that no one had ever heard of. When asked about it, some customers didn't even know what it was or how it had gotten on their computers. It installed a filter driver for all network adapters and at least two machines weren't getting online at all because of it malfunctioning. All of the customers already had an antivirus solution installed. Rapport started popping up on computers in the era of fake security software.

    You should probably get some detail before jumping to conclusions.

  68. This is normal and typical of IR tools by vpness · · Score: 1

    Mandiant's Managed Defense does this as well. As did the Incident Response actions that any responders do when they try to understand *what* was exfilled. So, get over it. IBM is just limiting liability.

  69. Re: How crazy by Anonymous Coward · · Score: 0

    This!

    And while we're at it, since the bank is oh so terrified of teh horroz on my computer I'll ask them to provide one for my banking needs. They can scan and collect any files they want from that. My own machine? Fuck no! I'll take my savings and place them in a bank that won't ask me to do this shit.

  70. Re: How crazy by Anonymous Coward · · Score: 0

    For now. Until they find a Filipino who does not require a 2nd day off.

  71. Re:How crazy by Anonymous Coward · · Score: 0

    > I figure my gaming box is infested with rootkits constantly at war with one another from game DRM. That's fine - only games go there.

    Sounds like two PCs, a gaming box, and a general purpose box with the VMs for separation.

  72. Time to get a new bank by Anonymous Coward · · Score: 0

    This 2011 Youtube video shows how to break this shitty software in about 5 minutes: https://www.youtube.com/watch?v=EimZQgt7WPg

  73. Re: How crazy by Anonymous Coward · · Score: 0

    Actually the vulnerability of the files has to be verified in some way. If you don't copy executable files you would work based on signatures and heuristics. If you copy suspicious executables that you have never seen before you can run them in a sandbox and analyze behaviour. For detection the latter would offer far better possibilities, but would not require such blanket statements in the EULA and could be opt-in.

  74. Re:How crazy by Anonymous Coward · · Score: 0

    > Seriously, these privacy alarmists are kooks. They have no idea how IT works.

    Don't tell me. I manage a small democratic Republic but people call me tyrant -- I think they're joking.

    But my duties border on what could be called "tyranny", only I'm of the benevolent kind. Do you know how hard my life is? Most people simply don't know how tyranny works and they complain, complain, complain... day in, day out.

    Don't they know it's for their own good? Alas, your example is quite apt: when I started searching people's files with my National IT Department, everybody complained. But now, after things settled down and the worst offenders were caught, everybody seems to be having a happy, Eloi-like life.

    ---

    On a serious note, though, my bank just sent me a message about this new security application. My first impression is that they don't have a Linux version, which is bad (and good!). Now, of course, the application won't be installed (I can change banks if I need).

    "I want them to search only the bad guys' equipment -- not mine." -- try to understand that paradox, it will enlighten you...

  75. okay, so not because you didn't know what it was by raymorris · · Score: 1

    Okay, so the reason you removed it wasn't "because I didn't know what it was", you had far better reason than that. Cool.

  76. Re:How crazy by Anonymous+Brave+Guy · · Score: 1

    Given the precautions I take and the checks I made at the time, including scanning the machine in question for malware using an independent, known good boot disc, that seems unlikely. It would require a firmware-level infection or a stealthy infection that could hide from multiple malware scanners, either way exhibiting no apparent symptoms before or since, to cause the clash you're suggesting.

    --
    If you disagree, post your argument. (-1, Overrated) isn't your personal censorship tool for views you don't like.
  77. Re: How crazy by rickb928 · · Score: 1

    No, until they find a Filipino who can remember how things worked before the current issue was raised. That's somehow become very difficult. Then I move over to the Dark Side and get more pay for interfacing with them. But not until.

    Trust me, if they kill off our team and let the Filipinos do it, the ticket count will triple. They will still need someone to consolidate, properly categorize, and track. They were never able to do so with the US team for 14 years. I'm not yet quaking in my boots that they will get the offshore team up to that challenge in even a quarter of the time. But they will try.

    --
    deleting the extra space after periods so i can stay relevant, yeah.
  78. Re: How crazy by david_thornley · · Score: 1

    I remote in when I work from home. Unfortunately, this isn't officially supported from a Fedora computer, but nobody at work cares what sort of files I've got on my home computers. (Downloading company files to my computer to work on them is strongly discouraged, as the company likes to keep tight control of their stuff.)

    --
    "When you have eliminated the unacceptable, whatever is left, however improbable, must be the truthiness" - Holmes
  79. Re:How crazy by david_thornley · · Score: 1

    There's a financial website I have to use (for reasons I won't discuss here) that requires passwords to be 6-8 characters, alphanumerics only, and beginning with a letter. Talk about security...

    --
    "When you have eliminated the unacceptable, whatever is left, however improbable, must be the truthiness" - Holmes
  80. Re:How crazy by lgw · · Score: 1

    So, assuming those VMs run Windows, you're fine with buying a new copy of the OS for each of them just to increase security.

    You're cute - I like you.

    --
    Socialism: a lie told by totalitarians and believed by fools.
  81. To clarify what Trusteer is and isn't by sagthang · · Score: 1

    Lots of apparent confusion here as to what Trusteer is and isn't.

    Trusteer is sold as a "holistic" solution. I don't have much experience with what they do in the browser, but it's also built into mobile banking apps. It's an anti-fraud measure (which isn't inherently bad, we all like to keep our money), and as such it's always used in a customer-facing way, not inside a bank. Most customers using mobile banking apps will probably never see a Trusteer EULA, as this would be covered by the bank's own legal boilerplate. And nobody ever reads these...

  82. Re:you remove stuff you don't know without Googlin by Anonymous Coward · · Score: 0

    Not as bad as you've been shown to be as a liar and wannabe like you raymorris http://yro.slashdot.org/commen...