Bank Security Software EULA Allows Spying On Users
An anonymous reader writes: Trusteer Rapport, a software package whose installation is promoted by several major banks as an anti-fraud tool, has recently been acquired by IBM and has an updated EULA. Among other things, the new EULA includes this gem: "In addition, You authorize personnel of IBM, as Your Sponsoring Enterprise's data processor, to use the Program remotely to collect any files or other information from your computer that IBM security experts suspect may be related to malware or other malicious activity, or that may be associated with general Program malfunction." Welcome to the future...
I use a bank that likes to push this software. Every time I log into the online banking you get an annoying "pop over" suggesting you install it, which I have to close each time. I've never installed it, and reading this I'm very glad I didn't. I'm always suspicious of websites trying to push software as must-have, even if it's banks doing it. My concern is banks moving towards making software like this mandatory before they will allow you to log onto online banking. Go elsewhere, well yes, for now, but if every bank insists on software like this? I've already heard banks can refuse to refund any fraudulent transaction if they think you've not taken adequate protection. Would not installing the bank's "recommended" software mean you haven't taken adequate protection? Yes, I could go back to banking by phone (which is far less secure, of course) or in branches, but with more branches closing all the time, the latter probably won't be an option for much longer either.
Luckily, those of us running businesses don't need to worry about this, because the regulators probably won't let banks assign liability for fraudulent use of our accounts to us if it was their own negligence or incompetence that resulted in any losses.
Oh, no, wait. That was for personal bank accounts used by private individuals. As a business, the situation is unlikely to be a happy one if anyone does compromise your accounts because of these kinds of obvious security problems and you lose money because of it.
I've actually met small business owners who refuse to use on-line banking to this day because of this one issue. Personally, my businesses treat on-line banking as a business risk, keep careful records as we do with anything, but refuse to use Rapport since it has been found to destabilise our systems.
If you disagree, post your argument. (-1, Overrated) isn't your personal censorship tool for views you don't like.
It doesn't work that way.
Usually, the software developer requires that you accept the EULA in order to get the right to use the software. Does that mean that you accepted the EULA if you use the software? It doesn't.
It means that if you use the software, you _either_ accepted the EULA _or_ you committed an act of copyright infringement. However, IBM cannot know which one. Therefore, they cannot do things that would be illegal if you didn't accept the EULA, like accessing your files.
(Many EULAs contain terms that allow you only a limited amount of copying. That's completely legal, because either you accept the EULA and accept that you cannot make unlimited copies, or you don't accept the EULA and cannot legally make any copies at all. This EULA is different.)
Yeah, don't use your general-purpose computer for multiple purposes, that's just crazy!
It is crazy. Stop doing that. Just stop.
I do all my banking (and brokerage etc) from an encrypted VM used only for that. Never cross the streams.
I figure my gaming box is infested with rootkits constantly at war with one another from game DRM. That's fine - only games go there.
I treat my general-purpose VM as suspicious, and if anything ever looks off I'll just re-clone it from the base image, but there's lots of malware these days that's damned hard to spot.
Other VMs are for short use for special purposes - banking, ripping, etc, and can be reverted to snapshots regularly.
Of course, all that's useless if you don't keep your VM software patched. VM escape exploits are quite rare, but there have been more than 0 of them!
Socialism: a lie told by totalitarians and believed by fools.