Slashdot Mirror
Bank Security Software EULA Allows Spying On Users
An anonymous reader writes Trusteer Rapport, a software package whose installation is promoted by several major banks as an anti-fraud tool, has recently been acquired by IBM and has an updated EULA. Among other things, the new EULA includes this gem: "In addition, You authorize personnel of IBM, as Your Sponsoring Enterprise's data processor, to use the Program remotely to collect any files or other information from your computer that IBM security experts suspect may be related to malware or other malicious activity, or that may be associated with general Program malfunction." Welcome to the future...
Security scanning software that looks at all of my files? How will I be violated next? /sarcasm
Seriously, these privacy alarmists are kooks. They have no idea how IT works.
There's a big difference between scanning files and collecting them.
We're working with our internal legal folks to force this clause out of the EULA for all of our customers.
Just letting you guys know that some of us do give a shit. Can't say which bank though.
If a bank/CD/whatever other crazy thing requires you to install software to use it, take your business elsewhere.
Agreed, these so called kooks actually understand how IT works; that's why they are alarmist.
Yeah I trust IBM to only use the software to remotely collect *malicious* files from my system, I am sure IBM never receives confidential requests from the NSA or anything like that. *rolls eyes*
Did you ever wake up in the morning, with a Zombie Woof behind your eyes? -- FZ
It wasn't alarmist when Rapport compromised the integrity of the computer I use to earn my living with a bad update. Boot from recovery disk, uninstall Rapport, revert to previous known good configuration, and the problem goes away. Let Rapport back on, computer immediately fails to boot again.
I told the bank in question that the software they asked me to install wasn't working, and now every time I log in to their business banking site, and I decline to use Rapport selecting the option that says it didn't work for me, they tell me that Rapport has been tested by them. So not only do they want me to install malware, but my bank is also incompetent at security. Great, now I'm really thrilled to be trusting them with my company's money!
If you disagree, post your argument. (-1, Overrated) isn't your personal censorship tool for views you don't like.
I use a bank that likes to push this software. Everytime I log into the online banking you get an annoying "pop over" suggesting you install it, which I have to close each time. I've never installed it, and reading this very glad I didn't, I'm always suspicious of websites trying to push software as must have, even if it's banks doing it. My concern is banks moving towards making software like this mandatory, before they will allow you to log onto online banking. Go elswhere, well yes, for now, but if every bank insists on software like this? I've already heard banks can refuse to refund any fradulant transaction if they think you've not taken adequate protection. Would not installing the banks "recommended" software meen you haven't taken adequate protection? Yes I could go back to banking by phone (which is far less secure, of course) or in branches, but with more branches closing all the time, the latter probably won't be an option for much longer either.
Yes BOA pushes this:
https://www.bankofamerica.com/privacy/online-mobile-banking-privacy/trusteer-rapport.go
Then buy a work PC for home use.
Next problem?
deleting the extra space after periods so i can stay relevant, yeah.
from the company that provided the data processing automation for the Holocaust.
IBM - tracking your Jews and other undesirables since 1933 (R)
We have had to deal with Trusteer here at work. It is utter krap and will fubar normal Windows installs. Essentially the only way to get this to work is to dedicate a VM to it. We are lucky we only have to use it occasionally.
We play the game with the bravery of being out of range
No, it appears that YOU know nothing about IT.
Or more, likely, the shill is strong in this one.
It is a pretty normal and well understood process these days of requesting user permission for a specific upload of information to a vendor (for exmaple 'this program has crashed, can we please send the crash report back for analysis'
Them being allowed to scrape anything they damn well feel from your computer without any direct permission is, as anyone with a functioning brain knows, a HUGE step beyond that.
Yeah I trust IBM to only use the software to remotely collect *malicious* files from my system
Hey everyone! I've found somebody that trusts IBM!
Congratulations, Sir. You have joined a very elite club whose number (for some unfathomable reason) continue to shrink every day.
That is not the only way that (some) banks are incompetent at security. Their 'secure' internet banking sites only support SSL3 & TLS1.0, they prefer RC4 ciphers and do not offer any ciphersuites using PFS.
Luckily, those of us running businesses don't need to worry about this, because the regulators probably won't let banks assign liability for fraudulent use of our accounts to us if it was their own negligence or incompetence that resulted in any losses.
Oh, no, wait. That was for personal bank accounts used by private individuals. As a business, the situation is unlikely to be a happy one if anyone does compromise your accounts because of these kinds of obvious security problems and you lose money because of it.
I've actually met small business owners who refuse to use on-line banking to this day because of this one issue. Personally, my businesses treat on-line banking as a business risk, keep careful records as we do with anything, but refuse to use Rapport since it has been found to destabilise our systems.
If you disagree, post your argument. (-1, Overrated) isn't your personal censorship tool for views you don't like.
It doesn't work that way.
Usually, the software developer requires that you accept the EULA in order to get the right to use the software. Does that mean that you accepted the EULA if you use the software? It doesn't.
It means that if you use the software, you _either_ accepted the EULA _or_ you committed an act of copyright infringement. However, IBM cannot know which one. Therefore, they cannot do things that would be illegal if you didn't accept the EULA, like accessing your files.
(Many EULAs contain terms that allow you only limited amount of copying. That's completely legal, because either you accept the EULA and accept that you cannot make unlimited copies, or you don't accept the EULA and cannot legally make any copies at all. This EULA is different).
Yeah, don't use your general-purpose computer for multiple purposes, that's just crazy!
It is crazy. Stop doing that. Just stop.
I do all my banking (and brokerage etc) from an encrypted VM used only for that. Never cross the streams.
I figure my gaming box is infested with rootkits constantly at war with one another from game DRM. That's fine - only games go there.
I treat my general-purpose VM as suspicious, and if anything ever looks off I'll just re-clone it from the base image, but there's lots of malware these days that's damned hard to spot.
Other VMs are for short use for special purposes - banking, ripping, etc, and can be reverted to snapshots regularly.
Of course, all that's useless if you don't keep your VM software patched. VM escape exploits are quite rare, but there have been more than 0 of them!
Socialism: a lie told by totalitarians and believed by fools.
That's not the right answer, the right answer is "Tell your employer to buy you a computer for work use at home."
That's an improvement, but in many cases a better answer will be "Don't work from home at all, and if your employer doesn't like it, find a better employer".
The way it's just taken for granted that a lot of staff will continue to work outside office hours is a damning indictment of employment culture in some places today. This is just like the debate over BYOD vs. employers providing a separate company phone, where it is often taken as axiomatic that everyone needs company stuff on a phone somewhere so their boss can hassle them out of hours. If you're explicitly on call, and being compensated accordingly, fair enough. Otherwise...
If you disagree, post your argument. (-1, Overrated) isn't your personal censorship tool for views you don't like.
I work with teams in the U.S. and Canada, Mexico, Britain, Australia, India, and the Philippines. I have no normal working hours any more.
But my employer does not require me to do 8-5 and will other hours. An 11pm call either leaves me staying the next day at 10am, or
taking the 2nd day off.
deleting the extra space after periods so i can stay relevant, yeah.
Oh cute. You think a VM is going to protect you from the host.
I think he runs everything in a VM -- different VM's for different tasks, the only thing the host does is run the VM's.
If this is the case, this does give him good protection from malware - even if the VM used for downloading pirated software gets infected by malware, it's going to be hard (but not impossible) for it to infect the host then then jump to his online banking VM.
There exists the possibility that someone knows how IT works and yet still does not approve.
I wonder who was the genius who consulted the banks on this one, but my recommendation is to fire him.
Out of a cannon.
From the top of your HQ building.
I do consultant work in the banking area. And the VERY LAST thing you need in this time and age is your customer to lose trust in you. It's the ONLY friggin' thing you still have, for crying out loud! And it's not like you're swimming in it in the first place, do your research (we did), the average customer places little trust in you. The only group of people that beats you in terms of untrustworthiness is politicians and other criminals.
The other end of the spectrum is God. Yes, people place more faith in their imaginary friend these days. THAT's how far we got.
Now, I know that you're not after their personal photos and their game cracks. Because you don't care about that shit. And yes, I have had that discussion with various banks and various security companies myself. But, and this is the critical part here, you HAVE TO keep your customer in the illusion that HE is in control. That HE gets to say if and whether you get any kind of data from him. That is CRITICAL!
This will create a huge stink now. When all you had to do it is add a simple dialogue saying "Oh, there's something fishy here, we found this file and it looks like malware. Your security and that of your money is our primary concern, and we have this partner here who is our security expert, they'd look at it FOR FREE, we foot the bill, since our business has always been to make banking a safe and secure biz. You ok with sending us that file?"
9 out of 10 people click yes on this anyway (run the phrase through your PR goons a few times, add a little fear mongering and it's 99 out of 100). Screw the 1% error margin, you get what you want and instead of now being seen as yet another power hungry, data grabbing leech you'd be the saint.
Fuck, how did you drop the ball on marketing? That's the ONLY thing you're still good at!
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
Of course it works with XP! XP has by some margin the highest level of compatibility with malware.
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
Oh, I checked. The website made it sound like it was some sort of antivirus program that no one had ever heard of. When asked about it, some customers didn't even know what it was or how it had gotten on their computers. It installed a filter driver for all network adapters and at least two machines weren't getting online at all because of it malfunctioning. All of the customers already had an antivirus solution installed. Rapport started popping up on computers in the era of fake security software.
You should probably get some detail before jumping to conclusions.