I suspect that end users are not the only victims. I see a lot of little banks on the list, and hardly any of significant size.

There's a simple reason. When you "uninstall" it, why does it leave ANYTHING? After all, if you are getting rid of that programme you will want EVERYTHING deleted, you want no reference to the programme what you are getting rid of.

If you want to get rid of stuff use CC Cleaner and clean the registry, and the rest of the computer, and you see most times what is hanging around IF, and I do mean IF, you really know the base words you are looking for.

Expert says that it is ‘almost inevitable’ crooks will take advantage of ‘flaw’

Millions of online banking customers are at risk of fraud because of a “fundamental” flaw in key security software, The Times has learnt.

Major British banks, including HSBC and Santander, strongly advise customers to install specialist software called Trusteer Rapport in order to protect themselves from fraudsters when logging into banking websites.

At least seven million customers have installed the software, which promises to verify that a bank’s website is genuine and to block keyloggers and other malicious software that is used by criminals to steal users’ banking details.
NatWest, the Royal Bank of Scotland, HSBC, Santander, first direct, The Co-operative Bank and Nationwide all actively promote Trusteer to their customers and offer it for no charge. Some force users to click through a screen recommending that they download the software before they can log into their online banking account.

But Times Money has seen evidence that the software’s keylogger protections — designed to prevent fraudsters recording users’ login and credit card details — can be hacked by computer security specialists with “minimal effort” in less than a minute, and that the program signposts how to do this in the names it gives to various functions.

Criminals can turn off keystroke encryption or can “listen in” as the information passes through Trusteer, in both cases without the program being aware of it, allowing them to steal banking login names and passwords and other financial details.

Neil Kettle, a computer security researcher who discovered the problem, says that it was “almost inevitable” that criminals would start exploiting the weakness, particularly because the software allows them to identify online banking customers.

Mr Kettle, who has a PhD in theoretical computer science, and has previously exposed flaws in Apple Macs, says: “I have shown that getting around the keylogger protection is trivial for those with hacking knowledge. In fact, Trusteer give you the means in their own software to decrypt the keys.” Customers who use it are “effectively putting a big target on their back”, he adds.

“If you put in a check that Trusteer is there, 99 per cent of times you know that machine is used for accessing online banking.”

Rik Ferguson, a web security analyst at Trend Micro who has seen the code, explains: “It is designed to hook in to the internal interfaces that relay keystrokes, and so by doing that can capture what you type into the computer.”

Information such as a customer’s banking login or credit card details could then be relayed back to a fraudster making use of this flaw.

Mr Ferguson says that this “undermines one of Trusteer’s key claims”, but adds that consumers should be wary of relying on a single piece of security software anyway.

“A layered approach of security is the right approach. A machine has to be compromised in the first instance to enable this code to run on it, so you need to have something to stop you visiting known malicious websites.”
In order to be used to subvert Trusteer, the code must be installed and run on a victim’s computer. This can be done without the victim’s knowledge by using a Trojan, such as those that secretly download the software when a person uses peer-to-peer websites or is tricked into clicking on a link in an e-mail.

Mr Kettle believes that it is “almost inevitable” that fraudsters will exploit the design flaw he has highlighted, though he is not aware of any malware currently exploiting the weakness.

“Knowing it’s so monumentally simple to get round the keylogger protection in the way that I did, it’s hard to believe that malware developers aren’t smart enough to figure it out,” he says.

This view is shared by Professor Ross Anderson, one of Britain’s leading card fraud experts, who says that it is only “a matter of time”.

“In our experience if something can be exploited it will be. There are lots of greedy people out there in places like Russia and Brazil and so on, where law enforcement is corrupt or nonexistent,” he says.

In a written statement, Trusteer said that it had managed to fix the flaw by ensuring that part of the program alerted the software when someone made an unauthorised attempt to access the driver. A spokesmen added: “Existing customers do not need to take any action, as the update is automatic. Trusteer is constantly working with security researchers to improve its products,” it stated.

The company told Times Money that the patch to fix the problem would be rolled out to customers at the time of the next regular update in about two weeks However, Mr Kettle questioned whether this would fix the flaw because “there is no operating system which allows you to lock down access to their kernel driver” in the way that Trusteer claims. Even if this were possible, he said that it would be easy for a fraudster to incorporate Trusteer’s own code into malware.

Trusteer was unable to provide a copy of the update that it said had fixed the problem in time for this article but a spokesman said: “Trusteer Rapport has the ability to capture, from within the operating system kernel, any process that accesses any of its objects (or other objects such as the browser). At this point it is capable of inspecting the complete process code. If it’s not a Trusteer code then Rapport can block it, kill it, or remove it.”

Trusteer Rapport is widely used by banks in the United States, Canada, South Africa and Ireland as well as the UK, and the software company’s website claims to have had 24 million worldwide downloads.

A typical notice — in this case on the Santander website — reads: “We strongly recommend you download the free Rapport security software to help guard yourself against internet banking identity theft and fraud.”

RBS states that more than four million customers have downloaded the software, and a spokesman for Santander said that two million out of its 3.5 million online banking customers use it. It has previously been reported that at least one million HSBC customers have downloaded it in the UK.

A spokesman for HSBC said that it believed the software to be secure and that it had “proved very successful in protecting our customers”.

Times Money readers who use the software are advised not to uninstall it because it provides protection against other threats, but they should be extra vigilant.

Doriena Koldenhof, of Financial Fraud Action UK, says that her advice would be that “if your bank offers it, it’s important to use it just to add an extra level of security”. She adds that it offers protection against other types of fraud, such as verifying that a customer was using the bank’s genuine website, thereby preventing phishing attacks.

Many banks issue card readers that require users to have their credit or debit card present and to enter their pin before making payments from their online account.

This is not affected by the flaw in Trusteer Rapport, but the card reader does not prevent “card-not-present fraud”, such as using stolen details to shop online. According to Which?, card fraud costs the UK £1.2 million a day, and card-not-present fraud is responsible for the most losses.

If an unauthorised payment is taken from a customer’s account, the bank must refund the money when it is notified. It can refuse to refund money only if it can prove that the customer authorised the payment, or deliberately, or with gross negligence, failed to protect the card details.

Victims of fraud on debit and credit cards can be liable for no more than £50 unless they have been grossly negligent — for example, by writing down the pin and leaving it near the card.

But Professor Anderson says that in these cases banks have unfairly blamed customers who have been the victims of fraud. He says: “What the banks routinely do is simply claim that you must have been negligent. If you manage your money online, then what happens if there’s a dispute is the bank will say ‘Sorry, your password was used, it’s your fault’.”

How to stay safe online
• Be alert to phishing e-mails that purport to come from your bank and ask for your login details and password.

• Never click on an attachment in a spam e-mail, and use a filter to avoid getting junk messages in your inbox.

• Think about opening a free online e-mail account to use for online shopping and site registration. Give out your personal e-mail address only to friends.

• Always type your bank’s web address into your browser rather than going through an e-mail link.

• Look for the padlock or unbroken key in the bottom of your browser window to check you are using a secure website.

• Use anti-virus software and a personal firewall on your computer and make sure you keep it up to date.

• Consider using anti-spyware software and always install the latest security updates for your browser and operating system.