HSBC locks browsers with anti-malware filter
Tames browser hijacks.
By John E Dunn | Techworld | Published: 15:29, 23 February 2010
HSBC has started nudging its online bank customers to download a free security app it reckons can protect them from the predations of banking Trojans, phishing, and keyloggers.
The application in question is actually Trusteer's Rapport browser plug-in, which protects a user's the browsing sessions while visiting specific websites. The plug-in embedded its own default selection of banking institutions (including HSBC and Alliance and Leicester in the UK), but the user can add additional ones as they choose, although this limits some security features.
When visiting one of these sites, Rapport blocks any attempt to take control of the session by malware, which could include man-in-the browser, keylogging and screen capture, session hijacking, and DNS redirection hijacks.
Related Articles on Techworld
Other invisible layers of protection include secure DNS via Trusteer's site - a block on redirection attacks - and a secure internal store for all data worked on during an online banking session. Bank IP addresses are verified and communication to and from the bank site is encrypted, a feature Trusteer points out is also useful when using open public Wi-Fi hotspots. Users can monitor and configure the app using a green (on) or grey (off) icon which installs itself on the browser toolbar.
"Download rates have surpassed our most optimistic expectations," said HSBC's digital security manager, Nick Staib. "Rapport is software that I use myself and I am happy recommending to friends."
The app allows for some nice features such as receiving a weekly report on different types of security and browsing events, and there is also an optional feature to allow Trusteer to remotely collect data on any attacks encountered.
It is worth noting that any bank or site not embedded within the app will face some limits on the security features it can access. Rapport does not support full traffic encryption for added sites (only for passwords on these sites), screen grabbing protection will not work, and fraud and transaction tracking, which requires bank involvement, is obviously turned off.
Rapport is really the thin edge of a slowly growing movement, that of whitelisting. The principle behind this is that a user does not know which sites are malevolent but does know the few sites that are not. Focussing on securing access to these is the conceptual strength of its design.
Unlike some past attempts at securing browsers through plug-ins, rapport is also pleasingly low-key. Installation happens in seconds, requires no browser reboot, and seems to consume almost no memory. Turning the app off involves entering a CAPTCHA.
Supported browsers include Microsoft's IE, Mozilla's Firefox and Google's Chrome, and works on Windows XP, Vista and 7, as well as Apple OS X Tiger. The application is free as long as the number of protected websites (including those already embedded) does not exceed 100.
Anyone not downloading the app through a supported partner should visit the Trusteer website.