Bank Security Software EULA Allows Spying On Users

An anonymous reader writes: Trusteer Rapport, a software package whose installation is promoted by several major banks as an anti-fraud tool, has recently been acquired by IBM and has an updated EULA. Among other things, the new EULA includes this gem: "In addition, You authorize personnel of IBM, as Your Sponsoring Enterprise's data processor, to use the Program remotely to collect any files or other information from your computer that IBM security experts suspect may be related to malware or other malicious activity, or that may be associated with general Program malfunction." Welcome to the future...
  • by Anonymous Coward on Thursday December 11, 2014 @07:12PM (#48577375)
    We're working with our internal legal folks to force this clause out of the EULA for all of our customers.

    Just letting you guys know that some of us do give a shit. Can't say which bank though.
    • Good for you. But will it change how the software works in any way?

      • by markdavis ( 642305 ) on Thursday December 11, 2014 @08:47PM (#48578085)

        It certainly won't change the fact that we can't run it on Linux and it is a pain in the ass under any platform.

        Trusteer Rapport is a HORRIBLE idea and many businesses are being FORCED to deal with it because it is essentially mandatory for many banks (looking at YOU, Suntrust).

        It is a totally unacceptable "solution" from an I.T. department perspective. And it is also unnecessary for many situations, if they just allow us some additional common-sense controls (like limiting access to just certain IP addresses, or using hardware token devices).

    • We're working with our internal legal folks to force this clause out of the EULA for all of our customers. Just letting you guys know that some of us do give a shit. Can't say which bank though.

      Very cool! Good on you guys. I'm glad that not everyone is just taking this new clause lying down.

    • by hazeii ( 5702 )

      This software (peddled by my bank for years) claims to protect against keyboard intercepts - on Windows.

      Snake oil of the first order.
    • I think that's wise, since I can't imagine it holding up in court.

      • For individuals, probably not, at least not if you're somewhere like Europe where consumer protection and data protection laws tend to be taken reasonably seriously. I'm not sure how I'd rate my chances in most US jurisdictions without real legal advice, though.

        For businesses, it could be a completely different story. For example, here in the UK, there are blanket consumer protection rules that make unfair contract terms unenforceable, but those rules do not extend to business-to-business contracts. Arguing

    • Let us know which bank. I'm sure some of us would switch!
  • Shop elsewhere (Score:5, Insightful)

    by ysth ( 1368415 ) on Thursday December 11, 2014 @07:14PM (#48577389)

    If a bank/CD/whatever other crazy thing requires you to install software to use it, take your business elsewhere.

    • >"If a bank/CD/whatever other crazy thing requires you to install software to use it, take your business elsewhere."

      You try telling that to your Finance Department or Board. We did- and it fell on completely deaf ears.

  • I just read through the Bank of America Online Banking Service Agreement, and I don't see anything like this, nor is there any mention of IBM. Reading the Wikipedia page, it seems this is software used -inside- a bank.

    • by mlts ( 1038732 )

      I was wondering that. When used with a website, it would have to be a browser extension.

      In any case, this isn't too hard to defeat, just run it in a VM or a sandbox, and call it done.

    • Re: (Score:2, Informative)

      by Anonymous Coward

      Yes BOA pushes this:

      • Let's be clear: This is an Opt-In "feature". It is neither mandated nor included by default.

        (That doesn't make it less objectionable, but it does clarify how it could get onto your computer.)

        • >"Let's be clear: This is an Opt-In "feature". It is neither mandated nor included by default."

          That completely depends on the bank and the type of account. It was not optional with Suntrust business accounts. We are forced to use that s**t.

          • Well, the original thread was on BOA. Sounds to me like your business needs to change its bank.

            • I wish we would. My pleas to Finance and Admin have been pretty much ignored. They don't think it is a big deal.

  • Not required - yes (Score:4, Interesting)

    by joncombe ( 623734 ) on Thursday December 11, 2014 @07:24PM (#48577489) Homepage
    I use a bank that likes to push this software. Every time I log into the online banking you get an annoying "pop over" suggesting you install it, which I have to close each time. I've never installed it, and reading this I'm very glad I didn't. I'm always suspicious of websites trying to push software as must have, even if it's banks doing it. My concern is banks moving towards making software like this mandatory, before they will allow you to log onto online banking. Go elsewhere, well yes, for now, but if every bank insists on software like this? I've already heard banks can refuse to refund any fraudulent transaction if they think you've not taken adequate protection. Would not installing the bank's "recommended" software mean you haven't taken adequate protection? Yes I could go back to banking by phone (which is far less secure, of course) or in branches, but with more branches closing all the time, the latter probably won't be an option for much longer either.
    • by apraetor ( 248989 ) on Thursday December 11, 2014 @11:00PM (#48578799)
      Nail on the head. The recent trend towards use of debit cards attached to checking accounts is worrying; if used fraudulently you can be liable to $500 or more. On the other hand, a traditional credit card comes with a $50 max liability if the card is lost/stolen, and if the card numbers are stolen (but not the card) then you have $0 liability. I wouldn't be surprised to find out that the shift toward debit cards is supported wholeheartedly by the banks wanting to reduce their losses to theft -- they give you a nice shiny debit card with a credit card company logo as proof of trustworthiness and ease-of-use, and never mention your increased exposure.
    • by AmiMoJo ( 196126 ) *

      I've noticed some mobile banking apps try to report back to the bank that your device is rooted, presumably so they can refuse to pay out in the event of fraud. For example, the Lloyds Banking app does it. Fortunately I firewalled it before opening it so I was able to see the report going out (and being blocked) moments before the "sorry, your device is rooted, can't run this app, use the web site" message appeared.

  • I've been uninstalling the crap out of that program every single time a customer walks in with it installed because I didn't know what it was and I didn't like how invasive it appeared. It's good to know I was doing them a favor.
    • > I've been uninstalling the crap out of that program every single time a customer walks in with it installed because I didn't know what it was

      So all of these customers chose to install something, and without knowing what it was, you just took it upon yourself to remove it. All this time you've been "uninstalling the crap out of it every single time", you didn't take 10 seconds to check Google and find out what it is?

      You might be very, very bad at your job.

      • Oh, I checked. The website made it sound like it was some sort of antivirus program that no one had ever heard of. When asked about it, some customers didn't even know what it was or how it had gotten on their computers. It installed a filter driver for all network adapters and at least two machines weren't getting online at all because of it malfunctioning. All of the customers already had an antivirus solution installed. Rapport started popping up on computers in the era of fake security software.

        You s
  • by iggymanz ( 596061 ) on Thursday December 11, 2014 @07:34PM (#48577577)

    from the company that provided the data processing automation for the Holocaust.

    IBM - tracking your Jews and other undesirables since 1933 (R)

    • Well, I guess if this was 1933 you would have a valid point, but why just IBM? Why not Mitsubishi, who used captured soldiers/civilians as slaves? I'm betting there are quite a few German companies that did bad things during WW2 we can lump in too, huh? As far as trust, I don't know 1 corporation that can be trusted. They all have been fined or got publicly exposed for poor security; Target comes to mind.
    • Clearly, pens are immoral.

  • Trusteer is KRAP! (Score:5, Informative)

    by Sir_Eptishous ( 873977 ) on Thursday December 11, 2014 @07:35PM (#48577583) Homepage
    We have had to deal with Trusteer here at work. It is utter krap and will fubar normal Windows installs. Essentially the only way to get this to work is to dedicate a VM to it. We are lucky we only have to use it occasionally.
  • The problem is not technology. The problem is the lack of legal protection or extension of the bill of rights to your data on your own property.
    To the guy suggesting we all run a virtual machine specifically to use online bank software: people shouldn't have to learn networking visualization because of a clause buried in a EULA.
    Check out this documentary: Terms and Conditions May Apply: http://www.imdb.com/title/tt20... [imdb.com]
  • What does IBM plan to do with the collected information? If malware is present, will IBM inform you of that fact, or simply record what type it is for their records? Will IBM remotely remove said malware and then expect payment from us for doing so? Hmmm.
  • Such automatic shrink wrap electronic contracts are illegal if used by dual citizens of the EU and/or Canada resident in the US, under the terms of the Data Treaties the US Senate signed.

    Just saying.

  • Failure in EULA (Score:4, Interesting)

    by gnasher719 ( 869701 ) on Thursday December 11, 2014 @08:32PM (#48577979)
    It doesn't work that way.

    Usually, the software developer requires that you accept the EULA in order to get the right to use the software. Does that mean that you accepted the EULA if you use the software? It doesn't.

    It means that if you use the software, you _either_ accepted the EULA _or_ you committed an act of copyright infringement. However, IBM cannot know which one. Therefore, they cannot do things that would be illegal if you didn't accept the EULA, like accessing your files.

    (Many EULAs contain terms that allow you only limited amount of copying. That's completely legal, because either you accept the EULA and accept that you cannot make unlimited copies, or you don't accept the EULA and cannot legally make any copies at all. This EULA is different).
    • Might keep 17 U.S. Code § 117 in mind.

      Copying for purposes of backing up your software is legal. Period.

    • It means that if you use the software, you _either_ accepted the EULA _or_ you committed an act of copyright infringement.

      It would be interesting to see what specialist lawyers in various jurisdictions would make of that argument.

      If when you use the software you also rely on any permission granted by the EULA that you wouldn't otherwise have, this could be instant game-over if it was considered to imply that you had agreed to the EULA as a contract for that reason instead. And if you explicitly agreed to the EULA to download the software in the first place, that's probably instant game-over as well. But if you were relying on th

    • by AmiMoJo ( 196126 ) *

      The EULA is usually just a text file. You can edit it freely before installing the software, and then agree to whatever edits you made. In my experience they never bother to see if you made any changes, they just accept them blindly.

    • Why is any use without accepting the EULA illegal? Just because somebody says I have to sign a paper to use something I just bought doesn't mean I have to. (Doubtless some software is set up so getting around the EULA would fall afoul of the DMCA, but I'd be interested in knowing what I could do with a legitimately acquired copy of the software if I managed to legally bypass the EULA acceptance.)

  • Does this ' Bank Security Software ' work on Microsoft Windows?
  • "Welcome to the future. A pity you are too late to stop it. No one can stop me now!"

  • by Anonymous Coward

    Not everyone has this luxury, I understand, but surely 99% of the population can do without it?

    How much convenience are most customers really getting over using in-bank kiosks and ATM machines in order to configure automated payments and the like?

    Maybe it's just me, but I think banks being exposed to the Internet for what appears to be a small amount of convenience is just insane.

  • It _has_ to be secure.

  • Why are banks pushing this crap in the first place? I can't see entities like Bank of America spending their own money on security stuff unless it's going to cost them more money not to.

    • Why are banks pushing this crap in the first place? I can't see entities like Bank of America spending their own money on security stuff unless it's going to cost them more money not to.

      You are absolutely correct with your assessment. And your conclusion.

    • by ShaunC ( 203807 )

      Why are banks pushing this crap in the first place?

      For one, because they believe it allows them to shift liability for fraud onto the consumer. "Oh, your online banking credentials were compromised and your life savings was irrecoverably transferred to Outer Elbonia? And you didn't have our Trusteer software installed, as required by our terms of service? Very sorry to hear that, I guess you're shit out of luck, maybe you can ask the federal government to bail you out (insert raucous laughter here)."

  • I get prompted to download this regularly by my bank. However I use Linux, and they don't produce a Linux version. No idea if they plan to do so either.

    Strangely, I'm not that concerned. I would download and use if I used Windows though, even with the new EULA.
  • by Opportunist ( 166417 ) on Friday December 12, 2014 @03:16AM (#48579599)

    I wonder who was the genius who consulted the banks on this one, but my recommendation is to fire him.

    Out of a cannon.

    From the top of your HQ building.

    I do consultant work in the banking area. And the VERY LAST thing you need in this time and age is your customer to lose trust in you. It's the ONLY friggin' thing you still have, for crying out loud! And it's not like you're swimming in it in the first place, do your research (we did), the average customer places little trust in you. The only group of people that beats you in terms of untrustworthiness is politicians and other criminals.

    The other end of the spectrum is God. Yes, people place more faith in their imaginary friend these days. THAT's how far we got.

    Now, I know that you're not after their personal photos and their game cracks. Because you don't care about that shit. And yes, I have had that discussion with various banks and various security companies myself. But, and this is the critical part here, you HAVE TO keep your customer in the illusion that HE is in control. That HE gets to say if and whether you get any kind of data from him. That is CRITICAL!

    This will create a huge stink now. When all you had to do is add a simple dialogue saying "Oh, there's something fishy here, we found this file and it looks like malware. Your security and that of your money is our primary concern, and we have this partner here who is our security expert, they'd look at it FOR FREE, we foot the bill, since our business has always been to make banking a safe and secure biz. You ok with sending us that file?"

    9 out of 10 people click yes on this anyway (run the phrase through your PR goons a few times, add a little fear mongering and it's 99 out of 100). Screw the 1% error margin, you get what you want and instead of now being seen as yet another power hungry, data grabbing leech you'd be the saint.

    Fuck, how did you drop the ball on marketing? That's the ONLY thing you're still good at!

  • Mandiant's Managed Defense does this as well. As did the Incident Response actions that any responders do when they try to understand *what* was xfilled. So, get over it. IBM is just limiting liability.
  • Lots of apparent confusion here as to what Trusteer is and isn't.

    Trusteer is sold as a "holistic" solution. I don't have much experience with what they do in the browser, but it's also built into mobile banking apps. It's an anti-fraud measure (which isn't inherently bad, we all like to keep our money), and as such it's always used in a customer-facing way, not inside a bank. Most customers using mobile banking apps will probably never see a Trusteer EULA, as this would be covered by the bank's own legal bo