Bank of America Offering Trusteer’s Rapport Plug-in to Protect Online Banking Customers

image If there was any question as to whether Trusteer  had become the industry standard in online banking protection, it was answered this week. Bank of America is now offering the optional Rapport protection to its 29 million online banking customers. Ann Carrns in the NY Times Bucks blog wrote about it a week ago, but I guessed I missed it in all the April Fools Day commotion.

ING Direct was first to offer the program, launching in May 2008. Since then dozens of financial institutions have followed including Zions, PSECU, CIBC, PayPal, Santander, RBS and about 70 more (see full client list below in note 2).

In total, Trusteer says it’s been downloaded more than 20 million times.

Analysis: It’s a good move by Bank of America. While Rapport does not protect from all possible threats, it does seem to provide material improvements. The bank gets a double benefit: less fraud and improved perceptions from customers concerned about security.

The program is not without downsides, however. It requires a download and installation, though thankfully not a full reboot (see second screenshot). And like any software program, there are real and perceived compatibility and performance issues (see the comments on the NY Times blog entry).

Bank of America would be wise to make it easier for customers to find out more info on the program. There is only a tiny link buried at the bottom of the interstitial ad for more info. And that screen goes away after you press the download button.

Users who are surprised by the download warning, and even worried that they’ve been attacked by a virus, will find it difficult to find more info at that time. Rapport is not yet mentioned in the bank’s security area accessible from online banking. Only by going back to the public site and searching for “Rapport” was I able to find the page offering more info (third screenshot).

Many users are going to need more hand-holding and reassurances before they install the program (note 1). The bank could save itself, and its customers, from thousands of harried support calls, by adding a detailed a “how it works” tutorial integrated into the interstitial.

Bank of America interstitial ad after online banking login (7 April 2011, 2 PM):

Bank of America interstitial ad after online banking login

To use the service, users must download and run an executable file (Windows version below, there is also a Mac version)

To use Rapport, BofA users must download and run an executable file

Bank of America Trusteer Rapport info page (link)

Bank of America Trusteer Rapport info page


1. For more info on Trusteer and other security topics, see Online Banking Report: New Security Techniques (Sep. 2008)
2. Trusteer financial clients (per company)

Out of the Inbox: ING Direct Reinforces Security Protections

image No matter how long you’ve been banking online and no matter how good you are at keeping your computer virus- and malware-free, there’s always the nagging concern that this could be the time where you end up as part of the national fraud statistics.

That’s why banking websites need to maintain a solid “perception of security” around the login box. Those padlocks, security FAQs, and so forth are an important reminder to customers that the bank is doing all it can to protect their money.

But it’s also important to reach out every once in a while, annually should be enough, through email and statement messaging, to summarize all the protections you’ve put in place. Saturday, we received just such a message from ING Direct (see below).

As usual, the direct-banking giant did a great job marrying conversational text with its trademark minimalistic graphical style to reassure customers that they are safe banking online at ING Direct.

The bank has long been ahead of the “security curve,” at least in the United States. It was first with a pin pad for secure password entry. It was one of the first with a security-challenge question and personalized anti-phish emails. More recently, they were the first bank in the world to deploy Trusteer’s Rapport browser plugin.

ING Direct USA email to customers outlining security precautionsSaturday’s email discussed four security features:

  • How to identify legitimate emails from phishy ones
  • Reminder to look for your pre-selected image and phrase at login
  • Explanation of the pin pad for secure data entry
  • Encouragement to register your computer

One other area that could have been addressed is mobile-phone security. Smartphone users have significant security concerns about mobile banking. The bank missed an opportunity to address them and tout its relatively new iPhone app as well.

But, all-in-all, it’s a worthy effort from ING Direct, and something every financial institution should have in its annual messaging plan (note 1).

Email Header



Date: Sat., Oct 16, 2010, at 10:39 AM

Subject: Here’s how we protect you


Note: For more info on possible customer messaging topics, see the most recent Online Banking Report.

SmartyPig Allows Customers to Choose Level of Account Detail in Email Communications

image SmartyPig is the first of my personal banking accounts that allows me to choose the level of detail provided in email alerts. The startup just moved away from sending detailed info in all messages to offering the option to receive a general notification that requires logging in for specific balance/transaction info (see below; link to SmartyPig blog post).

This is a basic level of customer choice that every financial institution should put into their product roadmap. For me, and a great many customers, alerts are practically worthless if they don’t include some detail on the transaction. On the other extreme, many customers are not at all comfortable with actual data being included in an email and won’t use alerts if that is the only choice. Most customers fall somewhere in between. 

In the future, it won’t be a black-and-white decision. Users will be able to select varying levels of detail depending on the account, balance level, email address used, time of day and so on.


And while we are talking about SmartyPig, check out their very thorough security section. The startup covers far more ground than most financial institutions.  Here are the topics covered:

  • White-hat hacker tested via Primeon
  • Verisign Extended Validation SSL
  • Security scanned daily by McAfee
  • TRUSTe privacy seal
  • FDIC info for its banking partner
  • Secure login
  • Firewall
  • Encryption
  • Constant surveillance
  • Technology updates
  • Browser support

Note: For more info on email alerts, refer to our most recent Online Banking Report.

Bank of America Cleaning Up its Customer Records at Login, but Why the Phone Call?

This is a somewhat perplexing message to receive after logging in to online banking. It seems almost phish-like (especially with that old-school corded phone in the picture):

A recent review of your account indicated that we are missing your date of birth. We use this information to help verify your identity. Please call us at the 1.800 Customer Service number on the back of your credit card so we can update your file.

I guess I can understand the bank wanting my birth date, but it brings to mind several questions:

  1. Why are they asking me now? I’ve three accounts there, with one dating back to the 1980s. Is something wrong? Has my account been accessed by someone else? Then my more cynical side thinks, did this request come from the marketing dept. or the security folk?  Bottom line: the bank should provide a more detailed explanation via a “more info” link.
  2. I have to CALL, really? Why can’t I do this online? Will I have to endure a cross-selling session when I make the call? Will I have to go through the entire phone tree to get to an operator? The least the bank could do is provide a direct line for the task.

The whole thing seems like a ridiculous waste of time. A five or ten-minute journey through call center menus in order to provide six numbers to a live operator. Plus, won’t this extra call-in requirement drastically reduce user response? 

Bank of America interstitial after logging in to online banking (14 Oct 2009, 5 PM Pacific)


PSECU offers free Trusteer anti-malware browser plug-in

image Pennsylvania State Employees Credit Union is the latest big-name client for Trusteer’s anti-malware Rapport browser plug-in. The CU’s 350,000 members, or anyone else for that matter, can now download the free program via a link on the PSECU security page.

Current clients of Trusteer:

For more information and analysis, see previous posts on Trusteer and our Online Banking Report on New Security Techniques.

Trusteer homepage showcases ING Direct and PSECU (8 June 2009)


PSECU “security software” page (link, 8 June 2009)


Trusteer’s Rapport Security Solution Now Available at UK’s RBS and NatWest

image Last May, Trusteer launched an optional added security measure for customers of ING Direct in the United States (note 1, see previous post). Although, it’s not perfect, users of the Rapport service are less vulnerable to viruses and malware running on the their PCs. We gave the new service an OBR Best of the Web award last fall in our Online Banking Report on Security Innovations.

Although, ING Direct is a great reference account, being endorsed by Royal Bank of Scotland, really puts Trusteer on the map. The security solution is offered for download at both Royal Bank’s RBS and NatWest sites (see screenshots below). Anyone visiting the banking sites can download the software, you don’t have to be an RBS/NatWest customer. 

Trusteer also lists Huntington Bank as a customer but there is no mention of Rapport on the bank site yet. Other providers include Authentium’s SafeCentral (note 2) and Check Point’s ZoneAlarm (note 3). 

Bottom line: Security is an issue for many bank customers, now more so than ever. Extra security options deserve consideration to improve customer satisfaction/trust and help reduce fraud losses. 

Rapport download page at NatWest (link, 23 March 2009)


Rapport download page at RBS (link, 23 March 2009)


1. Later ING Direct Canada and ING Direct’s Sharebuilder added Rapport support.
2. Authentium demo’d SafeCentral at FinovateStartup 2008 (video here). A new version of SafeCentral is in the works. 
3. Check Point demo’d ZoneAlarm at Finovate 2008 (video here).

Stealth Finsphere Corp Lands $10 mil for Mobile Transaction Verification Services

imageLast week, the Puget Sound Business Journal reported on a Pacific Northwest stealth startup that’s receiving a lot of attention from Silicon Valley, at least measured in dollars. The $10 million round for Finsphere is an impressive endorsement, especially given the apparent involvement of prominent VC Mohr Davidow.

There’s not a lot we know about the company other than the founders are out of the wireless industry, and the company’s services are described as “location-based transaction verification services.” That sounds like using the GPS-based or triangulated location of mobile phone users to authenticate card transactions and/or online banking logins. Armed with the GPS reading, card companies would know that you (or at least your mobile phone) are where your credit card activity says you are, e.g., buying a tank of gas in Washington D.C.

With GPS capabilities coming to the iPhone next month, this could be a very large market indeed. If we are right about the product, we’ll try to convince the company to demo at one of our Finovate conferences.