Bank of America Offering Trusteer’s Rapport Plug-in to Protect Online Banking Customers

If there was any question as to whether Trusteer had become the industry standard in online banking protection, it was answered this week. Bank of America is now offering the optional Rapport protection to its 29 million online banking customers. Ann Carrns in the NY Times Bucks blog wrote about it a week ago, but I guess I missed it in all the April Fools Day commotion.

ING Direct was first to offer the program, launching in May 2008. Since then, dozens of financial institutions have followed, including Zions, PSECU, CIBC, PayPal, Santander, RBS and about 70 more (see full client list below in note 2).

In total, Trusteer says it’s been downloaded more than 20 million times.

Analysis: It’s a good move by Bank of America. While Rapport does not protect from all possible threats, it does seem to provide material improvements. The bank gets a double benefit: less fraud and improved perceptions from customers concerned about security.

The program is not without downsides, however. It requires a download and installation, though thankfully not a full reboot (see second screenshot). And like any software program, there are real and perceived compatibility and performance issues (see the comments on the NY Times blog entry).

Bank of America would be wise to make it easier for customers to find out more info on the program. There is only a tiny link buried at the bottom of the interstitial ad for more info. And that screen goes away after you press the download button.

Users who are surprised by the download warning, and even worried that they’ve been attacked by a virus, will find it difficult to find more info at that time. Rapport is not yet mentioned in the bank’s security area accessible from online banking. Only by going back to the public site and searching for “Rapport” was I able to find the page offering more info (third screenshot).

Many users are going to need more hand-holding and reassurances before they install the program (note 1). The bank could save itself, and its customers, from thousands of harried support calls by adding a detailed “how it works” tutorial integrated into the interstitial.

Bank of America interstitial ad after online banking login (7 April 2011, 2 PM):

To use the service, users must download and run an executable file (Windows version below; there is also a Mac version):

Bank of America Trusteer Rapport info page (link)

——————–

Notes:
1. For more info on Trusteer and other security topics, see Online Banking Report: New Security Techniques (Sep. 2008)
2. Trusteer financial clients (per company)

Trusteer Quantifies the Biggest Online Banking Security Weakness: The End User

I’ve often wondered how many people use the same username/passwords at their bank as they do at other random websites. I figured it was a substantial number, but never expected it to be as high as the 73% Trusteer cited in a recent white paper (note 1). That’s why most financial institutions have used “multi-factor authentication” for years.

One of the most common multi-factor techniques is to ask additional questions if the bank detects a login from an unknown computer. However, it’s possible that these same people are also using the same “secret question” answers at non-secure websites, defeating this multi-factor approach.   

Luckily, it’s still relatively difficult to remove money from most U.S. consumer accounts because online interbank transfers are more tightly controlled, or simply not offered. However, if crooks are able to log in to online/mobile banking and determine the user’s account numbers (debit, credit, or checking), a number of more lucrative frauds can be engineered.

What’s a bank to do:

  • Use secret questions that are not commonly used across the Web. Or allow users to create their own, but caution them not to use ones they see at other non-banking websites.
  • Create an additional out-of-band authentication process (e.g., text message an approval code) for moving funds out of an account.
  • Do not allow online banking users to see their own account numbers online (note 3)
  • Educate/encourage customers to use different username/password for online banking than for other non-financial sites
  • Financial institutions using Trusteer’s Rapport service can identify which customers are sharing username/passwords at less-secure sites and ratchet up internal fraud control settings for these customers

And the most effective method, which we don’t recommend because it’s just too painful for the user experience:

  • Force users to make more challenging usernames and/or passwords, such as those with a capital letter, number and/or special character

Silicon Valley Bank (SVB) offers Trusteer’s Rapport (link, 2 Feb. 2010)

Notes:
1. While 73% shared banking passwords with other sites, less than half the total, 47%, shared BOTH username and password. Two other data points:
– 65% of user-selected banking usernames were used elsewhere
– 42% of bank-selected banking usernames were used elsewhere
2. Trusteer’s data was compiled over 12 months using its plugin software running on more than 4 million computers (see previous post).
3. There’s still the issue of the easy-to-read account number on check images; it would be nice to mask it, but that’s probably not worth the expense.
4. For more info on Trusteer and other security topics, see our previous reports, such as Online Banking Report: New Security Techniques (Sep. 2008)

Zions Bank also offers Trusteer Rapport

In yesterday’s post, I missed an important client of Trusteer’s anti-malware software. Zions Bank, a leader in showcasing its online security efforts (see 2006 post on multi-factor authentication), is the only Trusteer client to feature the program on its homepage (see below).

Zions Bank home page (10 June 2009)

Zions Bank security page (link)

Zions Bank Rapport page (link)

PSECU offers free Trusteer anti-malware browser plug-in

Pennsylvania State Employees Credit Union is the latest big-name client for Trusteer’s anti-malware Rapport browser plug-in. The CU’s 350,000 members, or anyone else for that matter, can now download the free program via a link on the PSECU security page.

Current clients of Trusteer:

For more information and analysis, see previous posts on Trusteer and our Online Banking Report on New Security Techniques.

Trusteer homepage showcases ING Direct and PSECU (8 June 2009)

PSECU “security software” page (link, 8 June 2009)

Trusteer’s Rapport Security Solution Now Available at UK’s RBS and NatWest

Last May, Trusteer launched an optional added security measure for customers of ING Direct in the United States (note 1, see previous post). Although it’s not perfect, users of the Rapport service are less vulnerable to viruses and malware running on their PCs. We gave the new service an OBR Best of the Web award last fall in our Online Banking Report on Security Innovations.

Although ING Direct is a great reference account, being endorsed by Royal Bank of Scotland really puts Trusteer on the map. The security solution is offered for download at both Royal Bank’s RBS and NatWest sites (see screenshots below). Anyone visiting the banking sites can download the software; you don’t have to be an RBS/NatWest customer.

Trusteer also lists Huntington Bank as a customer but there is no mention of Rapport on the bank site yet. Other providers include Authentium’s SafeCentral (note 2) and Check Point’s ZoneAlarm (note 3). 

Bottom line: Security is an issue for many bank customers, now more so than ever. Extra security options deserve consideration to improve customer satisfaction/trust and help reduce fraud losses. 

Rapport download page at NatWest (link, 23 March 2009)

Rapport download page at RBS (link, 23 March 2009)

Notes:
1. Later ING Direct Canada and ING Direct’s Sharebuilder added Rapport support.
2. Authentium demo’d SafeCentral at FinovateStartup 2008 (video here). A new version of SafeCentral is in the works. 
3. Check Point demo’d ZoneAlarm at Finovate 2008 (video here).

Online Banking Report Looks at New Security Technologies that Promise More Peace of Mind

With bad news pouring down from all corners of the financial services world, it’s a difficult time to be a bank marketer no matter what condition your financial institution is in (see note 1).

But besides sending reassuring emails to your customers, highlighting your strong balance sheet on your website (see inset), and for the few with blogs, dropping the occasional rosy post into the RSS or Twitter feed (note 2), what’s a banker to do?

When fear is rampant, little things can make a difference. Your customers have long been nervous about banking online. Most aren’t afraid enough not to use it, but lingering doubt remains.

Now might be a great time to follow the lead of ING Direct, Firstrade, and Muriel Siebert and introduce a software solution that provides extra security for online banking. While it won’t make a Fannie Mae shareholder any happier, it’s reassuring in these times that at least there are no crooks stealing your username and password.

Online Banking Report publishes Security 4.0 (note 3)
In the latest Online Banking Report, we look at several promising software solutions that allow even malware-infested users to connect safely to their bank. Both solutions earned OBR Best of the Web designations (note 4): 

  • Rapport from Trusteer, now being distributed by ING Direct in the United States and Canada (previous post here)
  • SafeCentral from Authentium, being distributed by Firstrade and in testing at several major banks (Finovate Startup demo video here)

We also take a closer look at Bank of America’s SafePass (previous post here), which is an easy way for customers to add an extra security layer to their login, although it won’t prevent certain malware from hijacking the session. See the inset for the complete Table of Contents.

Online Banking Report subscribers may download it now here. Others may download abstract here, or purchase here. Cost is US$495. 

Notes:
1. But be thankful if your financial institution is not in the headlines right now. I’m in the hometown of WaMu and the headlines this morning were not pretty.
2. Blog post from Verity CU on 16 Sept.; Twitter update from First Federal today   
3. Our fourth full Online Banking Report on security/privacy; previous reports were #119, #93/94, and #48
4. OBR Best of the Web awards are given periodically to pioneering online banking features. It is not an endorsement of the company or product, just recognition for what we believe is an important development. Trusteer and Authentium were the 71st and 72nd recipients of the designation since we began awarding them in 1997.

ING Direct to Offer Desktop Security Plug-in from Trusteer

While everyone wants better online banking security, the business case for most solutions is elusive. Even the simple step of adding a password in front of sensitive transactions can cost millions in customer service, enrollment procedures, employee training, and other soft costs.

So financial institutions, especially in the U.S., have taken a pragmatic approach to security, adding behind-the-scenes monitoring and making it difficult to transfer large amounts of cash out of the bank, rather than incur the expense of more robust login security. Banks have been especially reluctant to get involved in the security of the customer’s desktop due to the potential tech support costs and liability issues.

That’s what makes ING Direct’s new solution especially novel. The large U.S. direct bank, which has pioneered several security procedures, including multi-factor login and PINpad data entry, will offer a downloadable 400k plugin that creates a “secure tunnel” from the user’s computer to the bank (more analysis from Gartner’s Avivah Litan here). 

According to the software provider, Israel-based Trusteer, even if the user’s computer is infected with malware, the company’s Rapport software defeats all attempts to view, capture, or take over the transaction. It also encrypts keyboard entry without impacting the speed of the interaction with the bank. If it works as billed, it could be a boon for online banking security. 

The optional plug-in is expected to be made available to the direct bank’s 14 million customers worldwide, including 6.5 million in the U.S. The software is already in use by U.S. brokerage Muriel Siebert & Co. which mentions it in the What’s New section of its homepage (see screenshot below; read more here).

Cost
The software is now available here. It is free-of-charge to communicate with ING Direct and three other websites. Users will likely have the option to purchase a premium version that communicates with a larger number of websites. 

This so-called freemium business model should help minimize the cost of the software to the financial institution. But the bigger cost issue for the bank is the customer service expense. ING Direct, which has famously kept customer-service costs down by focusing on serving only profitable customers, likely will offload as much of the tech-support burden as possible to Trusteer. But there’s no such thing as zero impact. So it will be interesting to see if they can make the ROI work across 6.5 million customers, many of whom haven’t a clue about safe computing basics.

A competing system, Safe Central from Authentium, was showcased at our Finovate Startup conference in April. The full-length demo of the program will be available here within a few days.