Some banks say you should use keystroke encryption with a program called Trusteer for online banking, they've just found a flaw in it that actually allows criminals to see your keystrokes! It takes less than a minute to hack, and in fact just puts a target on your back because they know that you use online banking if you run this program.

"At least seven million customers have installed the software, which promises to verify that a bank’s website is genuine and to block keyloggers and other malicious software that is used by criminals to steal users’ banking details.
NatWest, the Royal Bank of Scotland, HSBC, Santander, first direct, The Co-operative Bank and Nationwide all actively promote Trusteer to their customers and offer it for no charge. Some force users to click through a screen recommending that they download the software before they can log into their online banking account.
But Times Money has seen evidence that the software’s keylogger protections — designed to prevent fraudsters recording users’ login and credit card details — can be hacked by computer security specialists with “minimal effort” in less than a minute, and that the program signposts how to do this in the names it gives to various functions."

From the Times

Thought some of you might appreciate a heads up.

I use smile back (co-op) and they've been popping up a 'please install trusteer' page in between the front page and the login page for a few weeks. I'd already read this, have a poor opinion of bank online security efforts in general - seriously guys when you have to put a warning saying 'don't let anyone look over your shoulder when you do this bit' on part of your security mechanism, you've failed - and have no intention of letting my bank fiddle with my machine anyway, so I wasn't going anywhere near it.

The messages were becoming more and more insistent over time and I figured sooner or later they'd remove the 'skip' option on the popup page. So I changed the shortcut that pointed to the front page to the page that's the first stage of the secure login. Bingo, No more popups. So If I didn't think much of their abilities as web coders before, you can imagine what I think of them now.

Natwest have always recommended I download XYZ. The worst bit is you can't skip it like the poster above. You log in with your details and then before you can see your account, it takes you to a page where you have to select that you've read XYZ.

Lloyds just gets on with it! They screw you over for overdraft fees and international fees, but at least they do so efficiently and safely :p

Is this the Rapport software?
I seem to recall there being a thing in the news about it last year.

*googling*

I am with Lloyds and they use Clicksafe. Periodically I get a request to enter my Clicksafe password. I have a randomly generated password so feel reasonably secure though maybe I should look at changing it as it is only 16 digits long. As you say I think that my system is probably more secure than the banks. I change passwords regularly and my browser is set to never store user names or passwords. My concern with such a system is that if it has been hacked you have absolutely no way of proving that you did not spend it yourself. It is similar to the problem with PIN's and debit and credit cards

Exactly. It's got nothing to do with saving your money, it's got everything to do with saving the bank's money.

Reminds me very much of this.

I completely agree with that. I cannot remember any apart from my master password and that is never written down. Though having amnesia means that I have to come up with a solution to passwords. The fact that there are good commercial applications that solve that for me is a plus. Though opted for ones that are not hard to confuse with similar symbols. So "TqDnpLQkJJsCe8ieJQyRuHgusbZf3R" might be a typical password.

The banks need to up the security for customers. Password managers are the best solution but many websites make it very hard to change the password. On one site I have used there is no option for changing passwords or the option for password length are way too short.

http://blog.rlr-uk.com/2009/05/trusteer-or-no-trust-ere.html

It's also been mentioned here before:
http://www.x404.co.uk/forum/viewtopic.php?f=3&t=6748

Also, slightly tangentially, there's this - http://krebsonsecurity.com/2011/07/zeus-trojan-for-google-android-spotted/.

I don't install anything on my PC because a large multinational corporation tells me to. I would suggest that as a fairly sensible strategy for everybody...

All the Windows machines in the household have Norton Internet Security installed, I imagine that's a lot more helpful than the Trusteer plugin. Still, I imagine Trusteer Rapport can be useful if it's just one part of your security arsenal, rather than the only part.

Totally I prefer to get advice from people on here and elsewhere on such measures. Much safer, and the advice is much better.

I'm a little surprised at that from you Linux. I think you'll find that if you lock down your browser with noscript etc and don't allow idiots to use your PC, "internet security" suites are irrelevant.

I take it you don't use anything on Linux?

I don't use an antivirus at all, I find my PC is much quicker at doing work* without one.


*playing Starcraft 2