IBM looks to secure Internet banking with USB stick

IBM's Zurich research laboratory has developed a USB stick that the company says can ensure safe banking transactions even if a PC is riddled with malware.

IBM's Zurich research laboratory has developed a USB stick that the company says can ensure safe banking transactions even if a PC is riddled with malware.

A prototype of the device, called ZTIC (Zone Trusted Information Channel), is on display for the first time at the Cebit trade show this week. IBM hopes to entice banks into buying it for online banking, which saves banks money on personnel costs but is constantly under siege by hackers.

When plugged into a computer, ZTIC is configured to open a secure SSL (Secure Sockets Layer) connection with a bank's servers, said Michael Baentsch, product manager for BlueZ Business Computing at the Zurich lab.

ZTIC is also a smart-card reader and can accept a person's bank card for verification. Once a PIN (personal identification number) is verified, a transaction can be initiated through a Web browser.

Web browsers, however, are a point of weakness for online banking because of so-called man-in-the-middle attacks.

Hackers have created malicious software programs than can modify data as it is sent to a bank's Web server but then display the information the consumer intended in the browser. As a result, a person's bank account could be emptied. Man-in-the-middle attacks are also effective even if the bank's customer is using a one-time password generator.

The ZTIC, however, bypasses the browser and goes directly to the bank. It ensures that the data exchanged is accurate.

For example, say a bank customer wants to transfer money. The customer will input US$100 into a form in the browser. The bank's servers will then try to confirm the amount. During a man-in-the-middle attack, the attacker is capable of transferring $1,000 but can modify the confirmation message to still show $100.

Since it has a direct secure connection with the bank's servers, the ZTIC will show the amount that actually has been requested to be sent. So even if the browser shows a confirmation for $100, the ZTIC will show $1,000, indicating a man-in-the-middle attack in progress, Baentsch said. The user would know to reject the transaction and press the red "x" button on the ZTIC.

"If malware is attacking your online banking transaction, it will show you something strange has happened," Baentsch said.

IBM expended a lot of effort to figure how to initiate an SSL session within a USB stick, Baentsch said. It takes some processing muscle, and since the USB runs independent of the PC, it does not have access to the computer's processor.

ZTIC uses a chip from microprocessor designer ARM, and the software has been designed so it can quickly establish a SSL session, Baentsch said. Although it is a memory stick, no data can be stored on it, which also prevents malicious software from infecting it.

Using ZTIC would also prevent phishing attacks, where a fraudulent Web site tries to elicit sensitive details from a user, and pharming attacks, where DNS (Domain Name System) settings have been tampered with, Baentsch said. ZTIC checks to ensure that the Web site has a valid security certificate.

IBM has internal figures on how much the ZTIC might cost for banks, but Baentsch wouldn't reveal them, saying that it would depend on the final design specifications of the ZTIC and other factors.

Join the Good Gear Guide newsletter!

Error: Please check your email address.

Tags USBonline bankingIBM Research

Our Back to Business guide highlights the best products for you to boost your productivity at home, on the road, at the office, or in the classroom.

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Jeremy Kirk

IDG News Service
Show Comments

Essentials

Microsoft L5V-00027 Sculpt Ergonomic Keyboard Desktop

Learn more >

Lexar® JumpDrive® S57 USB 3.0 flash drive

Learn more >

Mobile

Lexar® JumpDrive® S45 USB 3.0 flash drive 

Learn more >

Exec

Lexar® JumpDrive® C20c USB Type-C flash drive 

Learn more >

HD Pan/Tilt Wi-Fi Camera with Night Vision NC450

Learn more >

Lexar® Professional 1800x microSDHC™/microSDXC™ UHS-II cards 

Learn more >

Audio-Technica ATH-ANC70 Noise Cancelling Headphones

Learn more >

Budget

Back To Business Guide

Click for more ›

Most Popular Reviews

Latest News Articles

Resources

PCW Evaluation Team

Michael Hargreaves

Windows 10 for Business / Dell XPS 13

I’d happily recommend this touchscreen laptop and Windows 10 as a great way to get serious work done at a desk or on the road.

Aysha Strobbe

Windows 10 / HP Spectre x360

Ultimately, I think the Windows 10 environment is excellent for me as it caters for so many different uses. The inclusion of the Xbox app is also great for when you need some downtime too!

Mark Escubio

Windows 10 / Lenovo Yoga 910

For me, the Xbox Play Anywhere is a great new feature as it allows you to play your current Xbox games with higher resolutions and better graphics without forking out extra cash for another copy. Although available titles are still scarce, but I’m sure it will grow in time.

Kathy Cassidy

STYLISTIC Q702

First impression on unpacking the Q702 test unit was the solid feel and clean, minimalist styling.

Anthony Grifoni

STYLISTIC Q572

For work use, Microsoft Word and Excel programs pre-installed on the device are adequate for preparing short documents.

Featured Content

Latest Jobs

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?