IBM looks to secure Internet banking with USB stick

IBM's Zurich research laboratory has developed a USB stick that the company says can ensure safe banking transactions even if a PC is riddled with malware.

IBM's Zurich research laboratory has developed a USB stick that the company says can ensure safe banking transactions even if a PC is riddled with malware.

A prototype of the device, called ZTIC (Zone Trusted Information Channel), is on display for the first time at the Cebit trade show this week. IBM hopes to entice banks into buying it for online banking, which saves banks money on personnel costs but is constantly under siege by hackers.

When plugged into a computer, ZTIC is configured to open a secure SSL (Secure Sockets Layer) connection with a bank's servers, said Michael Baentsch, product manager for BlueZ Business Computing at the Zurich lab.

ZTIC is also a smart-card reader and can accept a person's bank card for verification. Once a PIN (personal identification number) is verified, a transaction can be initiated through a Web browser.

Web browsers, however, are a point of weakness for online banking because of so-called man-in-the-middle attacks.

Hackers have created malicious software programs than can modify data as it is sent to a bank's Web server but then display the information the consumer intended in the browser. As a result, a person's bank account could be emptied. Man-in-the-middle attacks are also effective even if the bank's customer is using a one-time password generator.

The ZTIC, however, bypasses the browser and goes directly to the bank. It ensures that the data exchanged is accurate.

For example, say a bank customer wants to transfer money. The customer will input US$100 into a form in the browser. The bank's servers will then try to confirm the amount. During a man-in-the-middle attack, the attacker is capable of transferring $1,000 but can modify the confirmation message to still show $100.

Since it has a direct secure connection with the bank's servers, the ZTIC will show the amount that actually has been requested to be sent. So even if the browser shows a confirmation for $100, the ZTIC will show $1,000, indicating a man-in-the-middle attack in progress, Baentsch said. The user would know to reject the transaction and press the red "x" button on the ZTIC.

"If malware is attacking your online banking transaction, it will show you something strange has happened," Baentsch said.

IBM expended a lot of effort to figure how to initiate an SSL session within a USB stick, Baentsch said. It takes some processing muscle, and since the USB runs independent of the PC, it does not have access to the computer's processor.

ZTIC uses a chip from microprocessor designer ARM, and the software has been designed so it can quickly establish a SSL session, Baentsch said. Although it is a memory stick, no data can be stored on it, which also prevents malicious software from infecting it.

Using ZTIC would also prevent phishing attacks, where a fraudulent Web site tries to elicit sensitive details from a user, and pharming attacks, where DNS (Domain Name System) settings have been tampered with, Baentsch said. ZTIC checks to ensure that the Web site has a valid security certificate.

IBM has internal figures on how much the ZTIC might cost for banks, but Baentsch wouldn't reveal them, saying that it would depend on the final design specifications of the ZTIC and other factors.

Join the newsletter!

Error: Please check your email address.
Rocket to Success - Your 10 Tips for Smarter ERP System Selection

Tags USBonline bankingIBM Research

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Jeremy Kirk

IDG News Service
Show Comments

Father’s Day Gift Guide

Most Popular Reviews

Latest Articles

Resources

PCW Evaluation Team

David Coyle

Brother PocketJet PJ-773 A4 Portable Thermal Printer

I rate the printer as a 5 out of 5 stars as it has been able to fit seamlessly into my busy and mobile lifestyle.

Kurt Hegetschweiler

Brother PocketJet PJ-773 A4 Portable Thermal Printer

It’s perfect for mobile workers. Just take it out — it’s small enough to sit anywhere — turn it on, load a sheet of paper, and start printing.

Matthew Stivala

HP OfficeJet 250 Mobile Printer

The HP OfficeJet 250 Mobile Printer is a great device that fits perfectly into my fast paced and mobile lifestyle. My first impression of the printer itself was how incredibly compact and sleek the device was.

Armand Abogado

HP OfficeJet 250 Mobile Printer

Wireless printing from my iPhone was also a handy feature, the whole experience was quick and seamless with no setup requirements - accessed through the default iOS printing menu options.

Azadeh Williams

HP OfficeJet Pro 8730

A smarter way to print for busy small business owners, combining speedy printing with scanning and copying, making it easier to produce high quality documents and images at a touch of a button.

Andrew Grant

HP OfficeJet Pro 8730

I've had a multifunction printer in the office going on 10 years now. It was a neat bit of kit back in the day -- print, copy, scan, fax -- when printing over WiFi felt a bit like magic. It’s seen better days though and an upgrade’s well overdue. This HP OfficeJet Pro 8730 looks like it ticks all the same boxes: print, copy, scan, and fax. (Really? Does anyone fax anything any more? I guess it's good to know the facility’s there, just in case.) Printing over WiFi is more-or- less standard these days.

Featured Content

Latest Jobs

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?