IBM looks to secure Internet banking with USB stick

IBM's Zurich research laboratory has developed a USB stick that the company says can ensure safe banking transactions even if a PC is riddled with malware.

A prototype of the device, called ZTIC (Zone Trusted Information Channel), is on display for the first time at the Cebit trade show this week. IBM hopes to entice banks into buying it for online banking, which saves banks money on personnel costs but is constantly under siege by hackers.

When plugged into a computer, ZTIC is configured to open a secure SSL (Secure Sockets Layer) connection with a bank's servers, said Michael Baentsch, product manager for BlueZ Business Computing at the Zurich lab.

ZTIC is also a smart-card reader and can accept a person's bank card for verification. Once a PIN (personal identification number) is verified, a transaction can be initiated through a Web browser.

Web browsers, however, are a point of weakness for online banking because of so-called man-in-the-middle attacks.

Hackers have created malicious software programs that can modify data as it is sent to a bank's Web server but then display the information the consumer intended in the browser. As a result, a person's bank account could be emptied. Man-in-the-middle attacks are also effective even if the bank's customer is using a one-time password generator.

The ZTIC, however, bypasses the browser and goes directly to the bank. It ensures that the data exchanged is accurate.

For example, say a bank customer wants to transfer money. The customer will input US$100 into a form in the browser. The bank's servers will then try to confirm the amount. During a man-in-the-middle attack, the attacker is capable of transferring $1,000 but can modify the confirmation message to still show $100.

Since it has a direct secure connection with the bank's servers, the ZTIC will show the amount that actually has been requested to be sent. So even if the browser shows a confirmation for $100, the ZTIC will show $1,000, indicating a man-in-the-middle attack in progress, Baentsch said. The user would know to reject the transaction and press the red "x" button on the ZTIC.
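The comparison described above, as an added sketch that is not IBM's code: a shared HMAC key stands in for the ZTIC's SSL session with the bank, and the function names, the payee and the key handling are assumptions made for illustration.

```python
import hashlib
import hmac
import json
import secrets

# Assumption: a shared key stands in for the device-to-bank SSL session.
CHANNEL_KEY = secrets.token_bytes(32)

def seal(payload: dict, key: bytes = CHANNEL_KEY) -> bytes:
    """Bank side: authenticate the transaction details it actually received."""
    body = json.dumps(payload, sort_keys=True).encode()
    tag = hmac.new(key, body, hashlib.sha256).hexdigest().encode()
    return tag + b"." + body

def open_sealed(blob: bytes, key: bytes = CHANNEL_KEY) -> dict:
    """Device side: refuse anything that was altered on the untrusted PC."""
    tag, _, body = blob.partition(b".")
    expected = hmac.new(key, body, hashlib.sha256).hexdigest().encode()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("confirmation failed authentication")
    return json.loads(body)

def run_transfer(intent: dict, pc_infected: bool) -> dict:
    """Follow one transfer through the browser, the bank and the device."""
    # What leaves the PC: an infected browser changes the amount in transit.
    sent = dict(intent, amount=1000) if pc_infected else dict(intent)
    # The bank confirms what it received, once per channel.
    browser_page = dict(sent)
    device_blob = seal(sent)
    # Malware rewrites the browser page so it matches what the user typed.
    if pc_infected:
        browser_page["amount"] = intent["amount"]
    device_view = open_sealed(device_blob)
    # The user compares the device display with what they meant to send.
    approved = device_view == intent
    return {"browser_shows": browser_page["amount"],
            "device_shows": device_view["amount"],
            "decision": "approve" if approved else "reject"}

if __name__ == "__main__":
    intent = {"payee": "CONSTRUCTED-PAYEE", "amount": 100}  # constructed sample
    print(run_transfer(intent, pc_infected=False))
    print(run_transfer(intent, pc_infected=True))
```

On the infected run the browser still shows 100 while the device shows 1000 and the decision is to reject; altering the sealed message on the PC makes `open_sealed` raise instead of displaying it.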

"If malware is attacking your online banking transaction, it will show you something strange has happened," Baentsch said.

IBM expended a lot of effort to figure out how to initiate an SSL session within a USB stick, Baentsch said. It takes some processing muscle, and since the USB stick runs independently of the PC, it does not have access to the computer's processor.

ZTIC uses a chip from microprocessor designer ARM, and the software has been designed so it can quickly establish an SSL session, Baentsch said. Although it is a memory stick, no data can be stored on it, which also prevents malicious software from infecting it.

Using ZTIC would also prevent phishing attacks, where a fraudulent Web site tries to elicit sensitive details from a user, and pharming attacks, where DNS (Domain Name System) settings have been tampered with, Baentsch said. ZTIC checks to ensure that the Web site has a valid security certificate.

IBM has internal figures on how much the ZTIC might cost for banks, but Baentsch wouldn't reveal them, saying that it would depend on the final design specifications of the ZTIC and other factors.

Jeremy Kirk

IDG News Service