IBM looks to secure Internet banking with USB stick

IBM's Zurich research laboratory has developed a USB stick that the company says can ensure safe banking transactions even if a PC is riddled with malware.

A prototype of the device, called ZTIC (Zone Trusted Information Channel), is on display for the first time at the Cebit trade show this week. IBM hopes to entice banks into buying it for online banking, which saves banks money on personnel costs but is constantly under siege by hackers.

When plugged into a computer, ZTIC is configured to open a secure SSL (Secure Sockets Layer) connection with a bank's servers, said Michael Baentsch, product manager for BlueZ Business Computing at the Zurich lab.

ZTIC is also a smart-card reader and can accept a person's bank card for verification. Once a PIN (personal identification number) is verified, a transaction can be initiated through a Web browser.

Web browsers, however, are a point of weakness for online banking because of so-called man-in-the-middle attacks.

Hackers have created malicious software programs that can modify data as it is sent to a bank's Web server but then display the information the consumer intended in the browser. As a result, a person's bank account could be emptied. Man-in-the-middle attacks are also effective even if the bank's customer is using a one-time password generator.

The ZTIC, however, bypasses the browser and goes directly to the bank. It ensures that the data exchanged is accurate.

For example, say a bank customer wants to transfer money. The customer will input US$100 into a form in the browser. The bank's servers will then try to confirm the amount. During a man-in-the-middle attack, the attacker is capable of transferring $1,000 but can modify the confirmation message to still show $100.

Since it has a direct secure connection with the bank's servers, the ZTIC will show the amount that actually has been requested to be sent. So even if the browser shows a confirmation for $100, the ZTIC will show $1,000, indicating a man-in-the-middle attack in progress, Baentsch said. The user would know to reject the transaction and press the red "x" button on the ZTIC.

"If malware is attacking your online banking transaction, it will show you something strange has happened," Baentsch said.
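The $100 versus $1,000 scenario above can be modelled in a few lines. This is an added example, not IBM's code: a key shared only by the bank and the device stands in for the SSL session that terminates inside the ZTIC, and all function names and the account identifier are hypothetical.

```python
import hashlib
import hmac
import json
import secrets

# Assumption: stand-in for the SSL session ending inside the device.
# The key is known to the bank and the device, never to the PC.
CHANNEL_KEY = secrets.token_bytes(32)

def bank_confirmation(order, key=CHANNEL_KEY):
    """Bank side: describe the order actually received and authenticate it."""
    body = json.dumps(order, sort_keys=True).encode()
    return {"body": body, "tag": hmac.new(key, body, hashlib.sha256).hexdigest()}

def device_display(confirmation, key=CHANNEL_KEY):
    """Device side: verify the bank's message before showing it; None if forged."""
    expected = hmac.new(key, confirmation["body"], hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, confirmation["tag"]):
        return None
    return json.loads(confirmation["body"])

def honest_browser(intended):
    """Returns (order sent to the bank, order shown on the web page)."""
    return dict(intended), dict(intended)

def compromised_browser(intended):
    """Constructed model of the article's scenario: the bank receives 1000
    while the page keeps showing the amount the user typed."""
    return dict(intended, amount=1000), dict(intended)

def user_decision(intended, on_device):
    """Approve only when the device shows exactly what the user meant."""
    return "approve" if on_device == intended else "reject"

def run_transfer(intended, browser):
    sent, shown = browser(intended)
    # The PC only relays this message; without the key it cannot re-tag a
    # rewritten confirmation.
    on_device = device_display(bank_confirmation(sent))
    return shown, on_device, user_decision(intended, on_device)

if __name__ == "__main__":
    # Constructed sample order.
    order = {"payee": "ACCT-CONSTRUCTED-001", "amount": 100, "currency": "USD"}
    for name, browser in (("honest", honest_browser),
                          ("compromised", compromised_browser)):
        shown, on_device, decision = run_transfer(order, browser)
        print(name, "browser:", shown["amount"],
              "device:", on_device["amount"], "->", decision)
```

The browser's view and the device's view diverge only in the compromised run, which is the signal the user acts on with the red "x" button.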

IBM expended a lot of effort to figure out how to initiate an SSL session within a USB stick, Baentsch said. It takes some processing muscle, and since the USB stick runs independently of the PC, it does not have access to the computer's processor.

ZTIC uses a chip from microprocessor designer ARM, and the software has been designed so it can quickly establish an SSL session, Baentsch said. Although it is a memory stick, no data can be stored on it, which also prevents malicious software from infecting it.

Using ZTIC would also prevent phishing attacks, where a fraudulent Web site tries to elicit sensitive details from a user, and pharming attacks, where DNS (Domain Name System) settings have been tampered with, Baentsch said. ZTIC checks to ensure that the Web site has a valid security certificate.

IBM has internal figures on how much the ZTIC might cost for banks, but Baentsch wouldn't reveal them, saying that it would depend on the final design specifications of the ZTIC and other factors.

Jeremy Kirk

IDG News Service