New IBM USB Device Secures Online Banking Transactions

IBM has just unveiled a new USB device aimed at securing online banking transactions from any PC running any software. The Zone Trusted Information Channel (ZTIC) was developed at the IBM research laboratory in Zurich, Switzerland and the first pilot devices have been manufactured for trials.

The ZTIC device tackles the problem of man-in-the-middle attacks or malware applications running on a PC used for online banking activities. “In the presence of an ever more professionally operating e-crime scene, it became obvious that PC-software based authentication solutions were potentially vulnerable and that we needed to innovate to stay ahead. That was the starting point for developing the ZTIC,” explained Dr. Peter Buhler, Manager Computer Science at the IBM Research Lab in Zurich.

ZTIC resembles a USB stick, but has an additional display and uses the TLS/SSL protocol for data transmission. Once connected to a computer running any of the major operating systems, ZTIC is detected as a mass storage device and does not require any special driver. Then, it sets up a proxy already configured to connect with a banking server.

All the transactions the user will make in the browser will pass through the proxy, thus ensuring that proper encryption is being used. Since the encryption keys are located on the ZTIC device, they are protected from being sniffed by malware or intercepted by attackers. But just in case a Trojan is able to intercept and modify transactions, by changing for example destination bank account details, the device uses its display for a manual user confirmation.

The display basically shows exactly the same information the banking server would receive so the user can check if all the details are intact before confirming the transaction by pressing the OK button on the device. “Owing to the direct secure connection between ZTIC and server, the device essentially provides a safe window to the server,” notes Dr. Buhler. In addition, the device features an optional smartcard reader, thus a smartcard can be used to improve security even more.