Security on a stick is the tongue-in-cheek name given to a new device IBM has on display at the CeBIT trade show this week. The device, called ZTIC (Zone Trusted Information Channel), is a USB-stick-sized unit that combines a smartcard reader and a small display, with the aim of curbing online banking fraud.
IBM shows off USB key designed to secure Internet Banking (IMG: IBM Zurich Research Lab)
ZTIC was developed by a team of researchers at IBM's Zurich Research Lab. It adds an extra layer of security that IBM hopes will entice banks into buying it for their customers: protection against the man-in-the-middle attacks on banking customers exemplified by the "Silent Banker" Trojan.
IBM describes ZTIC as a USB-attached device with a display and minimal I/O that runs the full TLS/SSL protocol itself, so none of the security functionality depends on software running on the PC. It enumerates as a USB mass-storage device, so no driver has to be installed. According to IBM, this lets a customer use it anywhere, even behind a rogue wireless access point or on a PC riddled with malware.
Once plugged in, the ZTIC acts as a "pass-through" proxy that connects only to pre-configured banking websites. From then on, all traffic between the browser and the bank's server passes through the ZTIC, and the TLS session is protected by keys that are held only on the device, so neither malware on the PC nor a man-in-the-middle on the network can hijack or tamper with the encrypted session. Anything malware alters before the request reaches the device will show up on the device's display, which is where the user's check comes in.
“Various alternatives exist for protecting users against state-of-the-art attacks to online authentication, such as chip card technology or special browser software. The core difference between the ZTIC and these alternatives is that the ZTIC does not rely whatsoever on any software running on the PC, such as device drivers or user interface elements, as these can in principle be subverted, e.g., painted over, by attackers' Malware,” the Zurich Research Lab said in a 2008 press release.
Even if the PC is infected by malware that manipulates the information flow, the user can cancel the transaction when it is displayed on the ZTIC. What the user sees on the ZTIC display is identical to what the server "sees," no matter what malicious intervention occurs on the PC or anywhere on the Internet. "Owing to the direct secure connection between ZTIC and server, the device essentially provides a safe window to the server," Dr. Peter Buhler, Manager Computer Science at IBM's Zurich Research Lab, explained.
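The trust boundary described above (untrusted PC, trusted device with its own display, bank server) is worth seeing in code. The following is an added example written for this article, not IBM's code: the TLS session is stood in for by an HMAC keyed with a secret that only the device and the server hold, the proxy forwards only after the user confirms the transaction fields on the device display, and the three scenarios (honest transfer, browser malware swapping the payee, network man-in-the-middle altering bytes in flight) are constructed inputs. Names such as `SESSION_KEY`, `ztic_forward` and `simulate` are this example's, not the product's.

```python
"""Toy model of the ZTIC trust boundary: untrusted PC -> trusted USB device
with its own display -> bank server.  Added example, not IBM's code.  The
device-terminated TLS session is stood in for by an HMAC under a key the PC
never sees; the point is where the user's confirmation happens."""
import hashlib
import hmac
import json
from typing import Callable, Optional, Tuple

# Constructed stand-in for the TLS session key held only on the device and server.
SESSION_KEY = b"session key known to the ZTIC and the bank server, never to the PC"


def seal(payload: dict) -> bytes:
    """Device side of the channel: authenticate the record with the device-held key."""
    body = json.dumps(payload, sort_keys=True).encode()
    tag = hmac.new(SESSION_KEY, body, hashlib.sha256).hexdigest().encode()
    return body + b"|" + tag


def server_receive(wire: bytes) -> Optional[dict]:
    """Bank server: accept only records whose tag verifies; None means rejected."""
    body, _, tag = wire.rpartition(b"|")
    expected = hmac.new(SESSION_KEY, body, hashlib.sha256).hexdigest().encode()
    if not hmac.compare_digest(tag, expected):
        return None  # altered in transit: the integrity check fails
    return json.loads(body)


def ztic_forward(request: dict, user_confirms: Callable[[dict], bool]) -> Optional[bytes]:
    """Device: show the transaction on its own display, send only if confirmed.
    The fields shown are exactly the fields the server will receive."""
    shown = {"to": request["to"], "amount": request["amount"]}
    if not user_confirms(shown):
        return None  # cancelled on the device; nothing reaches the server
    return seal(request)


def simulate(intended: dict,
             pc_malware: Optional[Callable[[dict], dict]] = None,
             network_mitm: Optional[Callable[[bytes], bytes]] = None
             ) -> Tuple[dict, Optional[dict]]:
    """Run one transfer PC -> ZTIC -> network -> server.
    Returns (what the ZTIC displayed, what the server accepted or None)."""
    request = dict(intended)
    if pc_malware:
        request = pc_malware(request)  # malware on the PC acts before the device sees it
    displayed: dict = {}

    def user(shown: dict) -> bool:
        displayed.update(shown)
        # The user compares the device display with what they meant to send.
        return shown == {"to": intended["to"], "amount": intended["amount"]}

    wire = ztic_forward(request, user)
    if wire is None:
        return displayed, None
    if network_mitm:
        wire = network_mitm(wire)  # attacker on the path between device and bank
    return displayed, server_receive(wire)


# Constructed scenario inputs.
INTENDED = {"to": "DE89 3704 0044 0532 0130 00", "amount": "250.00", "ref": "rent"}


def swap_payee(request: dict) -> dict:
    """Browser-resident malware rewriting the recipient account."""
    tampered = dict(request)
    tampered["to"] = "attacker IBAN"
    return tampered


def flip_byte(wire: bytes) -> bytes:
    """Network man-in-the-middle flipping one bit of the authenticated record."""
    return wire[:5] + bytes([wire[5] ^ 1]) + wire[6:]


if __name__ == "__main__":
    for label, kwargs in [("honest", {}),
                          ("browser malware", {"pc_malware": swap_payee}),
                          ("network MITM", {"network_mitm": flip_byte})]:
        shown, accepted = simulate(INTENDED, **kwargs)
        print(f"{label:16} display={shown}  server accepted={accepted}")
```

The two failure modes end differently, which is the design point: a payee swapped by browser malware is shown on the device, so the user cancels and the server never receives a record; bytes altered on the network fail the integrity check at the server. Neither attack needs the PC's display to be trustworthy.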
The device is still a prototype, so there are no large real-world deployments from which to judge performance, only trials with a few banks, which IBM says went well.
Aside from man-in-the-middle attacks, IBM says that because the ZTIC connects only to pre-configured bank servers and authenticates them on the device, it would also defeat phishing, DNS hijacking, and other attacks that redirect or alter the browser.
The video below, dated October 2008, explains the system with a little more detail.