IBM is testing a new USB device that, according to the company, could stop keyloggers and malicious software from gaining access to banking passwords and sensitive account information.
Once plugged into a USB port, the Zone Trusted Information Channel (ZTIC) is registered as a USB mass storage device. The user starts the ZTIC proxy, which requires no additional software or drivers on the computer, and then opens a Web browser to conduct secure banking transactions. The device's ability to bypass a person's PC stops malicious programs from picking up keystrokes to harvest passwords and other sensitive data, said Gunter Ollmann, chief security strategist at IBM's Internet Security Systems division.
"In the traditional sense, all current security devices are built into the clients, relying on the human interface," Ollmann said. "The goal here is to make the transaction more secure and less complex."
Security researchers and vendors have warned that attackers are getting more sophisticated, hiding malicious software on PCs that does more than just identify and steal account passwords, Ollmann said. Some malware is programmed to conduct extra file transfers when a victim is in their bank account. The software adjusts balances and refreshes pages so the victim is unaware that a malicious transfer has taken place.
IBM's USB stick, which was developed in the company's Zurich research lab, is the first of its kind. Some banks in Europe have deployed external validation technologies such as smart cards and other tokens for high-value accounts, but so far the trend has not caught on. The technology has been too expensive and too complicated for consumers, Ollmann said. He said IBM's new USB device has recently been manufactured and is in the pilot phase, available only for banks to set up trials with their customers.
"With more complex validation systems a lot of work had to be done by the end user, so we were weary of this as well and we simplified the technology," he said. "In recent years the technology has matured and the price point is dropping considerably."
The ZTIC supports all operating systems and can be configured to use multiple banks. The SSL session is protected by keys maintained only on the ZTIC, Ollmann said.
The device also has an optional smart card reader. It supports both the SSL and Transport Layer Security (TLS) protocols to secure data flow between applications and bank servers. The software also supports common chip-card-based challenge/response protocols, Ollmann said.