IBM Develops ZTIC A USB Stick To Secure Online Banking

IBM has developed the ZTIC (Zone Trusted Information Channel), essentially a USB stick, designed to secure online banking by establishing a fully authenticated TLS/SSL connection directly to the bank's site. The connection bypasses the PC's software and keyboard entirely, so key loggers and other malware on the PC never see the session.

The ZTIC achieves this by registering itself as a USB Mass Storage Device (thus requiring no driver installation) and starting a "pass-through" proxy configured to connect with pre-configured (banking) Websites. After starting the ZTIC proxy, the user opens a Web browser to establish a connection with the bank's Website via the ZTIC. From that moment on, all data transmitted between browser and server pass through the ZTIC; the SSL session is protected by keys maintained only on the ZTIC and, hence, is inaccessible to malware on the PC.

In addition, all critical transaction information, such as target account numbers, is automatically detected in the data stream between browser and ZTIC. This critical information is then displayed on the ZTIC's own display for explicit user confirmation: only after the user presses the "OK" button does the TLS/SSL connection continue. If malware on the PC has inserted incorrect transaction data into the browser, the user can easily detect it at this point, because the device shows what will actually be sent rather than what the browser shows.
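The confirmation gate described above, modelled as an added Python example (this is not IBM's ZTIC firmware); the critical form field names, the sample HTTP request and the user model are assumptions made for the illustration:

```python
from urllib.parse import parse_qs

# Field names the device treats as critical (assumed here; the real ZTIC is
# pre-configured per bank site).
CRITICAL_FIELDS = ("target_account", "amount")

def extract_critical(http_request: bytes) -> dict:
    """Parse a plaintext HTTP request as seen on the browser side of the
    proxy (before TLS encryption) and return the critical form fields."""
    _head, _sep, body = http_request.partition(b"\r\n\r\n")
    params = parse_qs(body.decode("utf-8", errors="replace"))
    return {name: params[name][0] for name in CRITICAL_FIELDS if name in params}

def make_user(intended: dict):
    """Model the user reading the device's own display and pressing OK only
    when every displayed value matches what they actually intended."""
    def confirm(shown: dict) -> bool:
        return shown == intended
    return confirm

def ztic_gate(http_request: bytes, confirm) -> tuple:
    """Decide whether the proxy forwards the request to the bank.

    Returns (forward, shown): forward is True when no critical data was
    present or the user pressed OK; shown is what the device displayed
    (None when nothing needed confirmation)."""
    shown = extract_critical(http_request)
    if not shown:
        return True, None          # plain page navigation: pass through
    if confirm(shown):
        return True, shown         # user pressed OK: TLS session continues
    return False, shown            # user rejected: request is not forwarded

# Constructed sample traffic (not real bank traffic).
INTENDED = {"target_account": "DE00-0000-1111", "amount": "100.00"}
REQ_GENUINE = (b"POST /transfer HTTP/1.1\r\nHost: bank.example\r\n"
               b"Content-Type: application/x-www-form-urlencoded\r\n\r\n"
               b"target_account=DE00-0000-1111&amount=100.00")
# The same request after malware on the PC rewrote the account number inside
# the browser; the device display reveals the substitution.
REQ_TAMPERED = REQ_GENUINE.replace(b"DE00-0000-1111", b"DE99-9999-2222")

if __name__ == "__main__":
    user = make_user(INTENDED)
    print(ztic_gate(REQ_GENUINE, user))
    print(ztic_gate(REQ_TAMPERED, user))
```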

Various alternatives exist for protecting users against state-of-the-art attacks on online authentication, such as chip card technology or special browser software. The core difference between the ZTIC and these alternatives is that the ZTIC does not rely in any way on software running on the PC, such as device drivers or user interface elements, since these can in principle be subverted, e.g., painted over, by an attacker's malware. Another feasible solution to this problem is to use the user's mobile phone and SMS as a channel to convey transaction confirmation details between server and user ("mTAN"). Until more mobile phone malware appears, such solutions are comparable to the ZTIC in the degree of security they provide. Hence, at this time, the only differences between ZTIC and mTAN solutions are economic (each mTAN incurs the cost of an SMS, whereas the ZTIC, once issued, incurs no further incremental cost per transaction), privacy-related (banking transaction information is sent over GSM networks) and potential convenience issues (the user has to manually copy mTANs from the phone into the browser).

IBM has provided an animation showing how the technology works and how to use it.