IBM this week rolled out a security device it says will protect online banking and keep cybercriminals from being able to make fraudulent funds transfer even from a compromised PC.
The IBM technology, called Zone Trusted Information Channel (ZTIC), is a USB device that uses X.509 certificate-based encryption to set up a trusted channel with bank servers that routinely handle funds transfers and payments requests to make sure these requests are real.
The password-protected ZTIC device is plugged into a PC to allow the banking customer to verify logins and authorise any transfer by pressing a "yes" or "no" button related to the payment details. Use of ZTIC doesn't replace Internet banking applications; it simply adds a strong security check at the critical moment when an online decision has to be made about whether or not to authorise an exchange of money.
"The user's PC is absolutely essential, it's where the Internet banking application runs," says Dr. Doug Dykeman, manager of the IBM research "Blue Z" team in Zurich, Switzerland, which came up with ZTIC. "We don't want to change that."
But what IBM does want to change is how criminals brazenly exploit PCs, often by means of sophisticated viruses and trojans, to add fake payment information to funds transfers so that money is transferred to cybercrime "money mules."
"The PC will never be perfectly secure," if only due to the openness of the PC's design, Dykeman says. So IBM's approach with ZTIC is to assume banking customers will keep using it, but that "it can't be completely trusted."
Instead, during the online banking process the user turns to the ZTIC device, which sets up the secure channel to the back-end server using certificate-based authentication and Transport Layer Security; the server can maintain a whitelist of the accounts already authorised to receive payments.
"Once you authorise with your ZTIC device, subsequent payments don't have to be verified," Dykeman says. ZTIC is basically "a security window between the user on the one end and the application running on the other end. The server will interact with ZTIC, and it says please confirm this account where the money is transferred to."
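To make the confirmation step concrete, here is an added Python simulation of the flow described above; it is not IBM's or UBS's code. The mutually authenticated TLS channel is abstracted to a constructed device key, and the Transfer, ztic_confirm, bank_handle and scenario names are assumptions made for the example.

```python
import hmac
import hashlib
from dataclasses import dataclass
from typing import Callable, Optional

# Constructed values. The real device's session key comes from the mutually
# authenticated TLS channel the article describes; a fixed key stands in for it.
DEVICE_KEY = b"ztic-session-key-constructed"
# Payees the customer already authorised once via the device (server whitelist).
WHITELIST = {"CH00 TRUSTED PAYEE"}

@dataclass(frozen=True)
class Transfer:
    payee: str
    amount_cents: int

    def encode(self) -> bytes:
        return f"{self.payee}|{self.amount_cents}".encode()

def ztic_confirm(shown: Transfer, user_says_yes: Callable[[Transfer], bool]) -> Optional[bytes]:
    """Device side: payee and amount appear on the device's own display, which
    malware on the PC cannot alter. Only a 'yes' press yields a MAC bound to
    exactly those details."""
    if not user_says_yes(shown):
        return None
    return hmac.new(DEVICE_KEY, shown.encode(), hashlib.sha256).digest()

def bank_handle(requested: Transfer, device: Callable[[Transfer], Optional[bytes]]) -> str:
    """Bank side: whitelisted payees need no prompt; anything else is relayed to
    the device and executed only if the confirmation matches the request."""
    if requested.payee in WHITELIST:
        return "executed"
    confirmation = device(requested)
    if confirmation is None:
        return "rejected: user declined on device"
    expected = hmac.new(DEVICE_KEY, requested.encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, confirmation):
        return "rejected: confirmation does not match request"
    return "executed"

def scenario(intended: Transfer, sent_by_pc: Transfer) -> str:
    """`intended` is what the customer typed; `sent_by_pc` is what the (possibly
    compromised) PC actually submitted. The customer presses 'yes' only when the
    device display matches what they meant to pay."""
    user = lambda shown: shown == intended
    return bank_handle(sent_by_pc, lambda shown: ztic_confirm(shown, user))
```

Because the confirmation is computed over the details the device displayed, a request the PC rewrote is declined by the customer, and a confirmation obtained for one transfer cannot be reused to execute another.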
Swiss banking giant UBS is the first bank to use the ZTIC technology and since March of this year has made the ZTIC device available to customers. But IBM is making ZTIC available globally and also anticipates there will be ways that ZTIC could be used in other applications besides online banking.