No online banking security regimen seems to be completely impervious to penetration by fraudsters, and business accounts and ACH transfers are the latest to suffer massive compromise. IBM's ZTIC (Zone Trusted Information Channel) hardware security device offers respite from the types of man-in-the-middle and man-in-the-browser attacks that are currently plaguing business banking accounts.
The ZTIC plugs into a computer's USB port, requiring no driver installation. When the user opens a Web browser to connect to online banking, ZTIC creates a pass-through proxy connection to the bank's pre-configured Website. From this point on, any data sent by the user to the bank passes through the ZTIC and is displayed on its small screen. Users are prompted to "OK" or "Cancel" transactions by pressing a button on the ZTIC. The SSL session is protected because the keys are maintained on the ZTIC, rendering any PC malware ineffective.
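The confirmation flow described above can be modelled in a few lines. This is an added illustration, not IBM's code: the function names, account numbers and form fields are hypothetical, and an HMAC under a key held only by the device and the bank stands in for the SSL session.

```python
import hashlib
import hmac
import secrets
from urllib.parse import parse_qs, urlencode

SESSION_KEY = secrets.token_bytes(32)  # constructed; known only to device and bank


def browser_submit(payee, amount, tamper=None):
    """PC side: build the form body. `tamper` models man-in-the-browser malware."""
    fields = {"payee": payee, "amount": amount}
    if tamper:
        fields = tamper(fields)
    return urlencode(fields).encode()


def device_forward(body, user_confirms):
    """Trusted device: display what will really be sent, forward only on OK."""
    fields = {k: v[0] for k, v in parse_qs(body.decode()).items()}
    display = f"Pay {fields['amount']} to {fields['payee']}?"
    if not user_confirms(display):
        return None  # user pressed Cancel; nothing reaches the bank
    tag = hmac.new(SESSION_KEY, body, hashlib.sha256).digest()  # stands in for SSL
    return body, tag


def bank_accept(body, tag):
    """Bank side: accept only traffic protected under the device-held key."""
    expected = hmac.new(SESSION_KEY, body, hashlib.sha256).digest()
    return hmac.compare_digest(expected, tag)


def run_transfer(intended_payee, amount, tamper=None):
    """Return 'accepted', 'cancelled' or 'rejected' for one attempted transfer."""
    def user(display):  # the user presses OK only if the screen matches their intent
        return display == f"Pay {amount} to {intended_payee}?"
    sent = device_forward(browser_submit(intended_payee, amount, tamper), user)
    if sent is None:
        return "cancelled"
    return "accepted" if bank_accept(*sent) else "rejected"


def redirect_payee(fields):
    """Constructed tampering: swap the payee before the request leaves the browser."""
    return {**fields, "payee": "ACCT-9999"}


if __name__ == "__main__":
    print(run_transfer("ACCT-1234", "250.00"))                  # accepted
    print(run_transfer("ACCT-1234", "250.00", redirect_payee))  # cancelled
```

A change made in the browser shows up on the device's screen, and a change made after the device fails the bank's integrity check because the PC never holds the key.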
"The only apparent drawbacks are the high cost per client of the device, and the fact that ZTIC does not prevent operating system attacks, like kernel or BIOS attacks," says Dominic van den Ende, whose research paper, "Online Banking: Attacks and Defenses," examined products and strategies to combat online banking fraud. ZTIC gets a bit of a break, since kernel and BIOS attacks are relatively hard to create, van den Ende says.
IBM unveiled a prototype of the invention about a year ago, and says its lead customer is nearing deployment. "My perception recently is that the interest is growing in a fairly strong way, there is more and more pressure," says Doug Dykeman, manager of the secure systems group at IBM's research lab in Zurich.
While the device does require banks to invest in purchase and distribution, there's a strong business case for them to consider deploying ZTIC. Businesses are losing billions of dollars each year to fraudsters, a trend that's getting worse according to most accounts. And there's also a growing number of lawsuits that could result in banks bearing some responsibility for these losses.