October 28, 2008 10:01 PM PDT

Banking security on a USB stick

by Elinor Mills

IBM was set to unveil on Wednesday a prototype USB device designed to protect people doing online banking from having their data stolen or compromised.

The device, which looks like a memory stick with an integrated display, creates a secure channel to a bank's online transaction server. The connection bypasses the user's PC, which could be infected with viruses and other malware that make sending financial information over the Internet unsafe.

The user can log on and validate transactions using the device's display, and a smart card can be inserted into the device, providing an added layer of security to protect transmissions from man-in-the-middle interceptions, IBM said.

The device, called a Zone Trusted Information Channel, runs the Transport Layer Security/Secure Sockets Layer (TLS/SSL) protocol and includes a TLS engine and a networking proxy for running on a PC.

Developed at IBM's Zurich Research Lab, pilot devices are ready for bank trials. They do not require changes in the bank server software or the client software and they run on all major client operating systems.

IBM Research's Zone Trusted Information Channel is a USB device that makes online banking safer.

(Credit: IBM Research)

Elinor Mills covers Internet security and privacy. She joined CNET News in 2005 after working as a foreign correspondent for Reuters in Portugal and writing for The Industry Standard, the IDG News Service, and the Associated Press.
by JasonTechy October 29, 2008 12:06 AM PDT
IBM is a little behind the times. Nortel just released theirs last month, and Network Intercept released theirs a few months before that!
by amckenz October 29, 2008 6:03 AM PDT
Do the banks charge for these devices?
by rdnetto October 29, 2008 12:44 AM PDT
Doesn't requiring it to go through the PC make the whole concept of a secure device redundant?
by SJ2571 October 29, 2008 5:31 AM PDT
That's what I was thinking. If it's connected to a PC, and that PC has a keylogger running... say no more?
by timber2005 October 29, 2008 7:58 PM PDT
From my understanding... "The device, called a Zone Trusted Information Channel, runs the Transport Layer Security/Secure Sockets Layer (TLS/SSL) protocol and includes a TLS engine and a networking proxy for running on a PC." It sounds to me that it's not key pressing that is done, but the device somehow securely (and very very very likely) sends the encrypted data direct to the server. No keypressing by the user, no information entered into the form automatically.
by witter22 October 29, 2008 5:17 AM PDT
The same benefits can be derived for a much lower cost by using Phone based Out of Band Authentication like a service from Authentify.
by CutterJeff October 29, 2008 6:56 AM PDT
Well, say some more -
It's not using your keyboard. "user can log on and validate transactions using the device's display"
and "smart card can be inserted"
Reads to me like the display is set up with touch screen, like the point-of-sale debit card terminals. Press button, it uses pre-programmed URL to connect, gets account number off the smart card, then asks for your pin.... all without touching the PC's keyboard.
The device uses your PC as a network pass through, establishes an encrypted connection with the bank (encryption being done in the device, not your PC) and exchanges data. The PC could do a man-in-the-middle, but since what it's passing is encrypted that's protected to a decent degree.
by Vegaman_Dan October 29, 2008 7:47 AM PDT
It sounds like a great idea, but token keys (and that's what these are) are easily lost/stolen. Then you are without access until you can get a new one and the old one cancelled. Adding multiple layers of difficulty just puts the user that many more steps away from doing anything useful. I think authentication is a great thing, but it shouldn't be on the customer's side or else they will go elsewhere.

At this point, I think I'd rather do something silly like walk into a bank branch in person. Remember those places with the toasters?
by Dalkorian October 29, 2008 3:13 PM PDT
Uh, the place with the toasters is called the kitchen. What does that have to do with banking?
;-)
by petermpham2003 October 29, 2008 11:28 AM PDT
What bank could it be used for? I thought all banks went out of business. This is a much bigger threat than the tiny virus.
by JohnRDaniel October 29, 2008 1:04 PM PDT
I'm of two minds on this. I think more security is great, especially if it involves a cool gadget. But on the other hand, do I really need another thing I can misplace?

As of now it isn't even available, so I'll wait to see if my bank even offers it.
by hackingbear October 29, 2008 1:52 PM PDT
Why all this complication? The bank should just need to send you an SMS on any attempt to log in and make any withdrawal online. The customer can then alert the bank immediately and stop it before the money gets cleared. Not sure why the banks don't do this in this country.
by Dalkorian October 29, 2008 3:15 PM PDT
Why does everyone assume that everyone else also has and adores cell phones?
by skswave October 30, 2008 7:26 AM PDT
It would seem that the world of bank security would be advanced farther and faster if the banks would begin leveraging the Trusted Platform Module that is in over 250 million PCs and now also shipping as part of Intel's new chipsets. We as consumers have learned to bond our cars to our garage doors and our portable phones to their base stations; I am sure we can learn to bond our laptops to our bank accounts and our email. The embedded security that is part of the PC is vendor neutral, very powerful, and will eventually be on every PC built. It is being deployed to secure corporate networks and data. We need to demand that the banks support security that is and will be on everyone's PC.

Steven Sprague
Wave Systems Corp.