Banking security on a USB stick

IBM was set to unveil on Wednesday a prototype USB device designed to protect people doing online banking from having their data stolen or compromised.

The device, which looks like a memory stick with an integrated display, creates a secure channel to a bank's online transaction server. The connection bypasses the user's PC, which could be infected with viruses and other malware that make sending financial information over the Internet unsafe.

The user can log on and validate transactions using the device's display and a smart card can be inserted into the device, providing an added layer of security to protect transmissions from man-in-the-middle interceptions, IBM said.

The device, called a Zone Trusted Information Channel, runs the Transport Layer Security/Secure Sockets Layer (TLS/SSL) protocol and includes a TLS engine and a networking proxy for running on a PC.

Developed at IBM's Zurich Research Lab, pilot devices are ready for bank trials. They do not require changes in the bank server software or the client software and they run on all major client operating systems.

IBM Research's Zone Trusted Information Channel is a USB that makes online banking safer.

(Credit: IBM Research)

[JasonTechy]

IBM is a little behind the times Nortel just released theirs last month and Network Intercept released theirs a few months before that!

[amckenz]

Do the banks charge for these devices?

[rdnetto]

Doesn't requiring it to go through the PC make the whole concept of a secure device redundant?

[SJ2571]

That's what I was thinking. If it's connected to a PC, and that PC has a keylogger running... say no more?

[timber2005]

From my understanding... "The device, called a Zone Trusted Information Channel, runs the Transport Layer Security/Secure Sockets Layer (TLS/SSL) protocol and includes a TLS engine and a networking proxy for running on a PC. " it sounds to me that its not key pressing that is done, but the device somehow securely (and very very very likely) send the encrypted data direct to teh server. No keypressing by the user, no information ented into the form automatically.

[witter22]

The same benefits can be derived for a much lower cost by using Phone based Out of Band Authentication like a service from Authentify.

[CutterJeff]

Well, say some more -
It's not using your keyboard. "user can log on and validate transactions using the device's display"
and " smart card can be inserted "
Reads to me like the display is set up with touch screen, like the point-of-sale debit card terminals. Press button, it uses pre-programmed URL to connect, gets account number off the smart card, then asks for your pin.... all without touching the PC's keyboard.
The device uses your PC as a network pass through, establishes an encrypted connection with the bank (encryption being done in the device, not your PC) and exchanges data. The PC cound do a man-in-the-middle, but since what it's passing is encrypted that's protected to a decent degree.

[Vegaman_Dan]

It sounds like a great idea, but token keys (and that's what these are) are easily lost/stolen. Then you are without access until you can get a new one and the old one cancelled. Adding multiple layers of difficulty just puts the user that many more steps away from doing anything useful. I think authentication is a great thing, but it shouldn't be on the customer's side or else they will go elsewhere.

At this point, I think I'd rather do something silly like walk into a bank branch in person. Remember those places with the toasters?

[Dalkorian]

Uh, the place with the toasters is called the kitchen. What does that have to do with banking?
;-)

[petermpham2003]

what bank it could be used for ? I thought all banks went out of business. This is a much bigger threat than the tiny virus.

[JohnRDaniel]

I'm of two mind on this I think more security is great especially if it involves a cool gadget. But onthe other hand do I really need another thing I can misplace.

As of now it isn't even available. so I'll wait to see if my bank even offers it.

[hackingbear]

Why all this complication? The bank should just need to send you an SMS on any attempt to login and make any withdraw online. The customer can then alert the bank immediately and stop before the money get cleared. Not sure why the banks don't do this in this country.

[Dalkorian]

Why does everyone assume that everyone else also has and adores cell phones?

[skswave]

It would seem that the world of bank security would be advanced farther and faster If the banks would begin leveraging the Trusted Platform Module that is in over 250 Million PCs and now also shipping as part of intels New chipsets. We as consumers have learned to bond our cars to our garage door our Portable phones to their base stations I am sure we can learn to bond our Laptops to our bank accounts and our email. The embedded security that is part of the PC is vendor Neutral, Very powerfull and will eventually be on every PC built. It is being deployed to secure corporate networks and data we need to demand that the banks support security that is and will be on everyone's PC.

Steven Sprague
Wave Systems Corp.