More and more attacks on online banking applications target the user's home PC, changing what is displayed to the user while logging and altering keystrokes. Therefore, third parties such as MELANI conclude that "Two-factor authentication systems [...] do not afford protection against such attacks and must be viewed as insecure once the computer of the customer has been infected with malware".
In a widely published real-world example of the Trojan "Silent banker", Symantec states that "The ability of this Trojan to perform man-in-the-middle attacks on valid transactions is what is most worrying. The Trojan can intercept transactions that require two-factor authentication. It can then silently change the user-entered destination bank account details to the attacker's account details instead."
In order to foil these threats, IBM has introduced the Zone Trusted Information Channel (ZTIC), a hardware device that counters these attacks in an easy-to-use way. The ZTIC is a USB-attached device containing a display and minimal I/O capabilities that runs the full TLS/SSL protocol itself, thus entirely bypassing the PC's software for all security functionality.

The ZTIC achieves this by registering itself as a USB Mass Storage Device (thus requiring no driver installation) and by starting a "pass-through" proxy that is configured to connect to pre-configured (banking) websites. After starting the ZTIC proxy, the user opens a Web browser and establishes the connection with the bank's website via the ZTIC. From that moment on, all data transmitted between browser and server pass through the ZTIC; the SSL session is protected by keys maintained only on the ZTIC and, hence, is inaccessible to malware on the PC (see the usage and technical-operation animations, which illustrate how the ZTIC works).

In addition, all critical transaction information, such as target account numbers, is automatically detected in the data stream between browser and ZTIC. This critical information is then displayed on the ZTIC for explicit user confirmation: only after the user presses the "OK" button does the TLS/SSL connection continue. If any malware on the PC has inserted incorrect transaction data into the browser, the user can easily detect it at this moment, because the device display shows what will actually be sent rather than what the (possibly subverted) browser shows.
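The confirmation step just described can be modelled in a few lines. The following Python is an added illustration written for this page; it is not IBM's code and does not reflect how the ZTIC firmware is implemented. It assumes a constructed banking site whose transfer form POSTs to `/transfer` with the fields `target_account` and `amount` (both names are made up for the example), and it models the browser-to-ZTIC leg as plaintext HTTP, which is what the proxy sees once TLS is terminated on the device. The "OK" button is represented by a callback that compares the device display against what the user actually typed, so a request whose destination account was rewritten on the PC is held back instead of forwarded.

```python
from dataclasses import dataclass, field
from urllib.parse import parse_qs

# Field names and transfer path are constructed for this example; a real
# deployment would be configured per banking site.
CRITICAL_FIELDS = {"target_account": "To account", "amount": "Amount"}
TRANSFER_PATH = b"/transfer"


@dataclass
class Decision:
    forwarded: bool                              # may the request continue to the server?
    shown: dict = field(default_factory=dict)    # what appeared on the device display


def extract_critical_fields(request: bytes) -> dict:
    """Pull the confirmation-relevant fields out of a plaintext HTTP request.

    Only form POSTs to the transfer path carry critical data; everything else
    (login, page loads) yields an empty dict and is passed through silently.
    """
    head, _, body = request.partition(b"\r\n\r\n")
    request_line = head.split(b"\r\n", 1)[0]
    parts = request_line.split(b" ")
    if len(parts) != 3:
        return {}
    method, path, _version = parts
    if method != b"POST" or path.split(b"?", 1)[0] != TRANSFER_PATH:
        return {}
    params = parse_qs(body.decode("utf-8", errors="replace"), keep_blank_values=True)
    return {name: params[name][0] for name in CRITICAL_FIELDS if name in params}


def render_display(values: dict) -> str:
    """Text the device would show on its small display, one line per field."""
    return "\n".join(f"{label}: {values[name]}"
                     for name, label in CRITICAL_FIELDS.items() if name in values)


def ztic_gate(request: bytes, press_ok) -> Decision:
    """Hold the request until the user has seen the critical data and pressed OK.

    `press_ok` stands in for the physical button: it receives the display text
    and returns True only if the user accepts it.
    """
    shown = extract_critical_fields(request)
    if not shown:
        return Decision(forwarded=True)          # nothing to confirm
    return Decision(forwarded=bool(press_ok(render_display(shown))), shown=shown)


def user_who_typed(intended: dict):
    """The user's side: accept only if the display matches what was typed."""
    expected = render_display(intended)
    return lambda display: display == expected


def http_post(path: bytes, body: str) -> bytes:
    # Minimal plaintext request, as the browser hands it to the proxy.
    data = body.encode()
    return (b"POST " + path + b" HTTP/1.1\r\nHost: bank.example\r\n"
            b"Content-Type: application/x-www-form-urlencoded\r\n"
            b"Content-Length: " + str(len(data)).encode() + b"\r\n\r\n" + data)


# Constructed sample traffic.
INTENDED = {"target_account": "CH00-1234-5678", "amount": "250.00"}
HONEST_REQUEST = http_post(TRANSFER_PATH,
                           "target_account=CH00-1234-5678&amount=250.00&memo=rent")
# Same transfer after malware on the PC rewrote the destination inside the browser.
TAMPERED_REQUEST = http_post(TRANSFER_PATH,
                             "target_account=CH99-0000-0000&amount=250.00&memo=rent")
LOGIN_REQUEST = http_post(b"/login", "user=alice&password=hunter2")


def run_demo() -> dict:
    ok = user_who_typed(INTENDED)
    return {
        "honest": ztic_gate(HONEST_REQUEST, ok),
        "tampered": ztic_gate(TAMPERED_REQUEST, ok),
        "login": ztic_gate(LOGIN_REQUEST, ok),
    }


if __name__ == "__main__":
    for name, decision in run_demo().items():
        print(f"{name}: forwarded={decision.forwarded} display={decision.shown}")
```

The point the model makes explicit is where the trust boundary sits: the comparison happens between the device display and the user's intent, and nothing running on the PC participates in it. Malware that repaints the browser can make the honest and tampered transfers look identical on screen, but the bytes leaving the PC are what the device parses and shows.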
Comparison
Various alternatives exist for protecting users against state-of-the-art attacks on online authentication, such as chip card technology or special browser software. The core difference between the ZTIC and these alternatives is that the ZTIC does not rely in any way on software running on the PC, such as device drivers or user interface elements, as these can in principle be subverted, e.g., painted over, by attackers' malware. Another feasible solution to this problem is to use the user's mobile phone/SMS as a channel to convey transaction confirmation details between server and user ("mTAN"). Until more mobile phone malware appears, such solutions are comparable to the ZTIC with regard to the degree of security they provide. Hence, at this time, the only differences between ZTIC and mTAN solutions are economic (each mTAN incurs the cost of an SMS, whereas the ZTIC, once it has been issued, does not incur any further incremental costs per transaction), privacy-related (banking transaction information is sent over GSM networks) and potential convenience issues (the user has to manually copy mTANs from the phone into the browser).
Background information
This website is intended only to provide a high-level introduction to the concept of the ZTIC. For more details, the reader is referred to either of the two publications below. In addition, we are happy to answer any pertinent emails sent to ztic@zurich.ibm.com.