IBM Zone Trusted Information Channel (ZTIC)

A banking server's display on your key chain

ZTICMore and more attacks to online banking applications target the user's home PC, changing what is displayed to the user, while logging and altering key strokes. Therefore, third parties such as MELANI conclude that "Two-factor authentication systems [...] do not afford protection against such attacks and must be viewed as insecure once the computer of the customer has been infected with malware".

In a widely published real-world example of the Trojan "Silent banker", Symantec states that "The ability of this Trojan to perform man-in-the-middle attacks on valid transactions is what is most worrying. The Trojan can intercept transactions that require two-factor authentication. It can then silently change the user-entered destination bank account details to the attacker's account details instead."

In order to foil these threats, IBM has introduced the Zone Trusted Information Channel (ZTIC), a hardware device that can counter these attacks in an easy-to-use way. The ZTIC is a USB-attached device containing a display and minimal I/O capabilities that runs the full TLS/SSL protocol, thus entirely bypassing the PC's software for all security functionality.

The ZTIC achieves this by registering itself as a USB Mass Storage Device (thus requiring no driver installation) and starting a "pass-through" proxy configured to connect with pre-configured (banking) Websites. After starting the ZTIC proxy, the user opens a Web browser to establish a connection with the bank's Website via the ZTIC. From that moment on, all data transmitted between browser and server pass through the ZTIC; the SSL session is protected by keys maintained only on the ZTIC and, hence, is inaccessible to malware on the PC (see usage and technical operation animations, which illustrate how the ZTIC works).

In addition, all critical transaction information, such as target account numbers, is automatically detected in the data stream between browser and ZTIC. This critical information is then displayed on the ZTIC for explicit user confirmation: Only after pressing the "OK" button does the TLS/SSL connection continue. If any malware on the PC has inserted incorrect transaction data into the browser, it can be easily detected by the user at this moment.

Comparison

Blue ZVarious alternatives exist for protecting users against state-of-the-art attacks to online authentication, such as chip card technology or special browser software. The core difference between the ZTIC and these alternatives is that the ZTIC does not rely whatsoever on any software running on the PC, such as device drivers or user interface elements (e.g., any screen elements), as these can be subverted, e.g., painted over, by attackers' malware.

Another feasible solution to this problem is to use the user's mobile phone/SMS as a channel to convey transaction confirmation details between server and user ("mTAN"). Until mobile phone malware appears similarly often as on home computers, such solutions are comparable to the ZTIC with regard to the degree of security they provide. Hence, at this time, the primary differences between ZTIC and mTAN solutions are economic in nature (each and every mTan incurs the cost of an SMS, whereas the ZTIC, once it has been issued, does not incur any further incremental costs per transaction), privacy-related (banking transaction information sent over GSM networks) and in the area of usability (the user has to manually copy mTANs from the phone into the browser). Only completely disconnected card readers with their own user input/output capabilities (e.g., PINpad and display) provide a similar level of security as ZTIC, albeit at the cost of more user involvement at every transaction, i.e., a degradation of convenience.

Background information

This website is intended only to provide a high-level introduction to the concept of the ZTIC. For more details, the reader is referred to either of the two publications below. In addition, we are happy to answer any pertinent emails sent to ztic@zurich.ibm.com.

Publications

  1. Thomas Weigold, Alain Hiltgen
    Secure Confirmation of Sensitive Transaction Data in Modern Internet Banking Services
    To appear in Proc. WorldCIS 2011, Feb 21-23, 2011, London, UK.
  2. Thomas Weigold, Thorsten Kramp, Reto Hermann, Frank Höring, Peter Buhler, Michael Baentsch
    The Zurich Trusted Information Channel – An Efficient Defence against Man-in-the-Middle and Malicious Software Attacks
    In P. Lipp, A.-R. Sadeghi, and K.-M. Koch (Eds.): TRUST 2008, LNCS 4968, pp. 75–91, 2008.
    © Springer-Verlag Berlin Heidelberg 2008.
  3. Michael Baentsch, Peter Buhler, Reto Hermann, Frank Höring, Thorsten Kramp, Thomas Weigold
    A Banking Server’s Display on your Key Chain
    ERCIM News 73, online edition, April 2008.