IBM develops ZTIC USB stick for secure online banking

Among the goodies making their debut at CeBIT this week, ZTIC (Zone Trusted Information Channel) is a USB stick designed for secure online banking, even on your horribly malware-infected machine. Developed in Zurich by IBM, this guy opens an SSL connection with the bank's servers, keeping the session keys safely on its side of things (this guy has no storage of its own) and displaying the transaction on the hardware itself. Even if your connection is breached by a "man-in-the-middle" attack, the hacker's funny business will be exposed on the device's display, which comes equipped with a big red "panic" button -- just in case. Pricing and availability for banking institutions have yet to be determined, but we do have a boss video for you after the break.
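To make the mechanism concrete, here is an added example (not IBM's code, and not from the article) that models the ZTIC idea: the PC is an untrusted relay, the stick and the bank share the session key, and only what the bank authenticates is shown on the stick's display. It assumes the pinned SSL handshake has already happened and stands in for it with a fixed shared key and an HMAC-SHA256 tag per record; the bank, device and trojan here are all constructed for the demo.

```python
"""Trusted-display transaction confirmation, modelled after the ZTIC idea.

Constructed example. The host PC is untrusted and only relays bytes; the
device and the bank share a session key (assumption: the pinned handshake
has already happened, so a fixed key is used). Only what the bank
authenticates is shown on the device display, so a host-side trojan that
rewrites the transfer is exposed before the user approves it.
"""
import hashlib
import hmac
import json

SESSION_KEY = b"demo-session-key-not-for-real-use"  # constructed, demo only


def seal(key: bytes, msg: dict) -> bytes:
    """Serialise msg and append an HMAC-SHA256 tag (stand-in for the TLS record layer)."""
    body = json.dumps(msg, sort_keys=True).encode()
    return body + b"." + hmac.new(key, body, hashlib.sha256).hexdigest().encode()


def unseal(key: bytes, blob: bytes) -> dict:
    """Verify the tag in constant time; raise on any modification in transit."""
    body, _, tag = blob.rpartition(b".")
    expected = hmac.new(key, body, hashlib.sha256).hexdigest().encode()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("authentication failed: message altered in transit")
    return json.loads(body)


class Bank:
    """Bank server: never executes a transfer until the device confirms it."""

    def __init__(self, key: bytes):
        self.key = key
        self.pending = None
        self.executed = []

    def handle(self, blob: bytes) -> bytes:
        msg = unseal(self.key, blob)
        if msg["type"] == "transfer":
            self.pending = msg
            # Echo the details back; this is exactly what the device will display.
            return seal(self.key, {"type": "confirm?", "to": msg["to"], "amount": msg["amount"]})
        if msg["type"] == "decision" and self.pending is not None:
            if msg["approve"]:
                self.executed.append(self.pending)
            self.pending = None
            return seal(self.key, {"type": "done"})
        raise ValueError("unexpected message")


class Device:
    """ZTIC-like stick: holds the session key, owns the display and the buttons."""

    def __init__(self, key: bytes):
        self.key = key
        self.display = None

    def to_bank(self, msg: dict) -> bytes:
        return seal(self.key, msg)

    def from_bank(self, blob: bytes) -> dict:
        msg = unseal(self.key, blob)
        if msg["type"] == "confirm?":
            # Display is fed only from the authenticated channel, never from the host.
            self.display = f"Pay {msg['amount']} to {msg['to']}?"
        return msg

    def press(self, approve: bool) -> bytes:
        return self.to_bank({"type": "decision", "approve": approve})


def run(intended: dict, host_rewrites):
    """One banking session. `intended` is what the user typed; `host_rewrites`
    models the (possibly compromised) PC that hands the transfer to the stick.
    Returns (what the display showed, whether the user approved, executed transfers)."""
    bank, dev = Bank(SESSION_KEY), Device(SESSION_KEY)
    submitted = host_rewrites(dict(intended))
    dev.from_bank(bank.handle(dev.to_bank({"type": "transfer", **submitted})))
    # The user compares the device display with what they meant to send.
    approve = dev.display == f"Pay {intended['amount']} to {intended['to']}?"
    bank.handle(dev.press(approve))
    return dev.display, approve, bank.executed


def honest(tx: dict) -> dict:
    return tx


def trojan(tx: dict) -> dict:
    """Constructed host-side malware: swaps payee and amount behind the user's back."""
    tx["to"], tx["amount"] = "mule-account", 20000
    return tx


def relay_tamper_detected() -> bool:
    """The host edits the sealed record itself instead; the bank refuses it."""
    blob = bytearray(seal(SESSION_KEY, {"type": "transfer", "to": "alice", "amount": 100}))
    blob[blob.index(b"100")] = ord("9")  # 100 -> 900 without the key
    try:
        unseal(SESSION_KEY, bytes(blob))
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print(run({"to": "alice", "amount": 100}, honest))
    print(run({"to": "alice", "amount": 100}, trojan))
    print("in-transit tamper detected:", relay_tamper_detected())
```

The two failure modes line up with the article's claims: a trojan that rewrites the transfer before it reaches the stick is shown on the display (the bank echoes what it is about to execute), so the user cancels; a relay that edits the authenticated record is simply rejected by the bank. What the model cannot do, as a commenter below notes, is hide the credentials from a compromised host; it only ensures nothing is executed that was not shown on the stick.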
[Via PC World]
I read about this just yesterday. They even disclaim that it won't stop a man in the middle attack, just show you any injected info. By that point however, the mitm would already have your pass and login, so it might be a moot point. That said, this is still a massive step forward in transaction security, if only because it makes it easy to be more secure!
There is NO device that can stop a man in the middle attack.
@ Flashpoint
How about a gun? That's certainly a device and I'm pretty sure someone would stop jacking your bank account if you pointed it at them.
Thus, your statement is FALSE.
"One time pad" encryption would make a man in the middle attack impossible. Both the password and data would have to use this method.
With the size of USB keys and HDs I don't see why this method is not used. Seeing how bank transactions are under 10KB in size and larger USB keys in the 16GB range... that's 1.6 million transactions.
@Flashpoint: Why not? I'm presuming this device is preprogrammed with the bank's SSL key/cert. So if anything intercepts a request from this device, they shouldn't be able to respond in a manner that would match the certificate.
The police could stop a man in the middle attack.
My PC has a big panic failsafe too. It's called ripping out the power cord.
Hopefully there won't be tanks of liquid nitrogen around when the emergency happens, but I'm invincible so it won't matter.
What would happen if there was liquid nitrogen about...
You would be chilly?
Perhaps you mean nitroglycerin?
@Oli D
...The cradle collapses, crushing Trevelyan and rupturing liquid nitrogen tanks that freeze Grishenko...
http://en.wikipedia.org/wiki/Goldeneye#Plot
I had forgotten all about GoldenEye...
Freak dude, this is awesome.
tight!
You'd think they would have put the yes/no buttons further apart... hate to accidentally hit the yes button on the $20,000 transfer....
More bankers should have these for transferring their bailout money.
Make it more secure.
no No NO! My money in the Cayman Islands just disappeared!
And still we have a 4 numeric keys password (aka pin) for credit card.
...not even. In Canada, most credit cards are just swipe 'n sign. And you rarely find a cashier who will actually look at your signature.
This is a cool idea but seems a bit pointless. Now, what if you made a gadget like this that hung off a phone (better still build it into the phone) and every time you made a credit card transaction [or someone else does with your card], it gets contacted independently [and instantly] by the credit card provider, shows you the details and a yes/no right there? If your phone's off, they return a 'not yet authorised but try again tomorrow' status. Credit card fraud = dead. (Ok, unless somebody physically steals both your card and your phone...)
Then once there's a standard device/protocol like that it can be used by all sorts of institutions including banks to confirm transactions.
I have two bank accounts, one of them's threatening to send me some kind of gadget (not like this one, just a basic secure-id thing I assume). Probably later the other one will too. Then maybe my credit card will eventually get one... that's just crazy, they need to come up with a standard for this stuff.
I prefer SMS codes to secure my transactions - http://www.mbank.pl/en/guide/safety/sms_codes.html
Sending SMS codes in the open without standard encryption tools isn't exactly a very convincing case. Sadly a few banks have started using "SMS codes" without success. OTP solutions are simpler and better. PKI solutions are highly recommended.
Not sure I follow this *stick* (ZTIC in German) device, if it has a secure dedicated line to the bank server how come his transaction was still changed to CHF 20,000.00 by a hacker???
Because he didn't enter the transaction details on the ZTIC, but on his (compromised) computer. But with the ZTIC he can review and in case of fraud cancel the transaction. :)
jojo
If IBM markets an mp3 player this cute, I'll buy one.
This has existed under the name of HBCI in Germany for at least 10 years; using smartcards as security tokens. Strange that this should be marketed as an innovation.
HBCI has different security classes, the one with the LCD display to confirm the transaction is "class 3". Unfortunately class 3 readers are very expensive (about 100 €), so most people use either class 1 (rather insecure because the smartcard PIN is entered through the PC keyboard) or class 2 (PIN entry on card reader keypad but no LCD display).
In the end, the decisive question will be whether IBM will manage to make this product cheaper, that is 20 € max. Otherwise this product will fail as much as class 3 HBCI did.
Ah, and if they want a large, instant customer base in Germany they should make the device so that the existing HBCI cards can be inserted into it.