IBM researchers have come up with a small device they like to call “security on a stick” for use in online banking so customers plugging into any computer can protect transactions and find out if Trojan malware is trying to steal funds.
Created in IBM’s Zurich Research Lab, the “security on a stick” is still a prototype and being tested in a few trials in Europe, says Michael Baentsch, a senior researcher there. IBM, which unveiled the device today, officially calls it the “Zone Trusted Information Channel” because the little USB-based device works to set up a secure channel to an online banking site supporting it.
When the device is plugged into any computer, it creates an TLS/SSL-based channel to a banking server. But beyond that, it also acts as a proxy program that lets the user connect over the Internet to the bank’s server, and makes visible to the user exactly what is transmitted over this channel to the bank.
“It doesn’t prevent a man-in-the-middle attack on the PC, but it makes them visible,” Baentsch says. So after logging on, if a banking customer intended to complete a certain transaction but saw that inexplicably there was different information about to be transferred — perhaps through a trick of a Trojan on the machine — that action could be stopped.
“The user can say ‘no,’ this isn’t what I intended,” Baentsch says.