


trust-el message


Subject: 2012-01-19-idn-OASIS ZTIC

May I point to ZTIC as a special kind of token which offers trust elevation?



Kind regards,


Jaap Kuipers

Identity management consultant

Id Network Nederland

M: +31 6-23642513





Thursday, 19 January 2012


Description: Computer-generated alternative text: IBM Zone Trusted Information Channel (ZTIC)
A banking server's display on your key chain

More and more attacks on online banking applications target the user's home PC, changing what is displayed to the user, while logging and altering key strokes. Therefore, third parties such as MELANI conclude that “Two-factor authentication systems [...] do not afford protection against such attacks and must be viewed as insecure once the computer of the customer has been infected with malware”. In a widely published real-world example of the Trojan “Silent Banker”, Symantec states that “The ability of this Trojan to perform man-in-the-middle attacks on valid transactions is what is most worrying. The Trojan can intercept transactions that require two-factor authentication. It can then silently change the user-entered destination bank account details to the attacker's account details instead.”

In order to foil these threats, IBM has introduced the Zone Trusted Information Channel (ZTIC), a hardware device that can counter these attacks in an easy-to-use way. The ZTIC is a USB-attached device containing a display and minimal I/O capabilities that runs the full TLS/SSL protocol, thus entirely bypassing the PC's software for all security functionality.

The ZTIC achieves this by registering itself as a USB Mass Storage Device (thus requiring no driver installation) and starting a “pass-through” proxy configured to connect with pre-configured (banking) Websites. After starting the ZTIC proxy, the user opens a Web browser to establish a connection with the bank's Website via the ZTIC. From that moment on, all data transmitted between browser and server pass through the ZTIC: the SSL session is protected by keys maintained only on the ZTIC and, hence, is inaccessible to malware on the PC (see usage and technical operation animations, which illustrate how the ZTIC works).

In addition, all critical transaction information, such as target account numbers, is automatically detected in the data stream between browser and ZTIC. This critical information is then displayed on the ZTIC for explicit user confirmation: only after pressing the “OK” button does the TLS/SSL connection continue. If any malware on the PC has inserted incorrect transaction data into the browser, it can be easily detected by the user at this moment.

Various alternatives exist for protecting users against state-of-the-art attacks on online authentication, such as chip card technology or special browser software. The core difference between the ZTIC and these alternatives is that the ZTIC does not rely whatsoever on any software running on the PC, such as device drivers or user interface elements (e.g., any screen elements), as these can be subverted, e.g., painted over, by attackers' malware.

Another feasible solution to this problem is to use the user's mobile phone/SMS as a channel to convey transaction confirmation details between server and user (mTAN). Until mobile phone malware appears similarly often as on home computers, such solutions are comparable to the ZTIC with regard to the degree of security they provide. Hence, at this time, the primary differences between ZTIC and mTAN solutions are economic in nature (each and every mTAN incurs the cost of an SMS, whereas the ZTIC, once it has been issued, does not incur any further incremental costs per transaction), privacy-related (banking transaction information sent over GSM networks) and in the area of usability (the user has to manually copy mTANs from the phone into the browser). Only completely disconnected card readers with their own user input/output capabilities (e.g., PINpad and display) provide a similar level of security as ZTIC, albeit at the cost of more user involvement at every transaction, i.e., a degradation of

Figure 1. Information flow of the ZTIC. The secure channel is opened between the (bank's) server and the ZTIC. The user communicates as usual with the server via a PC.


Screen clipping taken on: 19-1-2012 14:41



Created with Microsoft OneNote 2010
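To make the confirmation step described in the clipping concrete, here is an added toy model in Python; it is not IBM's or the ZTIC's own code. It parses the browser's transfer request the way a device on the trusted side of the channel would, builds the display prompt from the critical fields, and lets the session continue only when the user's OK matches what they intended. The form field names, the /transfer path and the CRITICAL_FIELDS list are assumptions, and the sample requests are constructed.

```python
"""Toy model of the ZTIC confirmation step (added example, not IBM code).
Assumptions: the bank's transfer form posts 'to_account' and 'amount' as
application/x-www-form-urlencoded to /transfer; the critical-field list and
the intercept-then-confirm API are hypothetical."""
from typing import Dict, Optional, Tuple
from urllib.parse import parse_qs

CRITICAL_FIELDS = ("to_account", "amount")  # hypothetical device configuration
TRANSFER_PATH = "/transfer"                  # hypothetical bank endpoint

def parse_http_request(raw: bytes) -> Tuple[str, str, Dict[str, str]]:
    """Split a plaintext HTTP/1.1 request into method, path and form fields."""
    head, _, body = raw.partition(b"\r\n\r\n")
    request_line = head.split(b"\r\n", 1)[0].decode()
    method, path, _version = request_line.split(" ")
    fields = {k: v[0] for k, v in parse_qs(body.decode()).items()}
    return method, path, fields

def confirmation_prompt(raw: bytes) -> Optional[str]:
    """What the device shows on its own display before the TLS session continues.
    Returns None when the request carries no critical transaction data."""
    method, path, fields = parse_http_request(raw)
    if method != "POST" or path != TRANSFER_PATH:
        return None
    return " ".join(f"{k}={fields.get(k, '?')}" for k in CRITICAL_FIELDS)

def device_forwards(raw: bytes, user_intended: Dict[str, str]) -> bool:
    """Model the OK button: the user compares the device display with what they
    typed into the browser and presses OK only if the two agree. The prompt is
    built from the request bytes, not from anything the PC rendered, so a
    PC-side rewrite shows up on the display."""
    prompt = confirmation_prompt(raw)
    if prompt is None:
        return True  # non-transaction traffic passes through untouched
    expected = " ".join(f"{k}={user_intended[k]}" for k in CRITICAL_FIELDS)
    return prompt == expected

# Constructed sample traffic: the transfer the user intended, and the same request
# after malware on the PC rewrote the destination account inside the browser.
INTENDED = {"to_account": "NL00BANK0123456789", "amount": "150.00"}
CLEAN_REQUEST = (b"POST /transfer HTTP/1.1\r\nHost: bank.example\r\n"
                 b"Content-Type: application/x-www-form-urlencoded\r\n\r\n"
                 b"to_account=NL00BANK0123456789&amount=150.00")
TAMPERED_REQUEST = CLEAN_REQUEST.replace(b"NL00BANK0123456789", b"NL99EVIL0000000001")

if __name__ == "__main__":
    print(confirmation_prompt(CLEAN_REQUEST))
    print(device_forwards(CLEAN_REQUEST, INTENDED), device_forwards(TAMPERED_REQUEST, INTENDED))
```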
