IBM Zurich Research Laboratory Internet Transaction Security on Your Key Chain

David G. Koontz david_koontz at
Wed Nov 5 15:08:25 EST 2008

 IBM Zone Trusted Information Channel (ZTIC)

A banking server's display on your key chain

More and more attacks to online banking applications target the user's home
PC, changing what is displayed to the user, while logging and altering key
strokes. Therefore, third parties such as MELANI  conclude that "Two-factor
authentication systems [...] do not afford protection against such attacks
and must be viewed as insecure once the computer of the customer has been
infected with malware".


Perhaps worth a read.  Uses a USB device as a browser proxy serving as a man
in the middle monitor for SSL/TLS transactions to banks.    Allows the user
to explicitly authorize release of information in a transaction to prevent
browser based attacks.  See the demo video (another link below).

You'd think it would cure a lot of the issues with performing transactions
on browsers.  Now you get to worry about where your ZTIC is, and whether or
not it's been tinkered with.

There's a YouTube video which can be found here:

A couple of articles:

and IBM's own press release:

You need a Springer Verlag account to download a paper presented on ZTIC at
Trust 2008.  I found the proceedings on scribd by googling for the authors
names from the paper title.

The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at

More information about the cryptography mailing list