Crypto dongles to secure online transactions

David G. Koontz david_koontz at xtra.co.nz
Mon Nov 9 23:15:30 EST 2009


Jerry Leichter wrote:
> On Nov 8, 2009, at 2:07 AM, John Levine wrote:
> 
>> At a meeting a few weeks ago I was talking to a guy from BITS, the
>> e-commerce part of the Financial Services Roundtable, about the way
>> that malware infected PCs break all banks' fancy multi-password logins
>> since no matter how complex the login process, a botted PC can wait
>> until you login, then send fake transactions during your legitimate
>> session.  This is apparently a big problem in Europe.
>>
>> I told him about an approach to use a security dongle that puts the
>> display and confirmation outside the range of the malware, and
>> although I thought it was fairly obvious, he'd apparently never heard
>> it before.
> Wow.  *That's* scary.
> 


http://www.zurich.ibm.com/ztic/
IBM Zone Trusted Information Channel (ZTIC)
A multi-line display and two buttons (approve/disapprove)

http://www.zurich.ibm.com/pdf/csc/ZTIC-Trust-2008-final.pdf

More and more attacks on online banking applications target the user's home
PC, changing what is displayed to the user, while logging and altering
keystrokes.

 ...

In order to foil these threats, IBM has introduced the Zone Trusted
Information Channel (ZTIC), a hardware device that can counter these attacks
in an easy-to-use way. The ZTIC is a USB-attached device containing a
display and minimal I/O capabilities that runs the full TLS/SSL protocol,
thus entirely bypassing the PC's software for all security functionality.

The ZTIC achieves this by registering itself as a USB Mass Storage Device
(thus requiring no driver installation) and starting a "pass-through" proxy
configured to connect with pre-configured (banking) Websites. After starting
the ZTIC proxy, the user opens a Web browser to establish a connection with
the bank's Website via the ZTIC. From that moment on, all data transmitted
between browser and server pass through the ZTIC; the SSL session is
protected by keys maintained only on the ZTIC and, hence, is inaccessible to
malware on the PC (see usage and technical operation animations, which
illustrate how the ZTIC works).

 ...

 --

There's a video clip. http://www.youtube.com/watch?v=mPZrkeHMDJ8 (HD and low
res)

It puts the onus on the user for approval of malware-driven transactions.

http://www.zurich.ibm.com/ztic/operation.html
(animated illustration)

Our Land Transport New Zealand agency (www.ltsa.govt.nz, like the DMV) uses
POLi for making online transactions.  Apparently POLi uses the very same
techniques to provide transaction confirmation to a third party as are used
by malware to interject data into transactions or steal information.

There should be no reason a ZTIC-like device couldn't be used to provide
authentication to a third party as well, the idea being that your car license
renewal etc. transaction isn't confirmed until the bank completes the
payment transaction.

Browsers compartmentalizing connections in the equivalent of sandboxes, as
Chrome does, would, while defending against malware attacks, make POLi
impossible without something like ZTIC.  POLi currently has other
dependencies on Windows.  It strikes me as insecure today, using the same
features exploited by malware.

http://www.centricom.com/  (POLi, centricom used to do routers and the like)
The POLi service now operates in three countries around the world:
Australia, New Zealand and the UK.

You'd think the solution would be cost sensitive.

Internet banking is big here too.  As are phone banking and cell-phone
message-based transactions.  You have to subscribe (thankfully).  We get our
share of fake ATM fronts and the like.
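The property the ZTIC discussion above relies on is that the transaction is rendered and approved on hardware the PC's malware cannot reach, and that the approval is bound to exactly what was displayed. The following is an added illustration, not IBM's or POLi's code: a hypothetical dongle that renders the transaction on its own display, takes the approve/disapprove decision on its own buttons, and binds the decision to the displayed text with an HMAC under a key that never leaves the device (a simplification standing in for the TLS session keys the real ZTIC holds). The bank recomputes the display string from the fields it would actually execute and verifies the tag, so a man-in-the-browser on the PC either shows up on the trusted display (user declines) or breaks the tag (bank rejects). All names, the shared key and the transaction values are constructed for the example.

```python
import hmac
import hashlib
import copy

# Constructed example (not IBM's ZTIC code). A trusted-display dongle shows the
# transaction on its own screen, takes approve/disapprove on its own buttons,
# and binds the decision to the exact displayed text with an HMAC keyed by a
# secret that never leaves the device. The bank holds the matching key.

SHARED_KEY = b"constructed-demo-key-shared-between-dongle-and-bank"  # assumption


def render_transaction(tx):
    """What the dongle's display shows; the bank recomputes the same string
    from the fields it is about to execute."""
    return f"PAY {tx['amount']:.2f} {tx['currency']} TO {tx['payee']}"


class TrustedDongle:
    def __init__(self, key, decide):
        self._key = key        # lives only on the device (models the ZTIC's keys)
        self._decide = decide  # models the two buttons: display text -> True/False

    def confirm(self, tx):
        shown = render_transaction(tx)   # device parses and renders the request itself
        if not self._decide(shown):
            return None                  # disapprove: nothing signed leaves the device
        tag = hmac.new(self._key, shown.encode(), hashlib.sha256).hexdigest()
        return {"tx": copy.deepcopy(tx), "tag": tag}


class BankServer:
    def __init__(self, key):
        self._key = key

    def accept(self, msg):
        """Accept only if the tag matches the transaction the bank would execute."""
        expected = hmac.new(self._key, render_transaction(msg["tx"]).encode(),
                            hashlib.sha256).hexdigest()
        return hmac.compare_digest(expected, msg["tag"])


# Constructed transaction the user actually intends to make.
INTENDED = {"amount": 120.00, "currency": "NZD", "payee": "Land Transport NZ"}


def careful_user(shown):
    """The user presses approve only for what they meant to pay."""
    return shown == render_transaction(INTENDED)


def run_honest():
    dongle, bank = TrustedDongle(SHARED_KEY, careful_user), BankServer(SHARED_KEY)
    return bank.accept(dongle.confirm(INTENDED))


def run_tamper_before_display():
    """Malware rewrites the payee before the dongle sees the request: the
    trusted display shows the attacker's payee, so the user declines."""
    dongle = TrustedDongle(SHARED_KEY, careful_user)
    tampered = dict(INTENDED, payee="Mule Account")
    return dongle.confirm(tampered)  # None: nothing was signed


def run_tamper_after_approval():
    """Malware lets the user approve the genuine transaction, then edits the
    message inside the PC-side session: the tag no longer verifies."""
    dongle, bank = TrustedDongle(SHARED_KEY, careful_user), BankServer(SHARED_KEY)
    msg = dongle.confirm(INTENDED)
    msg["tx"]["payee"] = "Mule Account"  # man-in-the-browser edit on the PC
    return bank.accept(msg)


if __name__ == "__main__":
    print("honest:", run_honest())
    print("tampered before display:", run_tamper_before_display())
    print("tampered after approval:", run_tamper_after_approval())
```

The point the third case makes is the one John Levine raised: a botted PC that waits until after login cannot inject or alter a transaction, because the bank only honours transactions whose tag was produced over the text the user saw on the device. The design also shows why the "onus on the user" remark matters: the second case is only caught if the user actually reads the trusted display before pressing approve.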

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com