UBS to Deploy IBM Secure Banking USB Device

Banking giant UBS has started deploying a device from IBM that ensures online banking transactions aren't being interfered with by hackers.

IBM's ZTIC (Zone Trusted Information Channel) is a smart-card reader that attaches to computer via a USB cable. During an online banking transaction, it bypasses the Web browser and makes a direct SSL (Secure Sockets Layer) connection with the bank.

With that access, the ZTIC is able to show a banking customer what will actually happen during a transaction even if the computer is infected with malicious software.

The ZTIC is designed to thwart man-in-the-middle attacks, where a hacker interferes with a transaction in real time and modifies data.

For example, it can allow a hacker to transfer $9,000 to a third-party account while showing the victim the amount they intended to transfer to the correct account.

UBS published a video of their implementation of the ZTIC, which the bank has dubbed the "UBS Access Key." Once connected, a customer inserts an access card into the ZTIC and enters a PIN (Personal Identification Number) on the UBS Web site. When the customer has filled out a beneficiary for payment, the ZTIC will display the target account number on its screen.

If the transaction has been hacked and the account number is different, the customer can abort the payment by hitting a red "x," or a green check if it's fine.

UBS chose the ZTIC for use primarily with corporate customers setting up new payment beneficiaries in their online banking system, according to a bank spokesman. Those corporate customers will get the ZTIC for free, UBS said.

It is also available to retail customers but they will have to pay 65 Swiss francs (US$60). UBS has about 100,000 corporate and 550,000 retail e-banking clients.

The technology that is in the ZTIC has been around for a while, but IBM is the first company to get a major bank to deploy it, which is significant, said Avivah Litan, a vice president at Gartner.

As criminals have found ways to defeat strong authentication methods such as one-time passwords, "locked-down" computing -- which aims to seal off banking sessions from malware interference -- is gaining traction, she said.

"The concept and architecture makes a lot of sense, if it [ZTIC] works as advertised," Litan said. "I'm sure some vulnerabilities will become apparent as the ZTIC technology is rolled out, but these will be much more limited by nature of the architecture than the ones that are present in the desktop computing environment."

Subscribe to the Security Watch Newsletter

Comments