Jerry Leichter wrote:
> On Nov 8, 2009, at 2:07 AM, John Levine wrote:
>
>> At a meeting a few weeks ago I was talking to a guy from BITS, the
>> e-commerce part of the Financial Services Roundtable, about the way
>> that malware infected PCs break all banks' fancy multi-password logins
>> since no matter how complex the login process, a botted PC can wait
>> until you login, then send fake transactions during your legitimate
>> session. This is apparently a big problem in Europe.
>>
>> I told him about an approach to use a security dongle that puts the
>> display and confirmation outside the range of the malware, and
>> although I thought it was fairly obvious, he'd apparently never heard
>> it before.
> Wow. *That's* scary.
>
http://www.zurich.ibm.com/ztic/

IBM Zone Trusted Information Channel (ZTIC)
A multi-line display and two buttons (approve/disapprove)

http://www.zurich.ibm.com/pdf/csc/ZTIC-Trust-2008-final.pdf

  More and more attacks to online banking applications target the user's
  home PC, changing what is displayed to the user, while logging and
  altering key strokes.
  ...
  In order to foil these threats, IBM has introduced the Zone Trusted
  Information Channel (ZTIC), a hardware device that can counter these
  attacks in an easy-to-use way. The ZTIC is a USB-attached device
  containing a display and minimal I/O capabilities that runs the full
  TLS/SSL protocol, thus entirely bypassing the PC's software for all
  security functionality.

  The ZTIC achieves this by registering itself as a USB Mass Storage
  Device (thus requiring no driver installation) and starting a
  "pass-through" proxy configured to connect with pre-configured
  (banking) Websites. After starting the ZTIC proxy, the user opens a
  Web browser to establish a connection with the bank's Website via the
  ZTIC. From that moment on, all data transmitted between browser and
  server pass through the ZTIC; the SSL session is protected by keys
  maintained only on the ZTIC and, hence, is inaccessible to malware on
  the PC (see usage and technical operation animations, which illustrate
  how the ZTIC works).
  ...

--

There's a video clip.
http://www.youtube.com/watch?v=mPZrkeHMDJ8 (HD and low res)

It puts the onus on the user for approval of malware-driven transactions.

http://www.zurich.ibm.com/ztic/operation.html (animated illustration)

Our Land Transport New Zealand agency (www.ltsa.govt.nz, like the DMV) uses
POLi for making online transactions. Apparently POLi uses the very same
techniques to provide transaction confirmation to a third party as are used
by malware to interject data into transactions or steal information.
There should be no reason a ZTIC-like device couldn't be used to provide
authentication to a third party as well, the idea being that your car
licence renewal etc. transaction isn't confirmed until the bank completes
the payment transaction.

Browsers compartmentalizing connections in the equivalent of sandboxes, as
is done by Chrome, would, while defending against malware attacks, make
POLi impossible without something like ZTIC. POLi currently has other
dependencies on Windows. It strikes me as insecure today, using the same
features exploited by malware.

http://www.centricom.com/ (POLi; Centricom used to do routers and the like)

  The POLi service now operates in three countries around the world:
  Australia, New Zealand and the UK.

You'd think the solution would be cost sensitive. Internet banking is big
here too. As is phone banking and cell-phone message-based transactions.
You have to subscribe (thankfully). We get our share of fake ATM fronts and
the like.

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [email protected]
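The ZTIC flow quoted in the post (the transaction is shown on a display the PC cannot draw on, and approval is bound to a secret only the dongle holds), as an added example that is neither IBM's code nor part of the original message. It substitutes an HMAC key shared with the bank at enrolment for the TLS session keys the real device keeps, a callback for the two buttons, and a tag check at the bank for the TLS session; the payees, amounts and key are constructed for the example. It also illustrates the remark above about the onus being on the user: the man-in-the-browser swap in scenario 2 is caught only because the simulated user compares the dongle's display with what they intended to pay.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Callable, Optional, Tuple


@dataclass(frozen=True)
class Transaction:
    payee: str
    amount_cents: int

    def canonical(self) -> bytes:
        # Fixed field order and encoding, so dongle and bank MAC identical bytes.
        return f"TRANSFER|payee={self.payee}|amount={self.amount_cents}".encode()


def render(tx: Transaction) -> str:
    """Text on the dongle's own display; PC-resident malware cannot draw here."""
    return f"Pay {tx.amount_cents / 100:.2f} to {tx.payee}? [OK]/[CANCEL]"


class Bank:
    """Server side: executes a transfer only with a valid tag from the dongle.
    (Assumption: the key was provisioned at enrolment; stands in for TLS.)"""

    def __init__(self, device_key: bytes):
        self._key = device_key
        self.executed = []

    def submit(self, canonical: bytes, tag: bytes) -> bool:
        expected = hmac.new(self._key, canonical, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, tag):
            return False
        self.executed.append(canonical)
        return True


class Ztic:
    """Trusted dongle: sole holder of the key; it signs only what it displayed."""

    def __init__(self, device_key: bytes, user_approves: Callable[[str], bool]):
        self._key = device_key
        self._user_approves = user_approves  # stands in for the two buttons
        self.display_log = []

    def forward(self, tx: Transaction) -> Optional[Tuple[bytes, bytes]]:
        text = render(tx)
        self.display_log.append(text)
        if not self._user_approves(text):
            return None  # CANCEL: nothing is signed, nothing reaches the bank
        canonical = tx.canonical()
        return canonical, hmac.new(self._key, canonical, hashlib.sha256).digest()


def attentive_user(intended: Transaction) -> Callable[[str], bool]:
    """Presses OK only if the dongle's display matches what they meant to pay."""
    return lambda shown: shown == render(intended)


def run_scenarios() -> dict:
    key = secrets.token_bytes(32)                     # constructed device key
    intended = Transaction("ACME Utilities", 12_050)  # constructed payment
    swapped = Transaction("Mule Account 4711", 999_900)
    results = {}

    # 1. Clean PC: the dongle shows the intended transfer, the user approves.
    bank, dev = Bank(key), Ztic(key, attentive_user(intended))
    signed = dev.forward(intended)
    results["honest"] = signed is not None and bank.submit(*signed)

    # 2. Man-in-the-browser swaps payee and amount after the user typed them.
    #    The dongle can only show what it actually received, so the user cancels.
    bank, dev = Bank(key), Ztic(key, attentive_user(intended))
    results["swap_rejected_by_user"] = (
        dev.forward(swapped) is None and bank.executed == []
    )

    # 3. Malware bypasses the dongle and forges a tag: it has no key, bank refuses.
    bank = Bank(key)
    forged = hmac.new(b"guess", swapped.canonical(), hashlib.sha256).digest()
    results["forged_tag_rejected"] = not bank.submit(swapped.canonical(), forged)

    # 4. Malware lets the user approve the real transfer, then edits the bytes
    #    on the way out. In the ZTIC those bytes travel inside TLS the PC cannot
    #    open; here the tag no longer matches the edited transaction.
    bank, dev = Bank(key), Ztic(key, attentive_user(intended))
    _, tag = dev.forward(intended)
    results["tamper_after_approval_rejected"] = not bank.submit(swapped.canonical(), tag)
    return results


if __name__ == "__main__":
    for name, ok in run_scenarios().items():
        print(f"{name}: {'defended' if ok else 'FAILED'}")
```

A user who presses OK without reading the display turns scenario 2 into scenario 1 with the attacker's payee, which is exactly the residual risk the post points at; the dongle removes the PC from the trust base, not the user.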
