IBM Zone Trusted Information Channel (ZTIC) — ‘a banking server’s display on your keychain’.
IBM has introduced the Zone Trusted Information Channel (ZTIC), a hardware device that can counter [malware attacks on online banking] in an easy-to-use way. The ZTIC is a USB-attached device containing a display and minimal I/O capabilities that runs the full TLS/SSL protocol, thus entirely bypassing the PC’s software for all security functionality.
The ZTIC achieves this by registering itself as a USB Mass Storage Device (thus requiring no driver installation) and starting a “pass-through” proxy configured to connect with pre-configured (banking) Websites. After starting the ZTIC proxy, the user opens a Web browser to establish a connection with the bank’s Website via the ZTIC. From that moment on, all data transmitted between browser and server pass through the ZTIC; the SSL session is protected by keys maintained only on the ZTIC and, hence, is inaccessible to malware on the PC […].
In addition, all critical transaction information, such as target account numbers, is automatically detected in the data stream between browser and ZTIC. This critical information is then displayed on the ZTIC for explicit user confirmation: Only after pressing the “OK” button does the TLS/SSL connection continue. If any malware on the PC has inserted incorrect transaction data into the browser, it can be easily detected by the user at this moment.
This seems like quite a nice implementation, I think.
However, key management will be problematic. Each server’s public key will need to be stored on the ZTIC, and not be writable/modifiable by the possibly-infected PC, otherwise the “bad guys” could simply insert a cert for a malware proxy server on the PC and perform a man-in-the-middle attack on the TLS session. But for that to be viable, the SSL certs need to change very infrequently, or some new secure procedure to update the certs from a “safe” machine needs to be put in place. Tricky….