Ten years ago, IBM Research had a team working on Java Card in Zurich. IBM sold its Java Card activity to NXP, but the team still exists, and last year it announced a strange device, the ZTIC. This is a device for securing banking transactions.
In the example they insist on, they focus on man-in-the-browser attacks, in which an attacker modifies, within the browser itself and after a successful authentication, the parameters of a money transfer in order to transfer more money, of course to his own account. With the ZTIC device, the user can review the actual amount and approve it (or not). According to the Wikipedia article on man-in-the-browser attacks, this looks like the right thing to do against such attacks:
One of the most effective methods in combating a MitB attack is through an Out-of-Band (OOB) Transaction verification process. This overcomes the MitB Trojan by verifying the transaction details, as received by the host (bank), to the user (customer) over a channel other than the browser; typically an automated telephone call.
But then, the next sentence in Wikipedia is not that optimistic for the ZTIC:
OOB Transaction Verification is ideal for mass market use since it leverages devices already in the public domain (e.g. Landline, Cell Phone, etc) and requires no additional hardware devices …
So, is this device really useful?
As Wikipedia mentions, it is also possible to do without any specific hardware, leveraging for instance your existing landline or cellphone. On top of that, these devices are often more flexible, and can perform more operations.
Let’s consider the IBM device, and see what it does:
- It displays an amount that comes directly from the bank’s server.
- It allows the end-user to accept or refuse the transaction, and transmits directly this response to the bank’s server.
- It does so in an out-of-band manner. Actually, end-to-end security is a strong requirement in their case, but mostly because the communication goes through the very PC that may be infected by malware.
The exact same thing can be done in many ways, even with low tech:
- By voice: “You just requested a money transfer of 20,000€ to some Russian bank. Press 1 to confirm, and 2 to cancel”
- By SMS: “You just requested a money transfer of 20,000€ to some Russian bank. Enter 574567 in your browser to confirm the transaction”
I can of course go more high-tech, with a sleek mobile application that handles the incoming SMS and displays it in a fancy way, but still, this is basically the same. In terms of security, is it very different from the ZTIC? Well, no. The communication may not be encrypted, but this has little influence on the overall security level. The security measure in an out-of-band confirmation is the very fact that it is out-of-band: a phone call or SMS sent directly from the bank’s server, to a number that only the server knows.
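To make the point concrete, here is what the bank-side logic behind the SMS variant above looks like. This is an added example, not code from the post, from IBM or from any bank; the class and function names, the message wording and the account identifiers are hypothetical. The bank builds the confirmation message from the transfer order as it actually received it, sends it over a channel the browser never touches, and accepts the one-time code only for that recorded order, within a time limit and with a small number of attempts. The demo walks through both the honest case and a man-in-the-browser rewrite, where the SMS shows the customer the tampered amount and payee rather than what the browser displayed.

```python
"""Bank-side out-of-band (SMS-style) transaction confirmation.
Added example; names, messages and account numbers are hypothetical."""
import hmac
import re
import secrets
import time
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class Transfer:
    from_account: str
    to_account: str
    amount_cents: int          # integer cents, so no float rounding in the message
    currency: str = "EUR"

    def describe(self) -> str:
        return f"{self.amount_cents / 100:,.2f} {self.currency} to {self.to_account}"


class OobConfirmation:
    """Pending confirmations keyed by transaction id; one code per recorded order."""
    CODE_DIGITS = 6
    TTL_SECONDS = 300
    MAX_ATTEMPTS = 3

    def __init__(self, clock=time.monotonic):
        self._clock = clock
        self._pending = {}     # txn_id -> {"transfer", "code", "expires", "attempts"}

    def request(self, transfer: Transfer) -> Tuple[str, str]:
        """Called when the server receives a transfer order from the browser session.
        Returns (txn_id, message). The message goes out over the OOB channel (SMS or
        voice) to the phone number on file; it is never returned to the browser."""
        txn_id = secrets.token_hex(8)
        code = f"{secrets.randbelow(10 ** self.CODE_DIGITS):0{self.CODE_DIGITS}d}"
        self._pending[txn_id] = {"transfer": transfer, "code": code,
                                 "expires": self._clock() + self.TTL_SECONDS,
                                 "attempts": 0}
        message = (f"You just requested a money transfer of {transfer.describe()}. "
                   f"Enter {code} in your browser to confirm the transaction")
        return txn_id, message

    def confirm(self, txn_id: str, entered_code: str) -> Optional[Transfer]:
        """Called with the code typed into the browser. Returns the transfer to execute,
        exactly as the bank recorded it, or None if the code is wrong, expired or reused."""
        entry = self._pending.get(txn_id)
        if entry is None:
            return None
        if self._clock() > entry["expires"]:
            del self._pending[txn_id]
            return None
        entry["attempts"] += 1
        if not hmac.compare_digest(entry["code"], entered_code):
            if entry["attempts"] >= self.MAX_ATTEMPTS:
                del self._pending[txn_id]       # lock out guessing
            return None
        del self._pending[txn_id]               # single use
        return entry["transfer"]


MSG_RE = re.compile(r"money transfer of (?P<amount>[\d,]+\.\d{2}) (?P<ccy>[A-Z]{3}) "
                    r"to (?P<to>.+?)\. Enter (?P<code>\d+) ")


def user_reviews(message: str, intended: Transfer) -> Optional[str]:
    """Simulates the customer reading the SMS: returns the code only when the amount,
    currency and payee in the message match what they meant to send."""
    m = MSG_RE.search(message)
    if m is None:
        return None
    shown_cents = int(m["amount"].replace(",", "").replace(".", ""))
    shown = (shown_cents, m["ccy"], m["to"])
    if shown != (intended.amount_cents, intended.currency, intended.to_account):
        return None
    return m["code"]


def demo() -> dict:
    bank = OobConfirmation()
    intended = Transfer("DE00 ALICE", "DE00 BOB", 20_000)        # 200.00 EUR (constructed)
    # A man-in-the-browser rewrites the order before it leaves the browser,
    # so the bank only ever sees this version.
    tampered = Transfer("DE00 ALICE", "DE00 MULE", 2_000_000)    # 20,000.00 EUR (constructed)
    txn, sms = bank.request(tampered)
    outcome_tampered = "rejected" if user_reviews(sms, intended) is None else "confirmed"

    txn, sms = bank.request(intended)                            # honest order
    code = user_reviews(sms, intended)
    outcome_honest = "confirmed" if bank.confirm(txn, code) == intended else "rejected"
    return {"tampered": outcome_tampered, "honest": outcome_honest}


if __name__ == "__main__":
    print(demo())
```

The code is random and lives only in the bank's pending table next to the recorded order, so it is worthless for any other order, and the customer's check is a comparison between the SMS and their own intention, not between the SMS and the browser screen. Nothing here is encrypted, which is the author's point: the protection comes from the channel and from the binding of the code to what the bank received.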
The other issue with this device is that it is specialized, and quite limited. In particular, it lacks an input device that would allow it to perform some kind of authentication in addition to the out-of-band countermeasure. That would definitely increase its potential use, but as it is, I don’t really see the advantage for a bank.
Let me conclude in my usual selfish way:
- First, I must admit that I am a bit biased, since I work for a company that sells security middleware for mobile phones. On the other hand, I truly adhere to our “Where open meets secure” motto, which commits us to using the same devices for many things, including security.
- Then, I try to promote Java Card 3.0, and I have noticed that the ZTIC device is supposed to contain a card reader. Well, if this card reader can handle a Java Card 3.0 card and open an SSL session to such a card, I am sure that I will be able to find some applications that can make good use of the “secure” display on the ZTIC. Please, just add a few keys so that I can make it a full secure UI, and I will be happy.