terça-feira, 20 de julho de 2010

IBM: Segurança para Internet Banking

Disk failure


A IBM lançou um dispositivo de segurança que promete proteger as transações feitas por internet banking.
A tecnologia, denominada Zone Trusted Information Channel (ZTIC), consiste em um aparelho que se conecta à porta USB e usa o padrão X.509 de criptografia, a fim de criar um canal de segurança com os servidores dos bancos - todos os dados entre o micro e o internet banking são codificados e enviados por meio do ZTIC.
O aparelho é plugado ao computador e permite que os usuários verifiquem suas contas e autorizem qualquer transação requisitada ao selecionar a opção “sim”. Caso contrário, a ação será bloqueada. O uso do ZTIC, assegura IBM, não se sobrepõe às aplicações desenvolvidas pelos próprios bancos, apenas aumenta o rigor do sistema de segurança em momentos críticos, como quando transferências de fundos são requisitadas.
O que a IBM quer é mudar o modo como os criminosos virtuais facilmente exploram a máquina do usuário a partir de vírus e cavalos-de-Tróia, realizando transferências fraudulentas para suas próprias contas bancárias, segundo informa o IDG Now!.
Depois de autorizar determinada operação, as próximas transferências para essa conta não terão de ser verificadas.
"O ZTIC é basicamente um intermediário entre o usuário de um lado, e a aplicação de internet banking do outro. O servidor irá interagir com o ZTIC, e este pedirá ao cliente que confirme a operação” afirma Doug Dykeman, gerente do grupo de pesquisa responsável pelo projeto.
O banco suíço UBS será o primeiro a usar o sistema, o que dá início ao plano da IBM de tornar o ZTIC disponível globalmente. De acordo com a empresa, a tecnologia poderá ser usada em outros meios além do internet banking.



A banking server's display on your key chain










More and more attacks to online banking applications target the user's home PC, changing what is displayed to the user, while logging and altering key strokes. Therefore, third parties such as MELANI conclude that"Two-factor authentication systems [...] do not afford protection against such attacks and must be viewed as insecure once the computer of the customer has been infected with malware".
In a widely published real-world example of the Trojan "Silent banker", Symantec states that"The ability of this Trojan to perform man-in-the-middle attacks on valid transactions is what is most worrying. The Trojan can intercept transactions that require two-factor authentication. It can then silently change the user-entered destination bank account details to the attacker's account details instead."
In order to foil these threats, IBM has introduced the Zone Trusted Information Channel (ZTIC), a hardware device that can counter these attacks in an easy-to-use way. The ZTIC is a USB-attached device containing a display and minimal I/O capabilities that runs the full TLS/SSL protocol, thus entirely bypassing the PC's software for all security functionality.
The ZTIC achieves this by registering itself as a USB Mass Storage Device (thus requiring no driver installation) and starting a "pass-through" proxy configured to connect with pre-configured (banking) Websites. After starting the ZTIC proxy, the user opens a Web browser to establish a connection with the bank's Website via the ZTIC. From that moment on, all data transmitted between browser and server pass through the ZTIC; the SSL session is protected by keys maintained only on the ZTIC and, hence, is inaccessible to malware on the PC (seeusage and technical operation animations, which illustrate how the ZTIC works).
In addition, all critical transaction information, such as target account numbers, is automatically detected in the data stream between browser and ZTIC. This critical information is then displayed on the ZTIC for explicit user confirmation: Only after pressing the "OK" button does the TLS/SSL connection continue. If any malware on the PC has inserted incorrect transaction data into the browser, it can be easily detected by the user at this moment.
Comparison
Various alternatives exist for protecting users against state-of-the-art attacks to online authentication, such as chip card technology or special browser software. The core difference between the ZTIC and these alternatives is that the ZTIC does not rely whatsoever on any software running on the PC, such as device drivers or user interface elements (e.g., any screen elements), as these can be subverted, e.g., painted over, by attackers' malware. Another feasible solution to this problem is to use the user's mobile phone/SMS as a channel to convey transaction confirmation details between server and user ("mTAN"). Until mobile phone malware appears similarly often as on home computers, such solutions are comparable to the ZTIC with regard to the degree of security they provide. Hence, at this time, the primary differences between ZTIC and mTAN solutions are economic in nature (each and every mTan incurs the cost of an SMS, whereas the ZTIC, once it has been issued, does not incur any further incremental costs per transaction), privacy-related (banking transaction information sent over GSM networks) and in the area of usability (the user has to manually copy mTANs from the phone into the browser). Only completely disconnected card readers with their own user input/output capabilities (e.g., PINpad and display) provide a similar level of security as ZTIC, albeit at the cost of more user involvement at every transaction, i.e., a degradation of convenience.
Background information
This website is intended only to provide a high-level introduction to the concept of the ZTIC. For more details, the reader is referred to either of the two publications below. In addition, we are happy to answer any pertinent emails sent to ztic@zurich.ibm.com.

Nenhum comentário:

Postar um comentário

Observação: somente um membro deste blog pode postar um comentário.