ZTICing It To Hackers
Do you get nervous when you shop online? Did you say, “No, thank you” when your bank asked you if you wanted netbanking? Are you worried that there’s someone out there just waiting for you to mess up and release your credit card information online? Well, there is. If IBM has their way, though, they’ll be waiting a long time.
Viruses have come and gone, but no security breach has had the kind of mileage that phishing, and the identity theft that follows it, have. You can’t be safe from your own gullibility, so it’s ridiculously easy to fall for a phishing attack. At the same time, though, we can’t really afford to go back to the days of standing in queues at our local bank branches (well, maybe, but do we want to?). Now, IBM’s Zurich lab has come up with a solution to all our woes, and it’s called ZTIC — Zone Trusted Information Channel, and pronounced “stick.” The ZTIC will protect you from a man-in-the-middle attack, where you think you’re talking directly to your bank’s server, but you’re really talking to a hacker’s machine, and that machine is talking to the bank’s server. So you could be requesting a transfer of Rs 2,000, but the hacker can transfer Rs 20,000, and still make it seem to you that everything’s all right.
Here’s how the ZTIC protects you: you ztic it into your USB port, and it starts communicating directly with your bank’s server using a secure connection. Meanwhile, you use your browser for netbanking, just as you would in any other circumstances. While you’re going about your transactions, the ZTIC will show you the amounts that the bank’s servers are receiving, so if there’s a difference between what you see on screen and what the ZTIC shows you, you’ll know that it’s a man-in-the-middle attack, and hit the big red button to kill the transaction. It’s like the SMS you get after you use your credit card, only in real time.
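A small Python model of that check, added here as an illustration (it is not IBM's code; it substitutes a constructed shared MAC key for the device's real secure connection to the bank, and the account numbers and amounts are made up). The device shows the transfer the bank actually received, the user compares it with what the browser shows, and a confirmation is released only on a match, bound to exactly the transfer the bank holds:

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Callable, Optional

# Constructed shared secret between the bank and the ZTIC-like device.
# The real device uses its own secure channel; a MAC key keeps this model small.
DEVICE_KEY = b"constructed-device-key-not-real"


@dataclass(frozen=True)
class Transfer:
    to_account: str
    amount_inr: int

    def canonical(self) -> bytes:
        # Canonical encoding so the MAC binds exactly what the bank received.
        return f"{self.to_account}|{self.amount_inr}".encode()


def device_confirm(received: Transfer, intended: Transfer) -> Optional[bytes]:
    """Model of the trusted display: the device shows what the BANK received
    (`received`); the user compares it with what the browser shows
    (`intended`). A mismatch means the request was rewritten in transit, so
    the user hits the abort button and no confirmation is released."""
    if received != intended:
        return None  # abort: details differ -> man-in-the-middle suspected
    return hmac.new(DEVICE_KEY, received.canonical(), hashlib.sha256).digest()


def bank_commit(received: Transfer, confirmation: Optional[bytes]) -> bool:
    """The bank commits only if the confirmation MACs the transfer it holds."""
    if confirmation is None:
        return False
    expected = hmac.new(DEVICE_KEY, received.canonical(), hashlib.sha256).digest()
    return hmac.compare_digest(expected, confirmation)


def run_session(intended: Transfer,
                mitm_rewrite: Optional[Callable[[Transfer], Transfer]] = None) -> bool:
    """One netbanking session. `mitm_rewrite`, if given, models an attacker
    between browser and bank who alters the request on the wire."""
    bank_view = mitm_rewrite(intended) if mitm_rewrite else intended
    confirmation = device_confirm(bank_view, intended)  # shown on the device
    return bank_commit(bank_view, confirmation)


if __name__ == "__main__":
    legit = Transfer("1234567890", 2000)          # constructed sample transfer
    print("honest session committed:", run_session(legit))
    rewrite = lambda t: Transfer("attacker-acct", 20000)
    print("MITM session committed:", run_session(legit, rewrite))
```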
There are, however, many ways that a determined hacker could get past the ZTIC — most obviously, by getting the ZTIC to talk to his man-in-the-middle server as well. The ZTIC also doesn’t protect you if you’ve got key-loggers installed on your system, and may even lull you into a false sense of security.
If your bank gives you an RSA SecurID (a little keychain that generates a random number every minute or so), you probably don’t have to worry about needing the ZTIC — in fact, the SecurID can’t be fooled by a man-in-the-middle attack. What we really need our banks to do before anything else is to stop writing bad, IE-specific code. Then bring on the SecurID.