To help protect business and retail customers from phishing and hacking attacks as they bank online, Swiss bank UBS has begun making IBM's Zone Trusted Information Channel hardware device available to these customers. UBS is providing the solution free to frequent online banking users and selling it to the rest for about $62 (65 Swiss francs). HSBC/Trusteer and Ironkey have also rolled out somewhat similar anti-fraud technology for online banking this week.
UBS has posted a video tutorial for its new access key on YouTube:
This product is a USB-attached device containing a display that runs the TLS/SSL protocol, bypassing the PC's security software. It registers itself as a USB mass storage device and starts a "pass-through" proxy to connect with the UBS online banking site. After starting the ZTIC proxy, the user opens a web browser to establish a connection with the bank's website via the ZTIC. From that moment on, all data transmitted between browser and server passes through the ZTIC; the SSL session is protected by keys maintained only on the ZTIC and, hence, according to IBM, is inaccessible to malware on the PC.
Transaction information, such as account numbers, is automatically detected in the data stream between browser and ZTIC. This information is then displayed on the ZTIC for user confirmation: Only after pressing the "OK" button does the TLS/SSL connection continue.
IBM developed the base technology internally based on the observation of rising threats to the online banking channel. UBS then provided further input to integrate it with UBS' back-end security infrastructure and the existing UBS online banking system.