Digital signatures insufficient to prevent online bank fraud

As more banks move to get consumers to sign off each online transaction with a one-time password, IBM exec says such measures aren't secure if the screen cannot be trusted.

SINGAPORE--With online banking fraud becoming more common, it is no longer safe to trust what is shown on users' browser screens or mobile devices. To mitigate this problem, an IBM executive suggests securing the display by making it non-user-programmable.

Matthias Kaiserswerth, director and vice president of IBM Research Zurich, said online banking fraud is "ever increasing" and with cybercriminals using increasingly sophisticated techniques such as man-in-the-middle attacks, it is becoming more difficult for customers to "trust their display screens".

The IBMer was in town this week for meetings with the Singapore ETH Centre for Global Environment Sustainability. He told ZDNet Asia that even recent measures by banks to get customers to digitally sign individual online transactions using their security tokens--on top of the two-factor authentication (2FA) process to log into their accounts--were not sufficient to safeguard their banking accounts.

Singapore is one country that is rolling out a National Authentication Framework, which comes with a security token that has transaction signing capabilities to safeguard against man-in-the-middle attacks, as described by Kaiserswerth.

"The issue is that we cannot trust the display on our browsers," he said. "Even if you authenticate a US$100 fund transfer to another person using a one-time password, cybercriminals can manipulate the screen and change the transaction details sent to the bank."

This security threat applies to both Internet and mobile banking, he added.

He pointed out that as the industry moves toward a post-PC era in which mobile devices are increasingly used for financial transactions, the current environment for mobile banking is simply not secure enough.

Bringing trust back to screens
It is with this in mind that IBM created a security authentication dongle with a "secure display" which would better address today's online banking threats, Kaiserswerth said.

Called "ztic", the micro-USB device comes with a display screen that is not "user programmable", thus eliminating man-in-the-middle risks, he said.

The device can also be configured to provide access only to certain servers according to the financial institution's requirements, he added. This way, users can view the details that the bank receives before approving the transaction.

"It is basically a secure extension of the bank's server in the user's hands," he explained.
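The failure Kaiserswerth describes and the trusted-display fix, as an added toy model that is not IBM's ztic protocol or code: a signing token whose opaque challenge is relayed through the browser, beside a device that shows the transaction exactly as the bank received it. The key, the account names and the compromised-browser stand-in are all constructed for the example.

```python
import hashlib
import hmac

# Constructed toy model: a single shared key stands in for the user's token secret.
TOKEN_KEY = b"constructed-token-secret"

def bank_challenge(tx: dict) -> str:
    """The bank derives an opaque challenge from the transaction it actually received."""
    return hashlib.sha256(f"{tx['to']}|{tx['amount']}".encode()).hexdigest()[:8]

def token_response(challenge: str) -> str:
    """The signing token answers whatever challenge is typed into it."""
    return hmac.new(TOKEN_KEY, challenge.encode(), hashlib.sha256).hexdigest()[:8]

def bank_verify(tx: dict, response: str) -> bool:
    """The bank checks the response against the challenge for the transaction it holds."""
    return hmac.compare_digest(response, token_response(bank_challenge(tx)))

def browser_relay(tx: dict, compromised: bool) -> dict:
    """Stand-in for the browser: a compromised one swaps the payee but keeps showing the original."""
    return {**tx, "to": "ATTACKER-ACCT"} if compromised else dict(tx)

def confirm_on_untrusted_screen(intended: dict, compromised: bool = True) -> tuple:
    """The user confirms what the screen shows; the challenge encodes what the bank received."""
    received = browser_relay(intended, compromised)   # what the bank actually gets
    challenge = bank_challenge(received)              # relayed back through the same browser
    # The screen still shows `intended`; the user cannot tell what the challenge encodes,
    # so the typed-in challenge yields a response that is valid for `received`.
    response = token_response(challenge)
    return bank_verify(received, response), received["to"]

def confirm_on_trusted_display(intended: dict, compromised: bool = True) -> tuple:
    """The device shows the transaction as the bank holds it; the user approves on the device."""
    received = browser_relay(intended, compromised)
    device_shows = received          # assumes a device-to-bank channel the browser cannot alter
    if device_shows != intended:     # the user compares the device display to what they meant
        return False, "rejected on device"
    response = token_response(bank_challenge(device_shows))
    return bank_verify(received, response), received["to"]
```

With a compromised browser the first function returns an accepted transfer to the substituted payee, while the second never produces a response because the mismatch is visible on the device.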

The ztic device is currently used by several Swiss banks, he said, adding that he was not aware of other similar devices currently available in the market. The technology, though, had been available for three to four years, he noted.

Asked when he expects the device to be more widely used among industry players, Kaiserswerth said it is difficult to predict a timeframe as the financial services sector is "very dynamic". He noted, however, that current 2FA standards were no longer sufficient and it would not be long before banks looked for alternatives to safeguard both their and their customers' financial integrity.

With regard to innovations IBM is currently researching that could benefit the Asia-Pacific region, he pointed to "Spoken Web" technologies. Big Blue describes these as tools that can benefit emerging markets with high mobile penetration rates, whose users are not highly educated and may find it difficult to access the Internet in English.

In India, for example, this project would mean allowing matchmaking agencies or parents to post matrimonial ads that could be broadcast to specific user groups, he explained. Climate-related information could also be sent to farmers in rural areas to better inform them of the environmental conditions in specific seasons, he added.

In a 2008 interview with ZDNet Asia, IBM's India director of research lab also touched on the company's focus on Spoken Web.