IronKey launches secure online banking USB stick
IronKey has launched its Trusted Access for Banking USB stick at InfoSec 2010 in London. The IronKey TAB uses an isolated virtual machine launched from the stick and a intermediate server accessed through a VPN like connection to create a secure channel from the user to IronKey's servers, and from there to the bank's web servers.
The solution is aimed at commercial banks and their customers who have found that malware using keyloggers on host PCs have made techniques such as two factor authentication vulnerable. IronKey say that already, in some cases, key-logging malware is monitored live for user access; the entry of security tokens can be listened in on and replicated while the token is still valid. The IronKey TAB runs a Linux based operating system which in turn runs a dedicated Firefox based browser. It takes a number of steps to prevent key-loggers from intercepting passwords and has an optional virtual keyboard for non-keyboard password entry. It also makes use of the IronKey's integrated RSA SecurID to provide login tokens, but adds an extra, variable obfuscation to ensure that any malware spies will see an invalid token.
In some ways, the IronKey TAB is similar in intent to the process of booting a Live CD of Linux and performing banking from the read only Live CD environment, but without the need to reboot the host system and activated only when the stick is plugged in and the stick itself is not compromised. IronKey goes further than a dedicated machine or LiveCD solution by taking control of the connection to the banks servers, using a VPN like wrapper for network traffic and handling DNS requests through IronKey's server, to avoid man in the middle or DNS manipulation based attacks. The bank can configure the device to only allow access to its own websites and those of trusted partners. The server can also block access based on IP addresses, time of day or location, a capability based on IronKey's secure USB flash drive offerings. The system also offers remote kill or lock-out capabilities to disable lost or stolen sticks.
Unlike other IronKey products, the user has no write access to the TAB stick, but it can be updated remotely by the server. It also only runs on Windows based systems. At InfoSec, The H saw the system demonstrated running, suppressing API level key-loggers and being remotely managed from the server's administration dashboard. According to David Tripier, IronKey's chief marketing officer, IronKey is offering Trusted Access for Banking at around $250 per seat, a price that is somewhat more than the secure tokens that some banks offer their customers, but this pricing includes the server infrastructure. The higher cost though is placed in context by Tripier who points out the FBI estimates that in the US, Automated Clearing House fraud was costing up to one and a half million dollars a week.