If the presence of more than 70,000 variants of the Zeus banking trojan annually is any indication, the gods – especially the Greek “Father of Gods and Men” – must be very angry. Or, more likely, it is just criminal greed run amok. Whichever it is, malware such as Zeus is causing headaches in the financial services industry at record levels. The emergence of commercial-grade crimeware is arguably the number one threat to the financial community, and that threat shows no signs of letting up.
Certainly the folks at IronKey don’t seem surprised. In fact, their Trusted Access for Banking product is just what the doctor ordered to combat the threat. The idea behind the tool is simple: Don’t allow users to access what they are not supposed to access. The guidelines for safe banking issued by the FBI and NACHA – the Electronic Payments Association include using a dedicated computer for banking-only use, malware protection, automatic updates and strong authentication. There are lots of ways to achieve this, but many strategies have been found to be of marginal effectiveness. At the end of the day, though, the admonition not to go where you are not supposed to makes the other measures more effective, and that is exactly what IronKey helps you do.
Trusted Access for Banking is a cloud-based service that is triggered by strong authentication using the IronKey dongle. The service targets commercial users instead of individual consumers. Once the user attaches the dongle, available websites are limited to the list in the IronKey policy. The browsing takes place through the IronKey Trusted Network. This network provides policy management that restricts where the user can go and provides such things as a secure DNS, software updates and detailed event logging.
Using the network is easy. Simply insert the USB IronKey device, and it will launch immediately into online banking. Then the user just performs the tasks that they would normally and disconnects when they are finished. That is all there is to it. The key piece of this, of course, is that the IronKey computer never goes where it is not supposed to.
Is it possible to circumvent the protection? Yes. However, there may be severe penalties if you do, such as being compromised. Those penalties could be quite costly, so there is an incentive to play by the rules. The most logical approach, of course, is to follow the NACHA and FBI guidelines and select one or more computers that can be designated as online banking computers. Those computers would not be used for anything else. There also is an available option that forces the use of IronKey.
The tool is fully encrypted and write-protected to Federal Information Processing Standards (FIPS), so stealing the device is not going to help the bad guys. Optionally, users can add an RSA SecurID for additional authentication. The product encrypts the computer’s keyboard so keyloggers are ineffective. The IronKey session is conducted within a virtual machine, so infections on the host computer don’t affect the online banking sessions, which are isolated.
The IronKey device is movable between computers, and the administrative console requires two-factor authentication. The admin console is simple to use and has lots of functionality. It is about what you’d expect from a first-class product in today’s market: statistics, trending, policy management and more. But there are some unique features as well, such as geolocation for events in the logs and Silver Bullet Services. These services provide assurance that IronKey devices are authorized and in good standing.
The system can be set to allow browsing to a number of selected websites. The IronKey Trusted Access for Banking service can prevent man-in-the-browser, keylogging, screen scraping and man-in-the-middle attacks. These are prevented because users cannot go where they are not supposed to, and browsing is secured through the Trusted Access Network, and online banking is conducted within a virtual machine. For the bad guys using crimeware, that means three strikes. You’re out!
AT A GLANCE
Product: Trusted Access for Banking
Price: Starts at $2,500 (two administrators, three end-users; includes one year of technical support, cloud-based management and Trusted Network service).
What it does: Provides assured, secure online banking connection for commercial banking customers.
What we liked: We like the combination of virtualization, a secured network and controls on allowed destinations – all in one, simple-to-use product. It makes no assumptions about users’ skills. It simply works.
What we didn’t like: Nothing. This is a well-thought-out solution to an ugly problem.