In the vault: The Coastal Bank and IronKey

[sidebar 1]

Building trust

The Coastal Bank is one of the first institutions in the country to offer Trusted Bookmarks, a new feature of Trusted Access for Banking allowing members to safely access popular websites using a 'bookmark list' managed by the bank. With Trusted Access, customers know they are accessing an authentic site and their transactions are not being monitored or tampered with by crimeware.

"We are educating our customers through a number of different channels," says Adam Montgomery, director of marketing at The Coastal Bank. These steps include:

  • Advertising and marketing the IronKey product in the markets it serves,
  • A series of "Lunch and Learn" events where the bank invites customers to attend a quick 30-minute seminar during their lunch hour, learn about the product, and sign up for Trusted Access,
  • Direct contact from the bank's cash management and commercial banking team to existing customers, informing them about the current threats against their financial security and how IronKey Trusted Access prevents this type of activity,
  • Information and signage in branches, and on the bank's website,
  • Ongoing discussions with key business leaders in the community,
  • Providing all employees with IronKey and encouraging customers to ask them about the product.

[sidebar 2]

Safeguarding the online banking experience

There are five key technologies underpinning the secure online banking experience: tamper-proof USB device, virtualization, keylogging protection, secured Trusted Network and cloud-based banking policy management.

Read-only operation: In both downloadable software and portable USB device form factors, Trusted Access is stored and operates as a read-only application with tamper-proof settings. In software, this is enforced using an encrypted file system. With a portable device, this is enforced by the device firmware and cryptochip and is designed to FIPS 140-2 Level 3 specifications.

Virtualization: Isolates online banking sessions within a fully virtualized environment. This eliminates dependencies on desktop browser software and plug-ins that are commonly attacked by criminal malware to steal credentials and hijack banking sessions. This is achieved by proprietary software on the IronKey Trusted Access device working in conjunction with the IronKey Trusted Network and Enterprise Management Service.

Keylogging protection: Encrypting keyboard input from the operating system to the virtualized environment stops one of the most common attack methods used by criminal malware to steal online banking credentials. This is a feature of Trusted Access on the IronKey.

Secured Trusted Network: All network access uses a separate, encrypted tunnel that connects with IronKey secured data center operations. This stops DNS poisoning and host tampering attacks, targeted URL malware activation, and man-in-the-middle attacks. This capability is shared between the IronKey end-user or admin device and the IronKey Enterprise Management Service.

Cloud-based safe banking policy management: Institutions establish their own safe banking policies, including a website start page and URL whitelists that keep users from visiting non-banking sites (or restrict them to only those Bookmarked sites approved by the bank). Banks use the cloud-based IronKey Enterprise Management Service to set policies and manage devices.

Source: IronKey

For reprints of this case study, contact Elton Wong at or 646-638-6101.