Avivah Litan

A member of the Gartner Blog Network

VP Distinguished Analyst
12 years at Gartner
30 years IT industry

Avivah Litan is a Vice President and Distinguished Analyst in Gartner Research. Her areas of expertise include financial fraud, authentication, access management, identity proofing, identity theft, fraud detection and prevention applications…

Is Secure Browsing around the corner?

by Avivah Litan  |  March 4, 2011  |  3 Comments

Many banks, ecommerce companies and other firms that have web-accessible information and accounts to protect are waiting for the day when they don’t have to worry about attacks against their customers’ browsers and endpoints. Man-in-the-browser attacks (e.g. Zeus/SpyEye) are very much alive and well, and are causing all kinds of problems among many of the companies I speak with.

Secure browsing is one option that could really help. And recently, I’ve been hearing about various innovative engineering feats that could get us there. For example, today I heard that the largest private bank in the world, conveniently located in Switzerland, is about to roll out USB-plug-in transaction signing devices that come with a proprietary locked-down browser, which communicates with the device’s firmware as well as with the bank’s server. This browser is also downloadable to a user’s PC and usable without any installation.

Swiss ebanking technology provider CREALOGIX E-Banking has been working with its privacy- and security-zealous banking clients on this technology for many years. There are several variations on this theme coming to market, and already in the market (see our research note “Tompkins Financial Distributes IronKey Locked-Down Secure Computing Devices to Banking Customers”). Interestingly, another Swiss bank, UBS, distributed similar USB-pluggable devices from IBM to its corporate customers. And for the first time, we are starting to get earnest client interest in these options, as clients wrestle with man-in-the-browser attacks and need quick solutions for their complex legacy environments.

These devices, and even the software versions of the proprietary browsers, should go a long way towards keeping men out of our browsers.

3 responses so far ↓

  • 1 Andrew   March 5, 2011 at 4:43 pm

    Unless these devices and software can also ensure that the user’s PC is clean of viruses and perhaps even keyloggers, then it’s going to be a futile attempt at placating the masses without actually offering real security.

    I’d also hope that any such browsers would be available on all platforms, and I don’t just mean Windows and Mac.

  • 2 Jerry   March 7, 2011 at 7:50 am

    The scope should not be to “clean” the PC of viruses and other threats. That’s a hopeless task. The purpose should be to provide a transaction platform which is capable of operating securely also on an infected PC (i.e. the secure browser should be resistant against all known attacks). It would be interesting to learn how the various solutions compare on this front.

  • 3 Avivah Litan   March 7, 2011 at 4:35 pm

    Right, these USB platforms circumvent the browser and OS on the PC and assume that the PC is NOT clean of viruses and other threats; hence the need for a closed, locked-down computing environment.

    We should start comparing the various solutions on this front.