Many banks, ecommerce and other firms who have web-accessible information and accounts to protect are waiting for the day when they don’t have to worry about attacks against their customers’ browsers and end points. Man-in-the-browser attacks (e.g. Zeus/SpyEye) are very much alive and well, and causing all kinds of problems amongst many of the companies I speak with.
Secure browsing is one option that could really help. And recently, I’ve been hearing about various innovative engineering feats that could get us there. For example, today I heard that the largest private bank in the world, conveniently located in Switzerland, is about to roll out USB-plug-in transaction signing devices that come with a proprietary locked down browser which communicates with the device’s firmware along with the bank’s server. This browser is also downloadable to a user’s PC and usable without any installation.
Swiss ebanking technology provider, CREALOGIX E-Banking, has been working with its privacy and security zealous banking clients on this technology for many years. There are several variations on this theme coming to market, and already in the market (See our research note “Tompkins Financial Distributes IronKey Locked-Down Secure Computing Devices to Banking Customers”). Interestingly, another Swiss bank, UBS distributed similar USB-pluggable devices from IBM to its corporate customers. And for the first time, we are starting to get earnest client interest in these options, as they wrestle with the man-in-the-browser attacks and need quick solutions for their complex legacy environments.
These devices, and even the software versions of the proprietary browsers, should go a long way towards keeping men out of our browsers.