Is Secure Browsing around the corner?

By Avivah Litan | March 04, 2011 | 3 Comments

Many banks, ecommerce and other firms that have web-accessible information and accounts to protect are waiting for the day when they don’t have to worry about attacks against their customers’ browsers and endpoints. Man-in-the-browser attacks (e.g. Zeus/SpyEye) are very much alive and well, and are causing all kinds of problems among many of the companies I speak with.

Secure browsing is one option that could really help. And recently, I’ve been hearing about various innovative engineering feats that could get us there. For example, today I heard that the largest private bank in the world, conveniently located in Switzerland, is about to roll out USB-plug-in transaction signing devices that come with a proprietary locked-down browser that communicates with both the device’s firmware and the bank’s server. This browser is also downloadable to a user’s PC and usable without any installation.

Swiss ebanking technology provider CREALOGIX E-Banking has been working with its privacy- and security-zealous banking clients on this technology for many years. There are several variations on this theme coming to market, and some are already in the market (see our research note “Tompkins Financial Distributes IronKey Locked-Down Secure Computing Devices to Banking Customers”). Interestingly, another Swiss bank, UBS, distributed similar USB-pluggable devices from IBM to its corporate customers. And for the first time, we are starting to get earnest client interest in these options, as clients wrestle with man-in-the-browser attacks and need quick solutions for their complex legacy environments.

These devices, and even the software versions of the proprietary browsers, should go a long way towards keeping men out of our browsers.


  • Andrew says:

    Unless these devices and software can also ensure that the user’s PC is clean of viruses and perhaps even keyloggers, then it’s going to be a futile attempt at placating the masses without actually offering real security.

    I’d also hope that any such browsers would be available on all platforms, and I don’t just mean Windows and Mac.

  • Jerry says:

    The scope should not be to “clean” the PC of viruses and other threats. That’s a hopeless task. The purpose should be to provide a transaction platform which is capable of operating securely also on an infected PC (i.e. the secure browser should be resistant against all known attacks). It would be interesting to learn how the various solutions compare on this front.

  • Avivah Litan says:

    Right, these USB platforms circumvent the browser and OS on the PC and assume that the PC is NOT clean of viruses and other threats; hence the need for a closed locked down computing environment.

    We should start comparing the various solutions on this front.