IronKey is to offer the secure online banking browser that comes with its hardware USB tokens as a standalone application or the first time, the company has announced.
The new downloadable app offers a cheaper, simpler way for banks to deploy a secure client to online bank customers who then use it to set up an encrypted connection to the institution through IronKey’s cloud-based Trusted Network service.
At the moment, the browser requires users or institutions to purchase a secure USB drive, launching the app from that device alone. This adds cost and forces users to use the same drive for every access so the app removes this limitation.
In tandem with this, IronKey has also extended the analytics system available to banks that sign up to its Trusted Network, allowing them to get a sense of how and when users are accessing their bank accounts.
This will in time be extended to the sort real-time analysis of transaction patterns that could detect fraud. IronKey said, including the possibility of suspending rogue sessions. An out-of-band smartphone application is also on the cards.
“More and more banks are looking to compete with security,” said IronKey director of product marketing, Kevin Bocek, who noted that few had the infrastructure to run all their own services. Increasingly they were turning to managed security layers such as that offered by IronKey.
“It’s all in the cloud. That’s important,” he added.
Services such as IronKey’s Trusted Network could spell the end for today’s insecure model where bank users simply connect to their institutions by firing up a browser and connecting to a web gateway.
The new design being pioneered by IronKey and a handful of others inserts what is effectively an authentication bridge between the customer and the bank, which talk to one another through a secure channel. This means that the user never has a direct link to the institution and is always traversing the IronKey domain to get to the bank.
A key attraction is that IronKey is looking to offer all the layers as one service and set of technologies, overcoming the need today to build security using products from different companies, the company has argued..
However, attackers are already getting ahead of cloud-based security systems, at least conceptually. A good example of this would the cracks that have appeared in the security of domain certificates with the attacks on RSA and, more recently, DigiNotar.
Authentication at domain level is critical – without it there is no means of knowing that the security layer through which banking customers connect is what it says it is.
The company has yet to announce any major online banking customers in Europe but said it was at the discussion stage with a number of institutions.