Is this the future of online banking? US company IronKey has come up with a USB drive that can be used to access accounts virtually without involving the operating system or applications that cause so many of today's security problems.
Aimed at companies that want to protect corporate bank accounts, Trusted Access for Banking is actually a standard IronKey USB drive that runs a walled or 'hardened' Linux virtual environment inside the PC's OS. It comes complete with its own browser hardwired to access only a particular bank service, and incorporates RSA SecurID tokens for authentication.
According to IronKey's Dave Jevans, the PCs used for corporate bank access were now considered so insecure that companies were being lumbered with impractical remedies such as having to dedicate a specific PC to be used only for bank access.
Using IronKey Trusted Access, companies could simply plug the drive into any PC without the need for any additional drivers or software, after which the host PC was given a precautionary scan for malware, including specialised banking Trojans such as Zeus.
"It doesn't make a lot of sense for every employee to have a separate PC," said Jevans. The built-in browser was also only able to visit the bank's site, he emphasised.
The virtualised environment run from the drive could resist 'man-in-the-browser' attacks and session hijacking, and accessed the bank via a hosted service network run either by IronKey or from a dedicated server. For extra protection, the IronKey drive was also bootable.
Disadvantages? Apart from the extra cost involved in handing out drives and managing them as part of a subscription, it does mean that an account can only be managed in this way. No drive, no access. The drive itself obviously becomes a valuable object.
It's also the case that the tight integration with the bank's website can only work if that bank has handed out the drive, which means that the uptake of the technology will depend on how quickly it is sold through that rather conservative channel. Expect to see it used for corporate banking access, but not by consumers more generally, for whom it would be too expensive.
The virtualised technology is seen as the new 'frontier of the VPN', however, and it is here that business users might encounter it first. A number of vendors are already looking at virtualised VPN access from USB sticks. The benefit for companies is that it is a secure way for staff to use home PCs for corporate business without having to be given laptops.
IronKey has been testing Trusted Access with banks, some large companies and government. The UK is said to be an important market, so this is no mere stateside fashion.
Jevans is aware that if such technology becomes more common, criminals will start aiming at it, probably by trying to load convincing but bogus virtual environments of their own. Virtualisation in bank access strikes back against criminality but it holds within it the seeds of new dangers.
"We have started looking at how they [criminals] will start trying to attack this product," he admitted.