Under the Intel Identity Protection Technology (IPT) umbrella, one component is getting well-deserved attention with the Ivy Bridge platform (3rd Generation Intel Core processors): Protected Transaction Display (PTD). It is especially attractive to Brazilian banks, where the fraud rate is still high, partly because of the lack of legislation on cybercrime. Financial institutions there take a pragmatic approach and adopt technology that prevents fraud against their online banking customers.
There are two main ways to steal money in an online transaction. The first is to get in the middle of the transaction, “man in the middle” (MITM), for example with a phishing site that collects what the user types, including a One Time Password (OTP) generated by the user's token as a second authentication factor, and uses it in real time to execute the attacker's transaction with the bank while the OTP is still valid. The second is to take control of the user's machine without the user noticing, “man in the browser” (MITB), where malware inside the browser can read and alter what the user sees and submits.
Until now, protecting users from MITB attacks and guaranteeing a high level of security for online transactions was extremely hard, nearly impossible, from the operating system alone or from the bank's online security features alone: an attacker who controls the machine also controls what those defenses see. Protecting against this kind of attack requires a separate trusted component, outside the reach of the OS, to confirm the authenticity of each transaction.
To protect online transactions from both MITM and MITB fraud, a tamper-resistant hardware component isolated from the OS comes into play. PTD stores a cryptographic key that is shared with the online banking back-end server. Sensitive information such as password prompts, account details and transaction confirmations can then be encrypted by the bank and presented to the user without the OS being able to read what was passed: only PTD can decrypt it, and PTD sends the decrypted content to the Intel GPU over a protected path to be rendered. Malware running in the OS, screen-capture and browser-hooking components included, sees only the encrypted data.
On May 15th at IDF Brazil, I presented a session on “Rethinking Information Security” and showed a demo built in collaboration with Banco do Brasil, whose team did an amazing job securing the entire flow, from provisioning through completing a transaction. As soon as a user of Banco do Brasil's online banking opens the Banco do Brasil web site, the site detects that the user's Ultrabook is IPT capable and suggests activating the technology to improve security and, eventually, to expand online transaction limits. Provisioning is quick and easy: once the cryptographic key has been generated and sent to the bank, the user confirms the enrolment and identifies himself or herself through an already trusted channel, i.e. an ATM or a mobile phone. Only on the first visit is the user required to create this trusted relationship between the personal machine and the online bank. After that, online banking transactions proceed in the usual manner, but much more securely.
The following picture is what users will see:
Note that the page appears fairly normal; however, a hacker who is capturing the screen to gather user entries will not be able to read the protected windows and will see the same screen like this:
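The flow described above (a key shared with the bank at provisioning, a confirmation window that only the isolated component can decrypt, a screen scraper in the OS that sees only ciphertext) as an added Go example. This is not Intel's or Banco do Brasil's code and does not reproduce the real PTD protocol: it assumes AES-256-GCM with the transaction ID as associated data, a `ProtectedDisplay` struct standing in for the hardware component, and a `BankBackend` that keeps one key per enrolled device. All names, IDs and the sample confirmation text are made up for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
	"io"
)

// ProtectedDisplay stands in for the isolated component holding the device-bound
// key; on the real platform that state is outside the OS (modelling assumption).
type ProtectedDisplay struct{ key []byte }

// Provision generates the device key once, at enrolment, and returns the copy
// that goes to the bank (the provisioning channel itself is not modelled).
func (p *ProtectedDisplay) Provision() ([]byte, error) {
	p.key = make([]byte, 32) // AES-256
	if _, err := io.ReadFull(rand.Reader, p.key); err != nil {
		return nil, err
	}
	return append([]byte(nil), p.key...), nil
}

// Render decrypts a protected window from the bank and returns what the user
// sees. The transaction ID is bound as associated data, so a window altered by
// MITB malware or replayed under another transaction is rejected, not shown.
func (p *ProtectedDisplay) Render(txID string, blob []byte) (string, error) {
	pt, err := openBlob(p.key, []byte(txID), blob)
	if err != nil {
		return "", fmt.Errorf("protected window rejected: %w", err)
	}
	return string(pt), nil
}

// BankBackend keeps the key shared with each enrolled device.
type BankBackend struct{ deviceKeys map[string][]byte }

func NewBankBackend() *BankBackend { return &BankBackend{deviceKeys: map[string][]byte{}} }

func (b *BankBackend) Enroll(deviceID string, key []byte) {
	b.deviceKeys[deviceID] = append([]byte(nil), key...)
}

// SealConfirmation builds the encrypted protected window for one transaction;
// everything between here and Render (browser, OS, malware) sees ciphertext.
func (b *BankBackend) SealConfirmation(deviceID, txID, text string) ([]byte, error) {
	key, ok := b.deviceKeys[deviceID]
	if !ok {
		return nil, errors.New("device not enrolled")
	}
	return sealBlob(key, []byte(txID), []byte(text))
}

// AES-256-GCM with a random 96-bit nonce prefixed to the ciphertext.
func sealBlob(key, aad, plaintext []byte) ([]byte, error) {
	gcm, err := gcmFor(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

func openBlob(key, aad, blob []byte) ([]byte, error) {
	gcm, err := gcmFor(key)
	if err != nil {
		return nil, err
	}
	ns := gcm.NonceSize()
	if len(blob) < ns {
		return nil, errors.New("blob too short")
	}
	return gcm.Open(nil, blob[:ns], blob[ns:], aad)
}

func gcmFor(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

func main() {
	ptd := &ProtectedDisplay{}
	key, _ := ptd.Provision()
	bank := NewBankBackend()
	bank.Enroll("ultrabook-1", key)
	// Constructed sample confirmation text, not a real bank message.
	blob, _ := bank.SealConfirmation("ultrabook-1", "tx-42", "Transfer R$ 1.500,00 to 1234-5? Enter PIN")
	fmt.Println("OS/malware sees:", hex.EncodeToString(blob))
	text, _ := ptd.Render("tx-42", blob)
	fmt.Println("user sees:", text)
	tampered := append([]byte(nil), blob...)
	tampered[len(tampered)-1] ^= 0x01 // MITB alters the window in transit
	_, errTamper := ptd.Render("tx-42", tampered)
	_, errReplay := ptd.Render("tx-43", blob) // same window replayed under another tx
	fmt.Println("tampered:", errTamper, "\nreplayed:", errReplay)
}
```

Binding the transaction ID as associated data is what stops a MITB from pasting a benign-looking confirmation window into a fraudulent transaction; without it, an authenticated ciphertext could still be replayed. The model leaves out two things the real platform has to solve: how the key reaches the bank securely during provisioning, and the protected path from the decrypting component to the GPU, which is what keeps the decrypted pixels away from the OS.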
This brings another level of security to online transactions and creates a stronger barrier for hackers who rely on these increasingly popular methods to collect users' information.
I would like to take this opportunity to thank Banco do Brasil's security team, who did an awesome job preparing the demo for IDF Brasil... These guys really rock!