Alex Zaharov-Reutt
Thursday, 09 June 2011 15:13
Page 1 of 2
With the March RSA hack still ringing in the ears of token users, banks and any organisation that uses tokens for two-factor authentication, the world must finally learn that authentication does not equal security, as cyber criminals use malware to easily hijack authenticated but insecure sessions.
With banks not qualifying for free token replacement by RSA, and banks having to replace them at their own cost, banks, financial institutions and other organisations are clearly not only deeply inspecting their own security practices, but presumably beefing them up as much as possible.
Reports in the media today tell us that Australia's ANZ Bank, along with 'government departments' that are using RSA's tokens will replace them with new ones, with ANZ Bank saying it will replace 50,000 tokens at no cost to its customers.
Hmm... I'd have imagined there'd be more ANZ customers with tokens, but presumably if only 50,000 are being replaced, there are only 50,000 ANZ customers with tokens that are affected.
If there are more ANZ customers with RSA tokens, then ANZ should have said so and offered to replace those tokens, too.
However, despite the fact that ANZ is replacing the tokens, it doesn't actually believe its customers are under any threat, saying in a statement to the media that: 'ANZ has decided to re-issue new RSA tokens to all customers and staff currently using the technology. While there is no direct threat to ANZ customers, we believe this is the best course of action given recent advice from RSA.'
Hmm... if there is no direct threat, then why bother wasting everyone's time with new tokens? Clearly there is more to this situation than meets the eye.
Also, despite the fact ANZ says it will replace tokens at no cost to its customers, does anyone seriously believe this? Prepare for new fees or some penny-pinching somewhere from the ANZ to pay for it - I mean, why should we expect anything different from a bank? Honestly.
Then, despite ANZ's token replacements, Australia's Westpac and Commonwealth (CBA) Banks say they believe there's no threat to their tokens, so they aren't bothering with replacing them.
Who's right and who's wrong? I wonder what the heck Westpac and CBA will say or do if their customers with RSA tokens end up getting hacked after all?
Perhaps it's because RSA won't be replacing tokens for the banks, as RSA itself has stated.
RSA notes that there is 'an offer to replace SecurID tokens for customers with concentrated user bases typically focused on protecting intellectual property and corporate networks.'
However, for banks, RSA states there is 'an offer to implement risk-based authentication strategies for consumer-focused customers with a large, dispersed user base, typically focused on protecting web-based financial transactions.'
So, new tokens for corporate customers, "risk based strategies" for banks. Perhaps this speaks for itself, in which case the ANZ is to be commended for making the decision to replace the tokens, although presumably the customers will pay for them somehow, somewhere as speculated upon above.
There's also concern that replacing compromised RSA tokens with new tokens from the very same company might not be the smartest idea, as Sophos' Naked Security blog points out.
Continued on page two, please read on!