It’s big news, not to mention a major embarrassment, when a leader in data security itself becomes a victim of a serious breach. That was the case for RSA, which stores the tokens widely used by financial institutions as a second factor of authentication for online-payment transactions.
In the breach—announced March 17 in an 8-K filing with the U.S. Securities and Exchange Commission and an open letter from Art Coviello, RSA’s executive chairman—the hackers extracted information “specifically related to RSA’s SecurID two-factor authentication products,” according to EMC Corp., RSA’s parent company.
While the exact dimensions of the breach, and any damage done, won’t be known for some time, the high-profile incident serves as a reminder to the payments industry of the vulnerability of two-factor authentication, security experts tell Digital Transactions News.
RSA says it is “confident that the information extracted does not enable a successful direct attack on any of our RSA SecurID customers,” but that the information could potentially be used to reduce the effectiveness of a current two-factor authentication implementation as part of a broader attack.
RSA isn’t the only security firm to suffer a compromise in the past few days. Comodo SSL Certification Authority was the victim of an attack in which a hacking entity reportedly obtained an SSL certificate for a domain it did not manage or own.
RSA’s vague explanation of what was stolen during the breach left many unanswered questions. But the security industry is assuming the worst: that hackers gained access to the algorithm used to generate the one-time password for the token, says Nicholas J. Percoco, senior vice president and head of SpiderLabs for Chicago-based security firm Trustwave.
“That’s where the two-factor authentication mechanism breaks down,” he says. “If I’m able to predict your token’s number sequences … I can possibly log in to your account without having the physical token present.”
But even if the hackers have the algorithms, they still need more information to gain access to users’ accounts, says Avivah Litan, senior security analyst at Gartner Research.
“There are about five elements that go into a SecurID authentication, and three of them were under RSA control,” Litan says. “Two of them are under the user’s control.”
One way to get the information would be for hackers to break into a bank’s RSA authentication manager, Litan says, adding “that would be very hard to do because it’s double encrypted.”
Or hackers would have to identify a specific institution that uses SecurID for authentication, and then get the individual serial numbers from the backs of the tokens, Percoco says. The hackers also would need to know the individual user’s PIN.
However, hackers could obtain such information from the users through social-engineering fraud such as phishing, in which consumers are duped into giving out sensitive information online, Percoco says.
While the breach at RSA is a cause for concern, financial institutions can minimize the risks by following RSA recommendations to closely monitor server logs for unusual activity and to monitor social networks to ensure employees don’t call attention to their privileged access, if any, security experts say. RSA’s recommendations also included enforcing strong password and PIN policies and reminding employees to avoid suspicious e-mails and to verify a person’s identity and authority before providing user names or other credentials to anyone.
Banks also should take a layered approach to data security, including out-of-band user transaction verification for high-risk transactions—using a different communication channel, such as mobile phones, to verify a transaction request, Litan says.
“It’s the easiest and most effective thing banks can do,” she says. “Before a customer is allowed to move money, send a message to their cell phone or call them on their landline with a one-time password tied to that transaction.”
The RSA breach should serve as a “wake-up call” about the vulnerabilities of two-factor authentication, Litan says. She notes that for several years hackers have been able to circumvent two-factor authentication methods that rely on browser communications. For example, some crooks have used malware to copy a user’s ID, password, and one-time password token and then immediately use them.
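As an added example of the out-of-band, transaction-bound code Litan describes (this is not code from RSA, Gartner or the article), the sketch below derives each code from the account, payee and amount of the specific transfer, accepts it once within a short window, and voids the challenge after a few wrong guesses, so a code copied by malware in the browser scenario above authorizes nothing but the transfer the customer already saw on the second channel. The shared secret, field names and time limits are assumptions for illustration.

```python
import hmac
import hashlib
import secrets

# Constructed sample secret shared between the bank and one customer's
# out-of-band channel; a real deployment provisions this per customer.
CUSTOMER_SECRET = b"constructed-demo-secret-for-customer-1001"


def transaction_code(secret: bytes, tx: dict, issued_at: int, digits: int = 6) -> str:
    """Derive a one-time code from the transaction fields themselves, so a code
    issued for one payee and amount is useless for any other transaction."""
    msg = f"{tx['account']}|{tx['payee']}|{tx['amount']}|{issued_at}".encode()
    digest = hmac.new(secret, msg, hashlib.sha256).digest()
    return str(int.from_bytes(digest[:4], "big") % 10**digits).zfill(digits)


class OutOfBandVerifier:
    """Bank side: issues a transaction-bound code for delivery over a second
    channel (SMS or voice call), then accepts it at most once."""
    TTL_SECONDS = 120      # code must be entered within two minutes (assumed)
    MAX_ATTEMPTS = 3       # then the challenge is voided, defeating guessing

    def __init__(self, secret: bytes):
        self._secret = secret
        self._pending = {}  # challenge_id -> [issued_at, failed_attempts]

    def issue(self, tx: dict, now: int) -> tuple:
        """Create a challenge and return (challenge_id, code); the code is sent
        out of band together with the payee and amount for the customer to check."""
        challenge_id = secrets.token_hex(8)
        self._pending[challenge_id] = [now, 0]
        return challenge_id, transaction_code(self._secret, tx, now)

    def verify(self, challenge_id: str, tx: dict, code: str, now: int) -> bool:
        """Accept the code only for this exact transaction, within the TTL,
        and only once; a replayed or re-targeted code is rejected."""
        entry = self._pending.get(challenge_id)
        if entry is None:
            return False                       # unknown, expired or consumed
        issued_at, _ = entry
        if now - issued_at > self.TTL_SECONDS:
            del self._pending[challenge_id]
            return False
        expected = transaction_code(self._secret, tx, issued_at)
        if not hmac.compare_digest(expected, code):
            entry[1] += 1
            if entry[1] >= self.MAX_ATTEMPTS:
                del self._pending[challenge_id]
            return False
        del self._pending[challenge_id]         # single use
        return True
```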
As for RSA, Litan says she expects the company will likely change its program. “In the long run, RSA will probably change the architecture so they don’t control three of the five factors,” she says. “That won’t make OTP (one-time password) more effective overall, but it will remove RSA from being a central point of vulnerability.”