RSA's recent announcement that it's the victim of hackers who have extracted certain information related to its SecurID two-factor authentication tokens, which many banks use to secure their online banking programs, should be a wake-up call for banks that rely too heavily on such security tokens, according to Avivah Litan, senior security analyst at Gartner.
"Tokens are like a front door lock, they make it harder to keep amateurs out, but banks need to use a layered security approach that includes robust fraud protection; monitoring of session, user and account behavior; and monitoring of very high-risk transactions," she says. "They should also consider adding manual controls, such as dual authorization on high risk payments."
Banks and other companies give RSA's SecurID tokens to their customers to authenticate online transactions. Typically, the customer enters his user name and password as well as a one-time password generated by the token that expires in 30 to 60 seconds. By entering this extra password, the customer provides some assurance that he is the legitimate user of the account.
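To make the mechanism above concrete, here is an added example (not code from the article, from RSA, or from Gartner) of a time-based one-time password as standardised in RFC 6238, which shares the same shape as the token scheme described: a seed held by both the token and the server, a code derived from that seed and the current time step, and a server that accepts each code only once. SecurID's own algorithm is proprietary and is not reproduced here; the 30-second step, the 6-digit length and the `OtpVerifier` class are assumptions made for this illustration.

```python
import hashlib
import hmac
import struct

STEP_SECONDS = 30   # code lifetime, in the 30-60 second range the article describes (assumed value)
DIGITS = 6          # assumed code length


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: truncate HMAC-SHA1(secret, counter) to a short decimal code."""
    msg = struct.pack(">Q", counter)
    mac = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at_time: int, step: int = STEP_SECONDS) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from the current time step."""
    return hotp(secret, at_time // step)


class OtpVerifier:
    """Server side: holds the per-user seed and enforces the 'one-time' property.

    The seed is the element both sides must share; this is why compromise of
    seed-related data on the vendor side weakens, but does not by itself defeat,
    the scheme: the user's password and PIN are still required by the bank.
    """

    def __init__(self, secret: bytes, skew_steps: int = 1):
        self.secret = secret
        self.skew_steps = skew_steps          # tolerate small clock drift between token and server
        self.last_accepted_step = -1          # highest time step already consumed

    def verify(self, code: str, at_time: int) -> bool:
        current = at_time // STEP_SECONDS
        for delta in range(-self.skew_steps, self.skew_steps + 1):
            step = current + delta
            if step <= self.last_accepted_step:
                continue  # one-time: a code for an already-used step is never accepted again
            if hmac.compare_digest(hotp(self.secret, step), code):
                self.last_accepted_step = step
                return True
        return False


if __name__ == "__main__":
    # Constructed seed: the RFC 4226/6238 test-vector secret, not a real user's seed.
    seed = b"12345678901234567890"
    server = OtpVerifier(seed)
    code = totp(seed, 59)
    print("code at t=59:", code, "accepted:", server.verify(code, 59))
    print("same code again accepted:", server.verify(code, 59))  # replay is rejected
```

The replay check is what makes the password "one-time": even within its 30-second lifetime a code is consumed on first use, which is the property Litan's point about layered controls builds on, since a Trojan that captures a code in flight must also win the race to use it first.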
Except now, cyber criminals have compromised some portion of RSA's data infrastructure that generates the one-time tokens. "If you look at the RSA token, there are five elements to token authentication and two are controlled by the user," Litan says. "If the hacker got three elements, they still don't have access to the other two elements. So the attack weakens the effectiveness of SecurID, but there's still two extra factors that help."
The attack is not a disaster or crisis for customers, but it is a disaster for RSA, Litan says. "They need to make serious changes to their program, and they probably shouldn't be controlling three of the five elements." She also points out that certain existing security threats such as Zeus Trojans are already capable of circumventing one-time passwords.
However, if customers follow RSA's suggestions, the SecurID token is still stronger than a PIN, Litan says.
RSA's recommendations to its SecurID customers, included in its latest 8-K filing, include these steps:
- Increase security for social media applications and the use of those applications and websites by anyone with access to critical networks.
- Enforce strong password and PIN policies.
- Follow the rule of least privilege when assigning roles and responsibilities to security administrators.
- Re-educate employees on the importance of avoiding suspicious emails, and remind them not to provide user names or other credentials to anyone without verifying that person's identity and authority. Employees should not comply with email or phone-based requests for credentials and should report any such attempts.
- Pay special attention to security around Active Directory, making full use of Security Incident and Event Manager (SIEM) products and implementing two-factor authentication to control access to Active Directory.
- Watch closely for changes in user privilege levels and access rights using security monitoring technologies such as SIEM, and consider adding more levels of manual approval for those changes.
- Harden, closely monitor, and limit remote and physical access to infrastructure that is hosting critical security software.
- Examine help desk practices for information leakage that could help an attacker perform a social engineering attack.
- Update security products and the operating systems hosting them with the latest patches.
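The recommendation to watch for changes in user privilege levels and to add manual approval for them is the kind of rule a SIEM can express directly. The following is an added example, not code from RSA, the article, or any SIEM product, of that detection logic run over a handful of constructed directory-audit lines. The `key=value` log format, the event names, the privileged group list and the `approval=` ticket field are all assumptions chosen for the illustration; in practice they would be mapped from the directory's real audit events.

```python
import re

# Groups whose membership changes should always be reviewed (assumed list).
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Schema Admins", "Administrators"}

# Constructed sample audit lines in an assumed key=value format; not any vendor's real output.
SAMPLE_LOG = """\
ts=2011-03-18T09:12:01Z event=group_member_added actor=alice target=bob group="Help Desk"
ts=2011-03-18T09:14:33Z event=group_member_added actor=svc-backup target=svc-backup group="Domain Admins"
ts=2011-03-18T09:15:02Z event=logon actor=bob result=success
ts=2011-03-18T09:20:45Z event=group_member_added actor=carol target=dave group="Enterprise Admins" approval=CHG-4412
ts=2011-03-18T09:25:10Z event=group_member_removed actor=alice target=bob group="Help Desk"
"""

# key=value pairs; values may be quoted when they contain spaces.
LINE_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_line(line: str) -> dict:
    """Turn one key=value audit line into a dict, stripping quotes from values."""
    return {k: v.strip('"') for k, v in LINE_RE.findall(line)}


def find_privilege_changes(log_text: str) -> list:
    """Return one alert per membership change to a privileged group.

    Severity is 'high' when the change was self-granted or carries no approval
    ticket (the manual-approval control the recommendation calls for); otherwise
    'review', so a human still sees every privileged change.
    """
    alerts = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev.get("event") not in ("group_member_added", "group_member_removed"):
            continue
        if ev.get("group") not in PRIVILEGED_GROUPS:
            continue
        reasons = []
        if ev.get("actor") == ev.get("target"):
            reasons.append("self-grant")
        if "approval" not in ev:
            reasons.append("no approval ticket")
        alerts.append({
            "ts": ev["ts"],
            "actor": ev["actor"],
            "target": ev["target"],
            "group": ev["group"],
            "severity": "high" if reasons else "review",
            "reasons": reasons,
        })
    return alerts


if __name__ == "__main__":
    for alert in find_privilege_changes(SAMPLE_LOG):
        print(alert)
```

Of the five constructed lines, only the two changes to privileged groups produce alerts; the self-granted "Domain Admins" membership without a ticket is rated high, while the ticketed "Enterprise Admins" change is queued for routine review.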