Are Your Security Tokens Really Secure?
By Steve Dispensa, [email protected]
Escalating IT security threats and strengthening regulatory requirements have driven adoption of two-factor authentication among retailers to unprecedented levels. In an effort to stave off increasingly virulent attacks and meet PCI DSS mandates, many retailers have deployed security tokens, like RSA’s SecurID, to secure access to their corporate network and the sensitive customer and payment data it contains.
Security tokens generate a pseudo-random sequence of digits referred to as a One-Time Password (OTP). When a user logs in, they must enter their username and password plus the current OTP from the token to access network resources and applications. During a recent breach at RSA, maker of SecurID security tokens, attackers stole SecurID token seeds, which they later used to defeat SecurID authentication in an attempt to infiltrate some of the most secure networks in the world. With more than 40 million tokens in use today, many enterprises, retailers included, are left wondering about the implications for their organizations. Unfortunately, given the lack of public information from RSA, the answer has not necessarily been clear. Here’s a look at some of the most common misconceptions:
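To make concrete why a stolen seed is so damaging, here is an added example (not code from the article, and not RSA's proprietary SecurID algorithm, which is not described here): it uses the public RFC 4226 HOTP construction as a stand-in, with a constructed seed, and shows that the verifying server cannot distinguish the genuine token from anyone else who holds a copy of the seed, even though it correctly rejects replayed codes.

```python
import hashlib
import hmac
import struct


def hotp(seed: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte counter, dynamic truncation, mod 10^digits."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


class Token:
    """An event-based token: the seed is the only secret; the counter is just state."""
    def __init__(self, seed: bytes):
        self.seed, self.counter = seed, 0

    def next_code(self) -> str:
        code = hotp(self.seed, self.counter)
        self.counter += 1
        return code


class Verifier:
    """Server side: holds the same seed, accepts codes within a look-ahead window,
    and never accepts a counter at or below the last one consumed (replay check)."""
    def __init__(self, seed: bytes, window: int = 5):
        self.seed, self.window, self.last_used = seed, window, -1

    def verify(self, code: str) -> bool:
        for c in range(self.last_used + 1, self.last_used + 1 + self.window):
            if hmac.compare_digest(hotp(self.seed, c), code):
                self.last_used = c
                return True
        return False


def demo() -> dict:
    seed = b"constructed-demo-seed-not-a-real-token-secret"  # constructed sample value
    server, genuine = Verifier(seed), Token(seed)
    first = genuine.next_code()
    out = {"genuine_accepted": server.verify(first)}
    out["replay_rejected"] = not server.verify(first)        # same code twice: rejected
    # Whoever holds a copy of the seed computes the next valid code with no token at all;
    # the server has no way to tell this apart from the real device.
    out["clone_accepted"] = server.verify(hotp(seed, 1))
    # The genuine token's next code (counter 1) has now been consumed by the clone.
    out["genuine_locked_out"] = not server.verify(genuine.next_code())
    out["other_seed_rejected"] = not server.verify(hotp(b"another-constructed-seed", 0))
    return out
```

The server-side replay check stops a captured code from being reused, but nothing on the server side can detect a cloned seed; that is why the article's conclusion is seed replacement rather than a configuration change.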
1. Myth: Not all companies with SecurID tokens are at risk.
The black market value of compromised SecurID seeds skyrocketed after their successful use in attacks against Lockheed Martin and others. Attacks against compromised SecurID tokens are not difficult, and can easily be replicated. Companies in every industry are targeted by attackers looking to gain access to credit card numbers, personal information, and even e-mail addresses (Sony, Epsilon, HBGary, Michaels Stores, iTunes, Fox.com).
2. Myth: Not all companies with SecurID tokens need to replace them.
RSA has indicated that all tokens are impacted, yet they only offered to “replace SecurID tokens for customers with concentrated user bases typically focused on protecting intellectual property and corporate networks” and for others, they simply suggest implementing risk-based authentication. If you have SecurID tokens in place today, they are vulnerable and they need to be replaced. Companies should not accept a lower level of protection than they were promised when they bought tokens.
3. Myth: Companies can simply replace existing SecurID tokens.
There’s nothing simple about replacing millions of tokens. RSA has to ship replacement tokens. One has to wonder how RSA will prioritize these shipments and whether they have a sufficient inventory available. Companies have to re-provision each token – unpacking them, assigning each token to a user, sending the token to the user, and educating the user about what’s going on (averaging 15 minutes per token). This is not trivial, particularly for companies with thousands of tokens to deal with and those who have to deploy replacements to customers or subcontractors. And it cannot be done overnight. The process could take months, and given the internal resources required to deploy tokens, the process can be more costly than replacing tokens with an alternate two-factor solution.
4. Myth: Replacing compromised SecurID tokens will restore security to my network.
While replacing SecurID tokens addresses the issue of compromised SecurID seeds from the March breach, it does not address the following:
- Tokens are vulnerable to malware, keylogging, and man-in-the-middle attacks.
- Tokens cannot provide granular authentication of high risk activities, such as transactions or the movement of data.
- Token seeds were stolen once, and they can be again.
5. Myth: RSA has been forthright about the risks to customers.
It’s no surprise that RSA is trying to downplay the risk to their clients. However, the breach at RSA was executed over 60 days before RSA admitted that SecurID tokens might need to be replaced and they only did so after high-profile attacks at defense contractors hit the news.
Shoring Up Authentication Practices
Using security tokens is like bringing a knife to a gun fight. The nature of the battle has changed. Malware and man-in-the-middle attacks easily defeat all one-time-passcode methods, including software and hardware tokens. More than 50 percent of malware goes undetected by anti-virus software. Trojans, worms, rootkits, and their countless variants have infiltrated an astounding number of computers, and malware is increasingly designed to subvert a computer’s operating system, making it extremely powerful and difficult for anti-virus software to detect and remove.
Given the prevalence of malware, one must always assume that the endpoint device (or an OTP entered into the endpoint device) is compromised. As a result, organizations are increasingly moving to out-of-band methods, which authenticate logins and transactions through a separate communications channel, e.g. the telephone network. Out-of-band phone-based authentication methods are increasing in popularity and are seen as a leading token replacement option.
Analysts predict a continued decline in the use of hardware tokens for authentication and an increased reliance on phone-based methods. Gartner, Inc. expects that by year-end 2013, fewer than 10% of all authentication events will involve discrete, specialized authentication hardware of any kind (Predicts 2011: Identity and Access Management Continues Its Evolution Toward a Strategic Discipline, November 23, 2010 by Ant Allan, Earl Perkins, and Ray Wagner). The research notes that “by adopting alternative authentication methods, enterprises will be able to meet their needs for improved security at a lower cost and with a better user experience.”
In addition to the security benefits of out-of-band authentication, phone-based methods are significantly easier for end users and IT departments. By leveraging an existing device, phone-based methods can be instantly enabled for employees at retail locations around the globe. There are no devices for IT to provision, ship, replace, or retrieve when an employee leaves the organization. Everyone knows how to use the phone, so user training and ongoing support is minimal.
Retailers that utilize security tokens, many of whom are already frustrated with supporting current token deployments, are being driven to action by the RSA breach. The breach has many re-evaluating their use of security tokens and considering alternatives. As attacks have evolved, the effectiveness of security tokens has been significantly reduced. The RSA breach may just be the final nail in the coffin for security tokens.
Steve Dispensa is chief technology officer at PhoneFactor, a leading provider of multi-factor authentication services. Its platform leverages a device every user has — a phone — to strongly authenticate logins and transactions. He can be reached at [email protected].
Office Depot offers customers a shred of privacy
BOCA RATON, Fla. — The small business customer may have a greater reason to visit Office Depot now that the retailer has expanded its shredding and secure document archiving service program through a new partnership with information management company, Iron Mountain.
The company is offering shredding services at the rate of 99 cents per pound as well as document scanning for a nominal fee, allowing customers to leave the store with a digital record of the document that was destroyed. Customers with larger volumes of materials for shredding can utilize the shredding drop-off service, under which Iron Mountain picks up the items directly from Office Depot for shredding. Furthermore, businesses with larger needs can visit their nearest Office Depot store to schedule the business shredding service and pick up boxes that will hold up to 35 pounds each of materials.
“Shredding has become a personal and business necessity in order to be protected from financial loss, identity theft, and more,” said Kristin Micalizio, VP Office Depot’s Copy & Print Depot. “Whether a customer chooses to visit one of our more than 1,100 stores or have Iron Mountain come directly to their place of business, this new agreement allows us to provide Office Depot customers with a number of safe and secure shredding options.”
Banana Republic says Bonjour Paris
PARIS— Gap Inc. has announced plans to open its first Banana Republic store in France in Paris in early December. Synonymous with culture, quality, heritage and style, the store will be , one of the most popular international shopping destinations in the world.
The 15,952 sq. ft. Paris flagship store will be located on Avenue des Champs Élysées and will occupy more than two floors.
“Following the success of our London and Milan openings, we are delighted to bring Banana Republic to Paris and take another exciting step in our international growth strategy,” said Stephen Sunnucks, president international for Gap Inc. “With loyal customers across Europe, both in our stores and online, we are confident that Banana Republic’s proposition of affordable luxury will resonate well with Parisian customers.”
According to the company, the store’s architecture is influenced by French heritage and iconic American images. In addition, many of the building’s original details have been incorporated in the store’s design.