The Green Sheet Online Edition

April 11, 2011 • Issue 11:04:01


Did hackers gain insight into RSA's methodology?

RSA, the security division of EMC Corp., reported that its network was hacked and that information relating to its SecurID two-factor authentication product was stolen. RSA's SecurID products are used on PCs, USB devices, phones and key fobs in about 25,000 corporations. They provide a level of security beyond user names and passwords when accessing virtual private networks or other systems containing sensitive information, such as financial data.

In a two-factor authentication process, the traditional user name and password combination is usually the first factor. The second factor can be a SecurID token that, in conjunction with back-end software, generates a fresh authentication code every 30 to 60 seconds from a secret random key, or "seed," held by the token. A user gets into the network by typing this authentication code.

Authentication's effectiveness possibly reduced

In a statement posted on RSA's website, the company's Executive Chairman Art Coviello said, "While at this time we are confident that the information extracted does not enable a successful direct attack on any of our RSA SecurID customers, this information could potentially be used to reduce the effectiveness of a current two-factor authentication implementation as part of a broader attack."

Paul Martaus, President and Chief Executive Officer of payments industry consulting firm Martaus & Associates, said it appeared from the statement that the hackers might have obtained the "blueprints" behind RSA's SecurID product.

"The methodology is what is important here - the algorithm - how RSA goes about generating these keys," he said. "The hackers don't necessarily have access to the keys, and they don't necessarily have the ability to get into RSA's customers' sites, but they may have the blueprint that will allow them to develop the capabilities to do so."

Nicholas Percoco, Senior Vice President and head of Trustwave's SpiderLabs, said, "There are many steps that would need to be completed to have a successful attack against an organization using RSA SecurID tokens for authentication."

He added that the attacker would need additional bits of specific information, such as the serial number of the token and the end user's PIN, which theoretically could be obtained through a targeted phishing attack against an RSA customer.
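To make concrete what the token's "seed" is and why the PIN still matters, here is an added example that is not code from the article or from RSA: it uses the public RFC 4226/6238 HOTP/TOTP scheme as a stand-in for RSA's proprietary SecurID algorithm, with a back-end verifier that requires both the PIN and the time-based code. The 60-second rotation interval, the demo seed, the PIN and the fixed timestamp are assumptions chosen for the example.

```python
import hashlib
import hmac
import struct

STEP_SECONDS = 60   # assumed rotation interval; the article says 30 to 60 seconds
CODE_DIGITS = 6

def hotp(seed: bytes, counter: int, digits: int = CODE_DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over an 8-byte counter, dynamically truncated."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)

def totp(seed: bytes, at: int, step: int = STEP_SECONDS) -> str:
    """RFC 6238 TOTP: the counter is the number of `step`-second windows since
    the epoch.  The code is a pure function of (seed, clock), so whoever holds
    the seed holds the whole 'something you have' factor."""
    return hotp(seed, at // step)

def verify(stored_pin: str, seed: bytes, submitted_pin: str, submitted_code: str,
           at: int, step: int = STEP_SECONDS, skew: int = 1) -> bool:
    """Back-end check that requires both factors.  Accepts +/- `skew` windows of
    clock drift and uses constant-time comparison to avoid timing leaks."""
    pin_ok = hmac.compare_digest(stored_pin.encode(), submitted_pin.encode())
    window = at // step
    code_ok = any(hmac.compare_digest(hotp(seed, window + d), submitted_code)
                  for d in range(-skew, skew + 1))
    return pin_ok and code_ok   # both evaluated, so timing does not reveal which failed

if __name__ == "__main__":
    seed = b"12345678901234567890"   # constructed demo seed (the RFC 4226 test key)
    pin = "4821"                     # constructed demo PIN
    now = 1_300_000_000              # fixed timestamp (March 2011) for repeatability
    code = totp(seed, now)
    print("token shows:", code)
    print("PIN + code accepted:", verify(pin, seed, pin, code, now))
    # A party holding only the seed reproduces the token's code exactly ...
    print("seed-only party computes same code:", totp(seed, now) == code)
    # ... but without the PIN the back end still rejects the login.
    print("seed-only party without PIN accepted:", verify(pin, seed, "0000", code, now))
```

The last two lines are the point of the article's caveat: a leaked seed collapses the token factor, and the PIN (plus any serial-to-user mapping the attacker would still have to learn) is what remains.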

Date of breach a determinant

Regarding the likelihood of a direct attack, Percoco said, "If this breach took place just two weeks ago, then the likelihood is probably rather low at this point. ... If it took place a year ago, then it means the criminals have had access to this data for a whole year and may have been launching attacks to get this type of information from customers of a specific organization."

RSA provided recommendations on its website to customers on how to maintain security on their networks, including enforcing strong password and PIN policies, re-educating employees on avoiding suspicious emails, and reducing the number of employees who have access to administrator accounts.

Percoco noted that, beyond the generic recommendations offered by RSA, each company has to determine its own response to the news of the data breach. "I guess it's a judgment call," he said. "I would venture to guess that unless there is some major vulnerability that has been exposed that we're just not aware of in the system, leaving this authentication mechanism in place until you have more information is probably better than just switching it all to static user names and passwords."

He did point out that other mechanisms can provide two-factor authentication. "Some organizations may say 'We're not going to take the risk,' and they can go down the path of swapping out [RSA's] technology for some other technology," he said.
