
Are Your Security Tokens Really Secure?


By Steve Dispensa, [email protected]

Escalating IT security threats and strengthening regulatory requirements have driven adoption of two-factor authentication among retailers to unprecedented levels. In an effort to stave off increasingly virulent attacks and meet PCI DSS mandates, many retailers have deployed security tokens, like RSA’s SecurID, to secure access to their corporate network and the sensitive customer and payment data it contains.

Security tokens generate a pseudo-random sequence of digits referred to as a One-Time Password (OTP). When a user logs in, they must enter their username and password and the OTP from the token to access network resources and applications. During a recent breach at RSA, maker of SecurID security tokens, attackers stole SecurID token seeds which they later used to bypass SecurID tokens in an attempt to infiltrate some of the most secure networks in the world. With more than 40 million tokens in use today, many enterprises, retailers included, are left wondering about the implications for their organizations. Unfortunately, given the lack of public information from RSA, the answer has not necessarily been clear. Here’s a look at some of the most common misconceptions:

1. Myth: Not all companies with SecurID tokens are at risk.

The black market value of compromised SecurID seeds skyrocketed after their successful use in attacks against Lockheed Martin and others. Attacks against compromised SecurID tokens are not difficult, and can easily be replicated. Companies in every industry are targeted by attackers looking to gain access to credit card numbers, personal information, and even e-mail addresses (Sony, Epsilon, HBGary, Michaels Stores, iTunes,

2. Myth: Not all companies with SecurID tokens need to replace them.

RSA has indicated that all tokens are impacted, yet they only offered to “replace SecurID tokens for customers with concentrated user bases typically focused on protecting intellectual property and corporate networks” and for others, they simply suggest implementing risk-based authentication. If you have SecurID tokens in place today, they are vulnerable and they need to be replaced. Companies should not accept a lower level of protection than they were promised when they bought tokens.

3. Myth: Companies can simply replace existing SecurID tokens.

There’s nothing simple about replacing millions of tokens. RSA has to ship replacement tokens. One has to wonder how RSA will prioritize these shipments and whether they have a sufficient inventory available. Companies have to re-provision each token – unpacking them, assigning each token to a user, sending the token to the user, and educating the user about what’s going on (averaging 15 minutes per token). This is not trivial, particularly for companies with thousands of tokens to deal with and those who have to deploy replacements to customers or subcontractors. And it cannot be done overnight. The process could take months, and given the internal resources required to deploy tokens, the process can be more costly than replacing tokens with an alternate two-factor solution.

4. Myth: Replacing compromised SecurID tokens will restore security to my network.

While replacing SecurID tokens addresses the issue of compromised SecurID seeds from the March breach, it does not address the following:

  • Tokens are vulnerable to malware, keylogging, and man-in-the-middle attacks.

  • Tokens cannot provide granular authentication of high risk activities, such as transactions or the movement of data.

  • Token seeds were stolen once, and they can be again.

5. Myth: RSA has been forthright about the risks to customers.

It’s no surprise that RSA is trying to downplay the risk to their clients. However, the breach at RSA was executed over 60 days before RSA admitted that SecurID tokens might need to be replaced and they only did so after high-profile attacks at defense contractors hit the news.

Shoring Up Authentication Practices

Using security tokens is like bringing a knife to a gun fight. The nature of the battle has changed. Malware and man-in-the-middle attacks easily defeat all one-time-passcode methods, including software and hardware tokens. More than 50 percent of malware goes undetected by anti-virus software. Trojans, worms, rootkits, and their countless variants have infiltrated an astounding number of computers, and malware is increasingly designed to subvert the computer's operating system, which makes it extremely powerful and difficult for anti-virus software to detect and remove.

Given the prevalence of malware, one must always assume that the end point device (or an OTP entered into the end point device) is compromised. As a result, organizations are increasingly moving to out-of-band methods which authenticate logins and transactions through a separate communications channel, e.g. the telephone network. Out-of-band phone-based authentication methods are increasing in popularity and are seen as a leading token replacement option.
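The design point in the paragraph above is that an OTP typed into a compromised endpoint can be captured or relayed, whereas an approval delivered over a second channel can carry the server's own description of the login or transaction. The following added example, which is not code from the article or from PhoneFactor, sketches the server side of such a flow with a hypothetical `OutOfBandApprover` class: the message sent to the phone describes the action as the server will actually execute it, each request id is single-use, and requests expire. The phone channel itself is simulated by a callback that collects messages in a list.

```python
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict


@dataclass
class PendingRequest:
    user: str
    action: str        # the action as the server sees it, not as the browser claims it
    expires_at: float


class FakeClock:
    """Deterministic clock for the demonstration (constructed helper)."""
    def __init__(self, start: float) -> None:
        self.t = start

    def __call__(self) -> float:
        return self.t

    def advance(self, seconds: float) -> None:
        self.t += seconds


class OutOfBandApprover:
    """Server-side state for out-of-band approvals (hypothetical, illustrative only)."""

    def __init__(self, send_to_phone: Callable[[str, str], None],
                 ttl_seconds: float = 120.0, clock: Callable[[], float] = time.time) -> None:
        self.send_to_phone = send_to_phone   # the separate channel (call, SMS, push)
        self.ttl = ttl_seconds
        self.clock = clock
        self.pending: Dict[str, PendingRequest] = {}

    def request_approval(self, user: str, action: str) -> str:
        """Record a pending action and describe it to the user over the second channel."""
        request_id = secrets.token_urlsafe(16)
        self.pending[request_id] = PendingRequest(user, action, self.clock() + self.ttl)
        # Because the text comes from the server's view of the request, a trojan that
        # silently changed the transaction in the browser cannot hide that change here.
        self.send_to_phone(user, f"Approve '{action}'? Reply YES or NO (request {request_id})")
        return request_id

    def confirm(self, request_id: str, user: str, answer: str) -> bool:
        """Consume the request exactly once; expired, unknown or foreign requests fail."""
        req = self.pending.pop(request_id, None)
        if req is None or req.user != user:
            return False
        if self.clock() > req.expires_at:
            return False
        return answer.strip().upper() == "YES"


def demo_compromised_endpoint() -> bool:
    """Constructed scenario: the user meant to send 100 USD, but malware on the
    endpoint rewrote the request before it reached the server. The phone message
    shows the rewritten amount, so the user declines and the action is not approved."""
    outbox = []
    approver = OutOfBandApprover(lambda u, m: outbox.append((u, m)), clock=FakeClock(1000.0))
    rid = approver.request_approval("alice", "transfer 10000 USD to account 9999")
    user_reads = outbox[-1][1]
    answer = "NO" if "10000 USD" in user_reads else "YES"
    return approver.confirm(rid, "alice", answer)


if __name__ == "__main__":
    print("approved despite tampering:", demo_compromised_endpoint())
```

The two properties worth carrying into any real deployment are visible in `confirm`: the request is removed before it is evaluated, so a captured approval cannot be replayed, and the expiry is enforced server-side with the server's clock rather than trusting anything the endpoint sends.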

Analysts predict a continued decline in the use of hardware tokens for authentication and an increased reliance on phone-based methods. Gartner, Inc. expects that by year-end 2013, fewer than 10% of all authentication events will involve discrete, specialized authentication hardware of any kind (Predicts 2011: Identity and Access Management Continues Its Evolution Toward a Strategic Discipline, November 23, 2010 by Ant Allan, Earl Perkins, and Ray Wagner). The research notes that “by adopting alternative authentication methods, enterprises will be able to meet their needs for improved security at a lower cost and with a better user experience.”

In addition to the security benefits of out-of-band authentication, phone-based methods are significantly easier for end users and IT departments. By leveraging an existing device, phone-based methods can be instantly enabled for employees at retail locations around the globe. There are no devices for IT to provision, ship, replace, or retrieve when an employee leaves the organization. Everyone knows how to use the phone, so user training and ongoing support is minimal.


Retailers that utilize security tokens, many of whom are already frustrated with supporting current token deployments, are being driven to action by the RSA breach. The breach has many re-evaluating their use of security tokens and considering alternatives. As attacks have evolved, the effectiveness of security tokens has been significantly impacted. The RSA breach may just be the final nail in the coffin for security tokens.

Steve Dispensa is chief technology officer at PhoneFactor, a leading provider of multi-factor authentication services. Its platform leverages a device every user has -- a phone -- to strongly authenticate logins and transactions. He can be reached at [email protected].
