Wednesday, June 8, 2011

RSA Security Dongles Are Compromised

For quite a while now I've been using a couple of those "dongles" that some banks make available (sometimes for free) to increase the security of my financial accounts - one works with my credit union and with PayPal, and the other with E*Trade. These devices have an LCD display that shows a six-digit number that changes every minute or so; when I log into the banking site it will ask me for the number that the dongle is currently showing, in addition to my password.

The bank has software that generates the same sequence of numbers, keyed to the serial number of my particular device, so that it can verify the number I've entered.

This is known as multi-factor authentication, where the password is one factor and the dongle's currently shown number is another. (There are also software versions of the dongle that run on the iPhone, etc.) This multi-factor approach can, when done right (see below), offer a tremendous amount of login security and in fact they are used by various gub'ment agencies and the military.

The dongle for my E*Trade account is made by a company called RSA. They are (or were?) a highly respected company in the information security business. However, a few weeks back someone managed to break into their computer network and steal a bunch of data related to the dongle technology. They were very mum about just what was stolen for quite a while, but yesterday they finally admitted that the devices are compromised, and in fact just last week there was a cyber break-in at Lockheed-Martin that was made possible by the RSA breach.

So, will I continue to use my RSA dongle? Yes, I will - but the password that I use with it is a reasonably robust one, so even if the bad guys can predict what number my RSA gizmo is going to spit out next, they still won't have my password. Also, I can't imagine that the people who stole the RSA tech are going to be coming after my measly bank accounts when there are far juicier targets out there. But I will say yet again that you should always use strong passwords for financial sites and such.

By the way - RSA, in its ongoing damage control efforts, announced that it will provide replacements for the forty million dongles that they have sold, on a request basis. Ouch!

I'll close with a little editorial: As an RSA SecurID user, I have watched this whole thing unfold from the beginning with interest, and to this day RSA continues to (try to) reassure its customers that Everything Is OK, that their technology is safe and sound, blah blah blah - just like they did when the breach was first discovered. I will opine that the more often a company makes those assurances in a situation like this, the more concerned we should become. I suspect they're more concerned with their stock price than the security of their customer base...

Hmmm, am I being overly cynical here?