Safe / Secure / Systems : Internet and Data Security for Regular People: RSA Security Dongles Are Compromised

Wednesday, June 8, 2011

RSA Security Dongles Are Compromised

For quite a while now I've been using a couple of those "dongles" that some banks make available (sometimes for free) to increase the security of my financial accounts - one works with my credit union and with PayPal, and the other with E*Trade. These devices have an LCD display that shows a six-digit number that changes every minute or so; when I log into the banking site it will ask me for the number that the dongle is currently showing, in addition to my password.

The bank has software that generates the same sequence of strings of numbers, based on the serial number of my particular device, so that they can verify the number I've entered.

This is known as multi-factor authentication, where the password is one factor and the dongle's currently shown number is another. (There are also software versions of the dongle that run on the iPhone, etc.) This multi-factor approach can, when done right (see below), offer a tremendous amount of login security and in fact they are used by various gub'ment agencies and the military.

The dongle for my E*Trade account is made by a company called RSA. They are (or were?) a highly-respected company in the information security business. However, a few weeks back someone managed to break into their computer network and steal a bunch of data related to the dongle technology. They were very mum about just what was stolen for quite a while, but yesterday they finally admitted that the devices are compromised, and in fact just last week there was a cyber-breakin at Lockheed-Martin that was made possible by the RSA breach.

So, will I continue to use my RSA dongle? Yes I will - but the password that I use with it is a reasonably robust one so even if the bad guys can predict what number my RSA gizmo is going to spit out next, they still won't have my password. Also, I can't imagine that the people that stole the RSA tech are going to be coming after my measly bank accounts when there are far juicier targets out there. But I will say yet again that you should always use strong passwords for financial sites and such.

By the way - RSA, in its ongoing damage control efforts, announced that it will provide replacements for the forty million dongles that they have sold, on a request basis. Ouch!

I'll close with a little editorial: As an RSA SecurID user, I have watched this whole thing unfold from the beginning with interest, and to this day RSA continues to (try to) reassure its customers that Everything Is OK, that their technology is safe and sound, blah blah blah - just like they did when the breach was first discovered. I will opine that the more often a company makes those assurances in a situation like this, the more concerned we should become. I suspect they're more concerned with their stock price than the security of their customer base...

Hmmm, am I being overly cynical here?

No comments:

Post a Comment

Disclaimer

The information contained in this Site is provided in good faith by the author for general guidance on matters of interest only. Given the inherent hazards of electronic communication, there may be omissions or inaccuracies in information contained in this Site. As a result, the information on this Site is provided with the understanding that the author is not herein engaged in rendering any professional advice and services. As such, it should not be used as a substitute for consultation with professional and competent advisors. Before making any decision or taking any action based on the information contained in this Site, you should consult a professional who is competent in providing professional advice in information technologies.
While the author has made considerable effort to ensure that the information contained in this Site is accurate, the author is not responsible for any errors or omissions, or for the results obtained from the use of this information. All information contained in this Site is provided "as is", with no guarantee of completeness, accuracy, timeliness or the results obtained from the use of the information, and without warranty of any kind, express or implied, including, but not limited to warranties of performance, merchantability and fitness for a particular purpose or product safety of any kind. In no event will the author, his or her related partnerships or corporations, or the partners, family members, agents, employees or employers thereof be liable to you or anyone else for any decision made or action taken in reliance on the information contained in this Site, or for any indirect, consequential, special or similar damages including, without limitation, permanent loss or corruption of data, physical or emotional sufferings, moral standard corruptions, damages for loss of goodwill or self-esteem, loss of customers or market share, breach of security, permanent or temporary loss of employment, permanent or temporary loss of connectivity to the Internet, work stoppage, loss of income, computer related fires or other mishaps, computer failure or other malfunctions.
Certain links in this Site connect to other Web Sites maintained by third parties over whom the author has no control. These links are for general guidance on matters of interest only. The author makes no representations as to the accuracy or any other aspect of information contained in other Web Sites. The provision of these links should not be interpreted as constituting any kind of endorsement, whether implicit or explicit, of the views and/or contents of such other Web Sites.

Safe / Secure / Systems :
Internet and Data Security
for Regular People

Wednesday, June 8, 2011

RSA Security Dongles Are Compromised

No comments:

Post a Comment

Followers

Blog Archive

About Me

Disclaimer