Monday, March 28, 2011

THE RSA BREACH: BANKERS BEWARE, NOT JUST COMPUTER GEEKS

On March 17 RSA, the security division of information storage company EMC, announced that its servers had been breached. RSA makes the RSA SecurID, a sophisticated one-time password device that serves as a multifactor authentication device used by 90% of the nation's banks, according to a Bank Technology News article.

Not being a computer type, I hesitated to follow my blog on the FFIEC draft authentication guidelines with another internet banking blog, but this is serious business and could have profound effects on security in every high-risk internet banking transaction. It really means that internet banking security and authentication issues have moved out of the world of IT and into the headquarters suites of CEOs, COOs and CFOs. This further complicates whatever the FFIEC comes up with in its final guidelines.

Bank Technology News noted that the world's leading security vendor was not able "to lock out the beasts" and criticized RSA's "lack of candor" in its release of "scant" details. PC World describes the operation of the RSA SecurID in almost lay terms. The user logs in by username, enters a four-digit PIN and, from the RSA SecurID, gets a six-digit one-time password to enter the system. Mysteriously, the one-time password is generated by an algorithm and a "seed record". The one-time password lasts from 30 to 60 seconds. A remote RSA server verifies the information and lets the user into the system. PC World is concerned, given the lack of information, that the "seed record" at RSA was breached. If so, PC World claims, it would be a fairly easy step for the bad guys to get into a bank transaction. This RSA device is used by 40 million people and 30,000 organizations worldwide, according to RSA. See http://pcworld.com/ for March 18. In an SEC filing RSA suggested some precautionary steps, which did not seem to calm the IT world. One competitor has advised that RSA customers unhook their RSA systems.
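To make the mechanism described above concrete, here is an added illustration written for this post; it is not RSA's code, and the proprietary SecurID algorithm is replaced by a standard HMAC-based time-step derivation. It shows why the "seed record" is the crown jewel: the token and the remote server each hold a copy of the seed, and the seed plus the clock is all that is needed to produce the six-digit code, which the server then accepts only for the current time window and only together with the PIN. The seed value and PIN below are constructed for the example.

```python
import hashlib
import hmac
import struct

# Constructed seed for illustration only; not a real SecurID seed record.
# The real SecurID algorithm is proprietary, so an HMAC-SHA1, TOTP-style
# derivation (RFC 6238 shape) stands in for it here.
SEED = bytes.fromhex("00112233445566778899aabbccddeeff00112233")
STEP = 60          # seconds each one-time code stays valid (the post: 30 to 60)
DIGITS = 6         # the six-digit code the user types after the PIN


def one_time_code(seed: bytes, unix_time: int) -> str:
    """Derive the six-digit code for the time slot containing unix_time.

    Anyone holding this seed and a clock gets the same answer, which is
    exactly why a breach of the stored seed records is so serious.
    """
    slot = struct.pack(">Q", unix_time // STEP)            # which 60-second window
    mac = hmac.new(seed, slot, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                                 # dynamic truncation
    number = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{number % 10 ** DIGITS:0{DIGITS}d}"


def server_verify(seed: bytes, pin_on_file: str, pin: str, code: str,
                  unix_time: int, window: int = 1) -> bool:
    """What the remote server does: check the PIN (the second factor), then
    accept the code only if it matches the current slot or one slot either
    side to allow for clock drift. Anything older is rejected."""
    if not hmac.compare_digest(pin_on_file, pin):
        return False
    for drift in range(-window, window + 1):
        expected = one_time_code(seed, unix_time + drift * STEP)
        if hmac.compare_digest(expected, code):
            return True
    return False


if __name__ == "__main__":
    now = 1_300_000_000                       # fixed clock so the run is repeatable
    shown = one_time_code(SEED, now)          # what a token holding SEED displays
    print("token shows:", shown)
    print("login with right PIN:", server_verify(SEED, "1234", "1234", shown, now))
    print("login with wrong PIN:", server_verify(SEED, "1234", "9999", shown, now))
```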

Even without the RSA breach, some criminals have mastered a fraud technique to inject their presence into the middle of the bank-customer RSA SecurID operation and plunder an account. In the colorful jargon of IT this is the "man in the middle" ploy.

I usually try to tell the reader some solutions or ways to at least minimize harm.  I am sorry.  If I had a scant idea of the answers I would not be practicing law.

Marshall G. Martin
Comeau, Maldegen, Templeman & Indall, LLP
(505) 982 4611
(505) 228 8506
