Small Banks May Take Biggest Hit from RSA Breach


In the wake of the compromise of RSA Security's one-time-password tokens, it's the smaller banks that may feel the greatest impact, since they have more invested in a single security technology than their larger peers.

An estimated 80% of banks rely on the EMC Corp. unit's SecurID tokens to protect online banking sessions for corporate banking customers and other clients. The largest banks have already disclosed that they will accept RSA's offer to continue using SecurID after the vendor issues replacement tokens.

But 30% of smaller banks say they will either switch or are considering switching to some other form of protection, according to a survey of 100 community banks completed Tuesday by cbanc Network Inc., an online social and resource-sharing network for banks.

"These institutions are more likely to have all of their eggs in the RSA basket, and won't have the multiple layers of defenses required to combat this and other online threats," said Julie Conroy McNelley, a senior risk and fraud analyst at Aite Group LLC of Boston.

Avivah Litan, a vice president and distinguished analyst at the research firm Gartner Inc., said all "banks are nervous and they are watching this closely," but many smaller institutions "only rely on strong authentication, as opposed to the larger banks who have multiple layers of defenses."

Recent events have heightened the atmosphere of concern for banks. On Monday, following announcements by the defense industry heavyweights Lockheed Martin Corp., Northrop Grumman Corp. and L-3 Communications Holdings Inc. that hackers had attempted to break into their systems using compromised SecurID tokens, RSA said it would reissue about 40 million of the devices to about 30,000 companies and government agencies that use them. Each token computes a one-time passcode from a secret seed stored in the device and the current time; because a code expires within about a minute, it is considered more secure than a static password. That protection holds only as long as the seed stays secret, which is why a compromise of seed data is remedied by replacing the tokens rather than by waiting for the codes to expire.
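To make the point concrete, here is an added illustration that is not part of the original article and does not reproduce RSA's proprietary SecurID algorithm; it uses the open time-based one-time-password construction of RFC 6238 (HOTP from RFC 4226 keyed to the current time step), which has the same security property: the code is short-lived, but anyone holding the seed can compute it. The seed below is the RFC 4226/6238 test-vector key, used with a 30-second step so the values can be checked against the standard; the helper names (`verify`, `attacker_with_stolen_seed`, `reissue_token`) are this example's own.

```python
import hashlib
import hmac
import secrets
import struct


def hotp(seed: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-based one-time password (RFC 4226): HMAC-SHA1 over the counter,
    then dynamic truncation to `digits` decimal digits."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(seed: bytes, unix_time: int, step: int = 60, digits: int = 6) -> str:
    """Time-based one-time password (RFC 6238): the HOTP counter is the current
    time step, so a given code can only be produced during that step."""
    return hotp(seed, unix_time // step, digits)


def verify(seed: bytes, candidate: str, unix_time: int, step: int = 60,
           skew: int = 1, digits: int = 6) -> bool:
    """Server-side check. Accepts the code for the current step and +/- `skew`
    neighbouring steps to tolerate clock drift; compares in constant time so a
    partial match leaks nothing. Outside the window the code is dead, which is
    the property that makes a one-time code stronger than a static password."""
    if len(candidate) != digits or not candidate.isdigit():
        return False
    for delta in range(-skew, skew + 1):
        expected = totp(seed, unix_time + delta * step, step, digits)
        if hmac.compare_digest(expected, candidate):
            return True
    return False


def attacker_with_stolen_seed(stolen_seed: bytes, unix_time: int, step: int = 60) -> str:
    """Whoever holds the seed computes exactly the code the token shows at that
    moment. Expiry of individual codes gives no protection against this, which is
    why a seed compromise is fixed by reissuing tokens with fresh seeds."""
    return totp(stolen_seed, unix_time, step)


def reissue_token() -> bytes:
    """Replacement token: a fresh random 160-bit seed. Codes derived from the
    stolen seed no longer verify against it (barring a one-in-a-million digit collision)."""
    return secrets.token_bytes(20)


if __name__ == "__main__":
    # Constructed demo: RFC 6238 test-vector key with a 30 s step.
    seed = b"12345678901234567890"
    t = 59
    code = totp(seed, t, step=30)
    print("code at t=59:", code)                                      # 287082
    print("valid now:", verify(seed, code, t, step=30))               # True
    print("valid 90 s later:", verify(seed, code, t + 90, step=30))   # False, window passed
    print("attacker with seed matches:",
          attacker_with_stolen_seed(seed, t, step=30) == code)        # True
    new_seed = reissue_token()
    print("old code against reissued seed:", verify(new_seed, code, t, step=30))
```

The last two lines of the demo are the whole argument of the article in miniature: the short lifetime of each code stops replay of an intercepted passcode, but it does nothing against an adversary who has the seed, and only rotating the seed (reissuing the token) closes that gap.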

Litan estimates that RSA will spend up to $25 million replacing the tokens, and even though the tokens will be replaced at no cost to the banks, all banks combined will spend between $50 million and $95 million on customer service, technical system adjustments and mailings. Litan said it may take as long as nine months for RSA to complete the replacements.

When cbanc, of Austin, Texas, asked bankers what they were considering switching to, respondents listed biometric fingerprint verification, out-of-band authentication, additional PINs tied to tokens and other forms of multifactor authentication.

"The market does not see any confidence-inspiring silver bullet for the authentication-based security layer," said Myers Dupuy, cbanc's president.

Dupuy said he thinks smaller banks would consider adding security for high-risk transactions.

"While authentication is critical and will evolve, we see the point where the money leaves the bank as the most critical," Dupuy said.

Security vendors, smelling blood in the water since the RSA breach, have begun heavily promoting their own wares.

PhoneFactor Inc. of Overland Park, Kan., for example, pitches a "token replacement program" on its home page for RSA customers considering a switch.

In April, PhoneFactor polled 433 companies across industries, including more than 100 banks, on their use of security tokens. By the vendor's own account, 57% said the attacks against RSA had reduced their confidence in tokens, and 44% said the breach had caused them to re-evaluate their use of tokens.

PhoneFactor said it has seen a double-digit increase in inquiries and sales of its services over the past year.

Dave Jevans, the chief executive of IronKey Inc., of Sunnyvale, Calif., said he is seeing strong evidence that his bank customer base, which includes many smaller banks, is beginning to shift away from tokens.

"Some are either moving away from this technology or they are augmenting it with other layers of endpoint security, such as IronKey," Jevans said.

Security experts have said for a long time that adding more layers is important for smaller banks.

"Any organization that depends on a single technology is taking huge risks," said Phil Blank, senior analyst for security, risk and fraud at Javelin Strategy and Research. "Layered security measures must be in place."

McNelley said that after the Federal Financial Institutions Examination Council issued guidance in 2005 recommending stronger, multifactor authentication for online account access, many banks flocked to RSA's SecurID product.

"Financial institutions, particularly the smaller ones, said they would deploy secure tokens" following the guidance, McNelley said.

MORE FROM AMERICAN BANKER