A severe security breach at EMC Corp.'s RSA Security may threaten the thousands of banks that use its technology.
Most banks use RSA's technology to secure access to online banking and other systems. The company is best known for its one-time passcode-generating tokens, though many banks also use its software to invisibly protect their websites.
Without disclosing the exact scope of the breach, RSA indicated that it is a serious and far-reaching threat. Experts said the break-in demonstrates a weakness of passcode tokens, and advised banks to begin migrating to a multilayered approach to protect their systems.
"This is an enormous deal, and you have to assume the worst case," said Avivah Litan, a vice president and distinguished analyst at the research firm Gartner Inc. in Stamford, Conn.
"If the criminals got the master key, they could use it to create unauthorized cards or counterfeit tokens and then steal passwords and create their own one-time passwords," Litan said.
RSA disclosed the breach to customers in a letter it posted on its website Thursday.
"Recently, our security systems identified an extremely sophisticated cyber attack in progress being mounted against RSA," Art Coviello, RSA's chief executive, said in the letter. "Our investigation also revealed that the attack resulted in certain information being extracted from RSA's systems. Some of that information is specifically related to RSA's SecurID two-factor authentication products."
Coviello went on to say that the information could "reduce the effectiveness of a current two-factor authentication implementation as part of a broader attack." He said RSA is providing customers with immediate steps to strengthen their implementations of SecurID.
EMC, of Hopkinton, Mass., said it would not comment further on the break-in.
A spokeswoman for Bank of America Corp., one of RSA's clients, said, "we are aware of the situation, but for security reasons, we do not disclose details of our security technology and processes."
RSA, in Bedford, Mass., is one of the largest security vendors in the world. Upward of 90% of U.S. banks use RSA's technology in some part of their business, according to Aite Group LLC in Boston.
RSA's one-time passcode tokens let users authenticate their online banking transactions with a string of numbers that expires within 60 seconds. The tokens are primarily used with employees or with corporate banking customers, though some banks offer them to consumers.
The New York Times reported in a story March 17 that criminals might have stolen an internal "master key," from which it might be possible to gain access to the corporate networks and computer systems of banks.
George Tubin, a senior research director with TowerGroup of Needham, Mass., said that with that knowledge it might be possible for criminals to know the randomly generated passwords of corporate clients.
Criminals could then "go in and impersonate you logging into your system because [they will] have that one-time password," Tubin said.
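To make concrete why the analysts above treat a stolen seed (the "master key") as the worst case for a 60-second passcode, here is an added example that is not from the article or from RSA: SecurID's own algorithm is proprietary, so an RFC 6238 style HMAC-SHA1 code with a 60-second step stands in for it, with a constructed seed and timestamp. Whoever holds the per-token seed derives the identical code the server expects, so the server can only limit exposure through window expiry and replay rejection, and needs the further layers the experts call for.

```python
import hashlib
import hmac
import struct

STEP_SECONDS = 60  # the article's "expires within 60 seconds"


def totp_code(seed: bytes, unix_time: int, digits: int = 6) -> str:
    """Code for the 60-second window containing unix_time (RFC 6238 style, HMAC-SHA1).

    Nothing here is secret except `seed`: the token and the server run this same
    function, and so does anyone else who obtains the seed.
    """
    counter = unix_time // STEP_SECONDS
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                       # dynamic truncation
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


class TokenVerifier:
    """Server side: accepts only the current window and never accepts a window twice."""

    def __init__(self, seed: bytes):
        self._seed = seed
        self._last_accepted_counter = -1   # highest window already consumed

    def verify(self, code: str, unix_time: int) -> bool:
        counter = unix_time // STEP_SECONDS
        if counter <= self._last_accepted_counter:
            return False                  # replay of an already-used (or older) window
        if not hmac.compare_digest(code, totp_code(self._seed, unix_time)):
            return False                  # wrong code or expired window
        self._last_accepted_counter = counter
        return True


if __name__ == "__main__":
    # Constructed seed and timestamp; a real deployment loads per-token seeds from a protected store.
    seed = b"constructed-demo-seed-not-a-real-token"
    now = 1_300_000_020                  # start of a 60-second window
    code = totp_code(seed, now)
    server = TokenVerifier(seed)
    print("accepted on first use:", server.verify(code, now + 5))      # True
    print("replay in same window:", server.verify(code, now + 30))     # False
    print("after window expired: ", server.verify(code, now + 60))     # False
```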
Experts said the breach demonstrated the need for banks to have a multilayered approach to security, as will almost certainly be mandated when the Federal Financial Institutions Examination Council issues its guidance later this year on what banks must do to protect the security of online transactions.
Many of the banks that use RSA's technology today with consumer online banking do so because of a 2005 mandate from the council that they have stronger authentication than a simple username and password. Most banks that chose passcode tokens offered them only to wealthy consumers or business clients, because of the cost of deploying them and the potential they had to disrupt the online experience by adding a step during every login.