A severe security breach at EMC Corp.'s RSA Security may threaten the thousands of banks that use its technology.
Most banks use RSA's technology to secure access to online banking and other systems. The company is best known for its one-time passcode-generating tokens, though many banks also use its software to invisibly protect their websites.
Without disclosing the exact scope of the breach, RSA indicated that it is a serious and far-reaching threat. Experts said the break-in demonstrates a weakness of passcode tokens, and advised banks to begin migrating to a multilayered approach to protect their systems.
"This is an enormous deal, and you have to assume the worst case," said Avivah Litan, a vice president and distinguished analyst at the research firm Gartner Inc. in Stamford, Conn.
"If the criminals got the master key, they could use it to create unauthorized cards or counterfeit tokens and then steal passwords and create their own one-time passwords," Litan said.
RSA disclosed the breach to customers in a letter it posted on its website Thursday.
"Recently, our security systems identified an extremely sophisticated cyber attack in progress being mounted against RSA," Art Coviello, RSA's chief executive, said in the letter. "Our investigation also revealed that the attack resulted in certain information being extracted from RSA's systems. Some of that information is specifically related to RSA's SecurID two-factor authentication products."
Coviello went on to say that the information could "reduce the effectiveness of a current two-factor authentication implementation as part of a broader attack." He said RSA is providing customers with immediate steps to strengthen their implementations of SecurID.
EMC, of Hopkinton, Mass., said it would not comment further on the break-in.
A spokeswoman for Bank of America Corp., one of RSA's clients, said, "we are aware of the situation, but for security reasons, we do not disclose details of our security technology and processes."
RSA, in Bedford, Mass., is one of the largest security vendors in the world. Upward of 90% of U.S. banks use RSA's technology in some part of their business, according to Aite Group LLC in Boston.
RSA's one-time passcode tokens let users authenticate their online banking transactions with a string of numbers that expires within 60 seconds. It is primarily used with employees or with corporate banking customers, though some banks offer it to consumers.
The New York Times reported in a story March 17 that it is possible criminals might have stolen an internal "master key," from which it might be possible to gain access to the corporate networks and computer systems of banks.
With that knowledge, George Tubin, a senior research director with TowerGroup of Needham, Mass., said it might be possible for criminals to know the randomly generated passwords of corporate clients.
Criminals could then "go in and impersonate you logging into your system because [they will] have that one-time password," Tubin said.
Experts said the breach demonstrated the need for banks to have a multilayered approach to security, as will almost certainly be mandated when the Federal Financial Institutions Examination Council issues its guidance later this year on what banks must do to protect the security of online transactions.
Many of the banks that use RSA's technology today with consumer online banking do so because of a 2005 mandate from the council that they have stronger authentication than a simple username and password. Most banks that chose passcode tokens offered them only to wealthy consumers or business clients, because of the cost of deploying them and the potential they had to disrupt the online experience by adding a step during every login.
For most consumers, banks chose to use software to identify whether a user is connecting from a trusted computer or a low-risk location. This method is largely invisible to the end user.
"Banks should be doing now what they should have been doing a long time ago, which is looking at deploying multiple layers of protection based on the levels of risk of the transaction," said Julie Conroy McNelley, a senior risk and fraud analyst at Aite.
McNelley said that in addition to passwords and device identification, corporate clients should consider using specialized keys, hardened browsers, behind-the-scenes analysis of transaction behavior and setting dual controls.
Other observers said the attack on RSA demonstrated the ineffectiveness of tokens.
"Banks should already be aware the token is pretty much rendered useless as a second factor of authentication," said Jacob Jegher, a senior analyst at the research firm Celent. "This is yet another nail in the coffin for the token."
Litan said that tokens are susceptible to the same kind of intermediary attacks leveraged by the Zeus Trojan, which hijacks browser sessions during the legitimate user's online banking activity.
"One-time tokens can be compromised," Litan said.
Besides ramping up security procedures, experts said banks using SecurID should definitely consider contacting their clients about the potential threat to their accounts.
"Knowledge is power, and the more their customers know they are not bulletproof with a token, the more measures they can take," McNelley said.
In addition to Coviello's letter to customers online, RSA also included in an 8-K filing Thursday with the Securities and Exchange Commission a note that said it did not think the breach would have a financial impact on the company.
Andrew Johnson contributed to this story.