Months after a phishing attack struck RSA Security's passcode-generating tokens and thus exposed the nation's leading banks to security threats this spring, more than a third of top banks are standing by RSA's product.
These banks were already anticipating stricter security rules and adopting multiple layers of security to guard against the possibility of any one device failing. Because of this, many banks use RSA's product — but they don't rely on it.
RSA's product, which it calls SecurID, uses an algorithm to randomly generate a passcode at regular intervals. This code is used as a second factor of authentication in addition to a password when connecting to bank websites and other sensitive systems.
The tokens are "still highly effective in a layered approach to security, and this was the qualifier in March as well," says Julie Conroy McNelley, senior analyst and fraud expert with Aite Group.
On March 17, in an open letter to customers, RSA executive chairman Arthur W. Coviello revealed that RSA "had detected a very sophisticated cyber attack on its systems, and that certain information related to the RSA SecurID product had been extracted."
The attack, which he called an advanced persistent threat, was launched following a successful phishing scam in which an RSA employee was enticed to open an infected email attachment, according to various reports.
Following that incident, RSA says it contacted banks and offered to replace the compromised tokens. RSA put aside $68 million for remediation. The vendor did not say how many tokens it has replaced.
"In the wake of the incident, we have not seen any real change in the [token] consumption patterns by banks and financial institutions," says Sam Curry, chief technology officer for identity and data protection for RSA. The breach did not result in a compromise of the tokens' security algorithm, Curry says.
RSA, a unit of EMC Corp., remains the dominant security provider to banks with some 90% using a breadth of security products from the company, analysts say.
In a survey conducted from August to October this year, Aite found 12 of the top 19 financial institutions it polled still use RSA tokens, with six more using tokens from other companies, including Entrust Inc. and Gemalto NV.
Eighty percent of bank customers that use the SecurID tokens use them in routine business banking and the remainder use them for high-net-worth consumer transactions, analysts say.
Despite banks' commitment to using tokens, their confidence in the product has declined somewhat. While 11 top banks said they thought one-time password devices are "highly effective," six said they thought it was only "reasonably effective," and about a third of those cited a perceived decline in security in the wake of the RSA breach. They also cited the technology's susceptibility to a fraud scheme called "man-in-the-browser."
The largest banks had already begun shifting to a multi-layered approach to secure their websites and employee activity prior to the attack, McNelley says.
The shift came as banks moved ahead of June guidance from the Federal Financial Institutions Examination Council on how to protect online banking sessions. Among other things, the guidance said that banks should use advanced forms of device authentication, anomaly detection, knowledge based authentication, dynamic risk assessment and multi-factor authentication.
"There's a lot of lethargy in financial institutions about moving away from RSA, and it is not the end of the world if they don't, as long as they got new tokens," says Avivah Litan, vice president and distinguished analyst for Gartner Inc .
Some security vendors agreed.
"Financial institutions have not rushed to replaced RSA SecurID(s) because [they are] embedded in their systems and deployed to their customers," Kevin Bocek, director of product marketing for IronKey Inc., wrote in an email.
Many banks still have trouble creating comprehensive security strategies that span their technology and fraud departments.
"The [security] strategy is not as tightly coordinated as it ought to be," says Ben Knieff, director of product marketing for NICE Actimize, a unit of NICE Systems Ltd.
Banks have focused on best-of-breed end-point products from vendors, as opposed to broader systems from one vendor, though that may change, McNelley says.
"RSA responded fairly swiftly to their customer base and provided guidance to them to remediate the damage," says Doug Johnson, vice president of risk management policy for the American Bankers Association.
The RSA breach even served as a catalyst for some banks to improve their security strategies, Johnson said. "What we ended up with was a more secure environment."
Calls to many of the top banks went unreturned.