No such thing as a free lunch… particularly when dealing with a security breach.
As most of you are well aware, as a remedy to try and help its customers, RSA is offering “free” tokens to replace their compromised devices. Well, they’re really not free tokens; what RSA is willing to do is provide a new token with a limited-time license based on the remaining life span of a customer’s compromised token. Oh, and the IT management costs to disable your old tokens and register your new tokens will have to be covered by you, the customer. And then there’s the logistics cost of distributing tokens to employees and customers (mass mailing will certainly be involved in many cases) along with the call center costs to help users enroll / activate the new tokens. Hopefully that’s the limit of it, but who really knows; maybe a breach has already occurred but not yet been discovered. At the end of the day, RSA customers are being given the opportunity to replace an old, compromised technology with an old technology with a limited life span – that doesn’t sound that compelling to me.
Extending the thought process a bit further, let’s say I am the customer of an RSA customer – for example, I’m the financial controller at AnyCorp USA. One day, my bank (an RSA customer) issues me and my team a replacement set of RSA security tokens to conduct our online commercial transactions. The first thought that would go through my head is – why am I getting a new set of tokens? Quickly followed by… how can you <my bank who manages millions of dollars at peak periods> be so sure these new tokens are safer, or have you simply taken RSA at their word? What security measures have you taken to ensure this won’t happen again? What if it does happen again? Have you really done your due diligence and considered alternative suppliers or approaches to ensure my online banking is safe?
Now, one might conclude, hey Mike, what you’re propagating is FUD – Fear, Uncertainty and Doubt; fair enough, but isn’t that really what the entire market is going through right now? And personally, when I run into a situation in my personal or professional life where there is FUD and the risks are high, what do I do? I do my homework. I make sure I have assessed the options; I make sure I review the alternatives and assess the pros and cons; I evaluate 3 vendors to make sure I am getting value for my money; in the end, I make an educated, intentional decision and simply don’t take the easy route. I may be wrong, but at least I have given it my best effort and done my homework.
Fraud threats are evolving in frequency and sophistication at an incredible pace, and it has been proven that security solutions that do not evolve will be compromised by today’s attackers. Rather than investing time and effort into “fixing” an old technology, doesn’t it make sense to spend your time and effort evaluating a new approach to security? If you do, I’d say, look for something that is dynamic, flexible and proven to evolve as the marketplace evolves. This gives you the power to secure your networks, your data and your customers’ transactions today and for years to come.