The Token Debate: Why the RSA and ISACA Perspectives Are Wrong
While I would never claim to be a maven in the world of cyber security, I find it quite disturbing that a long-standing security vendor such as RSA would proclaim, “Since its (one-time-password token) inception, the world’s most respected security researchers have worked, unsuccessfully, to ‘break’ this technology.”
Well, I can’t comment on the world’s most respected security researchers, but I sure do know that many criminal organizations have successfully defeated one-time-password tokens — with both man-in-the-middle (MITM) and man-in-the-browser (MITB) attacks — to the point where regulatory agencies around the world are issuing bold statements, guidelines and regulatory compliance to help educate and protect online users and service providers. Just type “MITB attack” in your browser search window and you can read a myriad of very dramatic and costly attacks on some of the world’s largest banks and their clients over the past two years.
Similarly, I am confident in saying that anyone who proclaims security tokens to be worthless is simply misleading. While I believe Richard Hollis of ISACA makes some very good points about the sophistication and growth of fraud attacks and malware in the wild today, security tokens are, in fact, very good protection against certain kinds of password theft, such as keystroke loggers or credential database breaches. Take, for example, the database breach at LinkedIn earlier this year, reportedly exposing more than six million user passwords! If these users — or the 70 million users compromised by the Sony PlayStation breach — had accounts protected with one-time-password token access, their accounts could not have been accessed with the stolen passwords alone.
In the world of cybersecurity, it’s important to realize that:
- Fraud threats and attacks will continue to evolve in sophistication and volume
- There is no silver bullet solution that will protect against every attack vector
- When implementing security controls, you must take into consideration risk, user experience and cost, and then deploy the control that is best suited to address the situation
One of the challenges that organizations face, however, is that they have a diverse user community with varied profiles when the assessment of risk, user experience and cost is performed. For example, the risk profile and user experience considerations of a commercial-banking client with an average cash balance of $3 million are quite different from those of a retail-banking client with an average cash balance of $1,000. Similarly, the risk profile of a senior IT administrator responsible for managing the organization’s security systems is quite different from that of a factory worker whose network access is limited to an internal Web application on work procedures and the corporate email system.
As organizations look to solve the identity-based security problem, there is no doubt that traditional, single-purpose authentication products are not the answer. To effectively secure today’s cyberworld, organizations are looking to an enterprise-wide software authentication platform designed to address needs that span physical and logical access, mobile and cloud security, and one that lets them implement new controls and policies — across diverse user groups — as new security threats, business needs and technology evolve.