On March 17, the unthinkable happened: someone or something breached RSA. The Executive Chairman of RSA Security, one of the most successful, high-level Internet security companies, published an open letter in which he admitted that attackers had successfully breached the RSA network and stolen sensitive information related to the company’s SecurID two-factor authentication technology. RSA identified the attack as an APT-type attack. SecurID is one of the most widely used authentication technologies on the Internet; many banks use it and many websites are secured by it.
Keys to The Kingdom
This breach of mythic proportions could mean that the very code to the two-factor authentication system known as SecurID is in the hands of attackers. One implication is that a package of malicious software known as the Zeus crimeware will now become adept at breaking all two-factor authentication. The other is that a new major threat is out there called an “APT” (Advanced Persistent Threat), a new form of cyberattack that does not rely upon typical brute-force web-based attacks but instead uses stealthier, backdoor attacks. These are more carefully planned, more organized and apparently well funded.
A similar attack, dubbed Operation Aurora, broke into Google, among others, back in 2009; this was also a type of APT attack. As has been noted, “if Google and Aurora wasn’t enough of a wake-up call, this is another wake-up call,” said Peter Schlampp, vice president of product management at Solera Networks.
This comes at a time when the federal government is planning to move up to 18 percent of its IT infrastructure to cloud computing, so it had better be a big wake-up call. The trouble is, who will hear it, and what will they do? Could this be the impetus needed to start the creation of a federal electronic ID system? Alternatively, could it be the end of the road for the idea?
Verifying that you are who you say you are is one of the most important aspects of e-commerce. Unless customers feel secure, they will not transact business on a website. SecurID’s two-factor authentication helped make them feel secure, and now that it may be broken, customers will stop trusting it. If you are a customer, how do you prove that it is you using your credit card and not an eastern European crime lord?
Your bank, using two-factor authentication, does that with your credit card. The collapse of that security system would be the collapse of e-commerce. There is already a move in government to create a national identification program called “Real ID,” which could easily evolve into an electronic identification validation system that industry would then rely upon. Currently, Real ID is being planned as a set of standards for ID cards, which will mean that states have to update their driver’s licenses to meet the standard.
This year, federal employees will be issued ID cards conforming to the new standards, including electronic identification. This breach of the RSA data could push Real ID and a federal electronic ID forward by creating demand for the service, or hinder its adoption by creating mistrust in virtual ID security. Either way, it demonstrates the desperate need to create a true level of security for our national infrastructure, that being the Internet and wireless networks, especially with m-commerce coming down the pike like a freight train. The battle is on to bring NFC online, but the security credibility gap is the key to customer adoption of this new payment system.