Shifting sands as RSA disaster confuses Australia

The approach that a number of major Australian companies and government departments are taking to RSA’s revelation that the integrity of its widely used SecurID two-factor authentication system had been compromised is changing hourly, as the nation’s major banks and other organisations discuss the matter with the security vendor and their customers.

The SecurID platform sees small devices commonly known as ‘keyfobs’ distributed to staff and customers of major organisations, who then use the randomised codes which they create to authenticate their credentials when they log in to sensitive systems such as internet banking platforms or government systems which hold vast swathes of data about citizens.

The technology is used by a number of major Australian household names including the Commonwealth Bank of Australia, Westpac, Australia and New Zealand Banking Group, the Australian Taxation Office, the Department of Defence and Telstra, to name a few.

RSA executive chairman Art Coviello disclosed in mid-March a hack attack had taken place against on the SecurID platform, and the news hit headlines again this week as it was revealed that an attacker had tried to gain access to sensitive information at defence contractor Lockheed Martin through the compromised technology. In the wake of the issues, RSA has offered to replace all of the keyfob devices internationally, and has been discussing the issue with customers in Australia. However, not all have taken up the company’s offer.

A Westpac spokesperson this morning had stated the bank would not reissue the RSA tokens to customers, noting that the devices were just one part of its overall security approach and stating that the security of online banking for customers had not been compromised through the recent issues. However, just hours later — and after the revelation that rival ANZ would replace some 50,000 of the keyfobs, Westpac had changed its tune, issuing a statement this afternoon to the effect that it would in fact replace its tokens.

“Our customers’ trust in the security of our systems is paramount,” said Westpac general manager of online and customer service centres Harry Wendt said in a statement this afternoon. “Although we do not believe that our customers are at risk from this event, we have initiated a token replacement program to alleviate any residual concern that our customers may have.”

A spokesperson for the bank said only a small number of customers had raised the issue — but it was enough to change the bank’s stance.

Earlier today, a spokesperson for ANZ Bank confirmed a report by ZDNet.com.au that the bank had taken the reverse approach to its rivals — and had decided to re-issue new RSA tokens to all customers and staff who currently had them — about 50,000 people. “While there is no direct threat to ANZ customers we believe this is the best course of action given recent advice from RSA,” a spokesperson for the bank said. “There will be no expense for ANZ customers as a result of this decision to replace the tokens.”

The bank said it was predominantly its corporate and institutional customers who used the tokens as one component of its multi-layered security systems. The bank has about 50,000 of the devices in use, with about 4,000 being used internally.

The ATO will also replace its tokens.

“We can confirm that as a precaution the ATO has been working with our service provider to replace our RSA tokens,” a spokesperson for the agency said. “However, the ATO employs a range of authentication and access controls and we do not place total reliance on any single control. As such, our security provisions remains effective.”

However, not everyone is jumping to the same conclusions as Westpac, ANZ and the ATO.

The Commonwealth Bank today said it would not replace the tokens it has issued to staff (it does not issue the tokens to customers). “The RSA ID tokens used by staff are only one part of a multi-layered security procedure. As a precautionary measure the CBA has implemented a number of additional security protections, and has continued to be briefed by RSA since the March incident,” a spokesperson for the bank said.

“The CBA takes security very seriously and has robust security measures in place. Our team of security experts continually monitor and review our systems, both internally and with our partners, to ensure our information is protected. We are in ongoing discussions with RSA to explore all options, including the replacement of tokens, but are confident we have put in place the right protections at this time.”

The situation remains a little more unclear with Telstra; with the telco not confirming whether it would replace its tokens. A spokesperson for the company would only say that it had been working with RSA on the issue since March, and was confident that the issue would not impact its customers, its data or its records, due to its multi-layered security approach.

In addition, not everyone agrees that changing the keyfobs over would actually resolve the security situation for RSA customers.

This afternoon, Paul Ducklin, the head of technology for the Australian division of RSA rival Sophos, slammed RSA for not properly disclosing what the actual security break-in had entailed at the company, stating that all RSA had done was allow the industry to speculate about what the problem might be. The solution to the problem for customers, Ducklin said, was unclear as yet — because RSA had not disclosed what access the attackers had to its systems — in effect, what information they had which would allow them to break through the security systems of RSA customers such as those highlighted above.

Because of this, Ducklin said, changing over the tokens might be an ineffective solution. “If you go to a takeaway [restaurant] and realise that you’ve had a dodgy meal, do you want a free meal afterwards?” he asked. “I’d say: OK, that’s great, but show me that you’ve made your place more hygienic.”

“If you ate “one burger with expired meat”, then went back for more, the executive argued, “you’re taking a gamble that next time the meat happens to be fresh”.

Other rival vendors, such as CA, have already started offering RSA customers an easy way out of the mess — offering to swap out RSA’s technologies with their own. CA’s local principal consultant for security, Trevor Iverach, said in an interview today that the hardware token technology was on its way out anyway — with the company seeing a general shift over the past six months to other solutions, such as the software-based offerings which CA sells. Some had seen the hardware as being too tough to manage.

Locally, RSA has been active in speaking to customers about the issue. But a spokesperson for the company declined to comment on the issue at all when contacted this morning by this publication.

Image credit: Crystal Woroniuk, royalty free