Companies who have unanswered questions and concerns about the RSA token hack should be talking to the IT department as soon as possible, according to a rival security vendor.
Westpac and ANZ announced this week that they had begun a replacement program of tokens for customers and staff, with ANZ revealing that it had decided to reissue 50,000 tokens to customers and corporate clients.
2nd Phase founder, Campbell Bradford, whose company distributes a rival token-less security product, approached Computerworld Australia with questions he says chief executive officers should be asking IT security staff about RSA. He also expressed concern that Australian companies would be waiting a long time for replacement tokens.
"Customers have invested in one of the most expensive systems on the market for zero security — and now the customers are going to have to shell out more expense recalling and redistributing tokens," he said
"The organisation spent money on a security product to do a job and it is now not doing that job so why spend any more money [redistributing new tokens] on a product that is potentially putting the organisation at risk? There is simply not any evidence of a sound business argument in favour of more operational expense being spent on this product."
According to Bradford, RSA customers should also be concerned about the long term viability of the company due to the high costs of replacing all the hacked tokens.
RSA has not said how much the cyber attacks have cost, but even before the SecureID replacement program, it was expensive. For its most recent financial quarter, ended March 31, EMC said the RSA group's gross margins dropped from 67.6 percent to 54.1 percent, year-over-year. EMC blamed this downturn on the attack.
"Will EMC just write off their 'investment' after they realise they paid too much for RSA in the first place and it is now tainting the EMC name?" Bradford said.
The questions CEOs should be asking security staff, according to Bradford, are:
1. When did you find out about the RSA hack? It was first reported in 18 March 2011. "If the IT Security people knew about it back in March what have they done about it since? With the total lack of information from RSA then surely you have to assume the worst and assume SecurID had been compromised," he said.
2. What risk analysis has been carried out since? If none why not?
3. Who did the risk analysis? Someone qualified and who knows authentication inside and out?
4. How much is distributing new tokens going to cost the organisation?
5. How are new tokens going to reduce the risk? What if RSA’s formula for calculating a token seed record that is associated with each token’s serial number has been compromised? What good are new tokens going to be? Has RSA stated that new tokens will definitely fix the problem?
6. When will we receive the replacements? Six months? 12 months?
7. So the vendor has to increase production significantly due to the hack. How is this going to affect the quality of the tokens?
8. If it is going to cost RSA US$1 billion to replace tokens free to everyone then how are they going to survive in another year? Will they exist in 2013?
9. How much does it cost the organisation each year to have tokens?
10. Are there any alternative two factor authentication offerings that are lower cost and more convenient that would save the organisation operating expenses without compromising security?
11. Are you happy with the current two factor authentication offering or is it too much of an overhead?
12. Are you happy with the price the organisation pays for tokens? Maintenance? Staff to maintain the existing two factor system?
13. When was the last time the organisation surveyed the market for alternative solutions?
14. How much would swapping to a new system cost? If the cost of swapping is less than the cost of redistributing new tokens and the ongoing costs are a fraction of the existing token based system why wouldn’t the organisation swap?
RSA's parent company ,EMC Australia, was approached for a response by Computerworld Australia but declined to comment.
Got a security tip-off? Contact Hamish Barwick at hamish_barwick at idg.com.au
Follow Hamish Barwick on Twitter: @HamishBarwick
Follow Computerworld Australia on Twitter: @ComputerworldAU