   From the Desk of Bill Hinson
Written by: Bill Hinson
5/30/2011 6:23 AM

There are common-sense best practices banks can use to keep hackers from turning the recent RSA breach into fraud against their customers.

Following RSA's admission of a data breach in March 2011, banks are still wondering what happened and what they should do to keep hackers from using the stolen, still-undisclosed data against their customers. In its announcement and cryptic description of the theft, RSA stated that "this information could potentially be used to reduce the effectiveness of a current two-factor authentication implementation as part of a broader attack." RSA has offered no further detail, citing the protection of its customers, but our review of the available information and the various reports around the breach suggests that the attackers may have obtained what they need to generate a token's one-time passcodes, which would allow RSA SecurID authentication to succeed without the legitimate user's token in hand.
While this is just one piece of the information needed to access a banking account, it is a big piece and a serious threat to banks. To make use of it, hackers still need to know which token (by serial number) belongs to which user, along with that user's login ID and PIN. Unfortunately, that data lives on what is usually the weakest link in the chain: your customer's computer.
In the last few years, attacks on cash management systems have become commonplace and have led many banks to issue RSA tokens to their commercial banking customers as protection against wire fraud and unauthorized access to those systems. In fact, the FFIEC's 2011 draft guidance addresses many of the issues that drove banks to deploy tokens for cash management users over the last few years. We can only surmise that RSA's breach has delayed the FFIEC from finalizing the draft while it considers what additional measures should be in place in light of the breach.
As we at Creative Consultants Group always recommend, security is best applied in layers and constantly monitored for abnormal patterns and accesses. The best practice recommendations below, from Creative and RSA, are already normal in our design and monitoring of our customers' systems. They all bear repeating and reapplying, however, to ensure we are doing all we can to protect bank customer data and bank reputations.
Some immediate steps banks should take include:
- Perform/Update Risk Assessments for Online Banking Systems: Part of the 2011 FFIEC guidance is increased risk assessment and due diligence for online banking systems. In light of the RSA breach and the recent increase in malware on smartphones, now is a good time to perform or update the risk assessment of your online banking systems, taking the guidance below into account.
- Add host-based security controls and protection for end users: Large-scale attacks using the stolen RSA data will most likely be aimed at banks' customers, where they will be most effective. Without strong protection against man-in-the-middle (MITM), man-in-the-browser (MITB), keylogging, browser monitoring, and DNS tampering attacks, among others, customers are easy prey. As described in the 2011 draft FFIEC guidance, host-based security controls can isolate the banking session and securely connect users with your banking site. Controls that isolate users from malware are much more effective than controls that try to detect known attacks.
- Monitor Log Files looking for changes in usage patterns: The information provided by RSA and others recommends watching for failed authentication attempts, but criminals are unlikely to brute-force PINs because the noise would spoil their plans. Instead, review logs for subtler anomalies: successful authentications followed almost immediately by a logout (an attacker confirming that a compromised token and PIN work), or access from outside your geographic scope of operations. For most community and regional banks, the IP addresses used to reach their systems fall within a specific geographic region, so a sudden spike in logins from addresses outside that region is a major indicator. A further step may be to block access from foreign countries and their associated IP address ranges. While this may inconvenience some users who travel internationally, it is a reasonable temporary measure while the exposure lasts.
- Add new customer education: Banks don't need to alert customers specifically to the RSA breach, but they should add new topics to their education programs. Topics that are relevant but probably not covered before include: the bank will never ask for a token serial number after registration, and the bank will never ask for a tokencode over the phone or outside of authentication and payment authorization.
- Review token issuance and distribution processes: Review the entire token issuance process. Serial numbers and customer information are probably stored in internal databases used for issuance, and may even have been handed to third parties that perform device distribution. If a third party is involved, ask whether it is necessary for them to receive and retain this information.
- Segment authentication infrastructure: As RSA recommends, the RSA Authentication Manager and any other system that links customers to tokens should be segmented and hardened. Criminals have shown they can infiltrate deep into an organization, and the systems that map users to tokens are an obvious target. Making attackers work through segmented networks may alert you to their presence. If a service provider delivers authentication as a service, ask them about this risk and how they protect their systems.
- Educate call center and customer support: Like customers, call center and customer support staff should receive new training related to the RSA breach. Staff should proactively educate customers about what fraud looks like, even during non-fraud or non-technical support calls. This reaches customers who would otherwise not notice fraud education, and it shows the customer that you are looking out for their security.
- Require PINs: SecurID authentication should always combine something the user has (the token, which produces the tokencode) with something they know (a PIN or password). Requiring a PIN alongside the tokencode makes online banking harder to attack for an adversary who has matched a user to a token. Of course, as discussed above, it is not a big leap to go from matching a user to their token to capturing their PIN as well. This is an important best practice, but on its own it will not stop criminals.
- Review Systems with Third Party Providers: Many banks rely on their core system providers or third-party vendors to deliver online banking to their customers. As we recently heard from an FDIC auditor, a bank can outsource the function, but it cannot outsource the responsibility. To fulfill that responsibility, question your provider about this breach and the best practices here, and assess and integrate their answers into your risk assessment. This review should happen at least annually, and any time circumstances warrant it, as with the RSA breach.
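The log review described in the monitoring step above, as an added Python example that is not part of the original post or of any RSA tooling. It scans a handful of constructed authentication log lines for the two anomalies the post calls out (a successful login followed almost immediately by a logout, and logins from addresses outside the bank's region) and shows why counting failed logins alone misses this scenario. The log format, the HOME_NETS address blocks, the 60-second "quick logout" threshold and the one-per-day baseline are all assumptions made for the example; a bank would substitute its own log layout and historical data.

```python
"""Scan constructed online-banking authentication logs for the anomalies described
in the post: successful logins followed by an immediate logout, and logins from
source addresses outside the bank's normal service region.  Example code, not the
post's own or RSA's."""
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines, not real data.  Assumed format:
#   <ISO-8601 timestamp> <user> <LOGIN_OK|LOGIN_FAIL|LOGOUT> <source IP>
SAMPLE_LOG = """\
2011-05-26T08:02:11 acme_corp_ap LOGIN_OK 68.24.10.17
2011-05-26T08:41:55 acme_corp_ap LOGOUT 68.24.10.17
2011-05-27T09:15:03 bobs_hardware LOGIN_OK 69.18.44.2
2011-05-27T09:35:21 bobs_hardware LOGOUT 69.18.44.2
2011-05-27T22:47:40 acme_corp_ap LOGIN_OK 91.210.4.15
2011-05-27T22:47:58 acme_corp_ap LOGOUT 91.210.4.15
2011-05-27T23:01:12 smith_dental LOGIN_OK 91.210.4.15
2011-05-27T23:30:44 smith_dental LOGOUT 91.210.4.15
2011-05-27T23:45:09 acme_corp_ap LOGIN_OK 91.210.4.15
"""

# Assumed: address blocks from which the bank's commercial customers normally connect.
# A real deployment would derive these from historical logs or a geolocation database.
HOME_NETS = [ipaddress.ip_network("68.24.0.0/16"), ipaddress.ip_network("69.18.0.0/16")]
QUICK_LOGOUT = timedelta(seconds=60)   # assumed threshold for "logged in, then straight out"
BASELINE_PER_DAY = 1                   # assumed normal count of out-of-region logins per day


def parse_log(text):
    """Return (timestamp, user, event, ip) tuples; blank lines are skipped."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, event, ip = line.split()
        events.append((datetime.fromisoformat(ts), user, event, ipaddress.ip_address(ip)))
    return events


def failed_logins(events):
    """Count LOGIN_FAIL events.  A criminal holding a working seed and PIN produces none,
    which is why alerting on failures alone misses this scenario."""
    return sum(1 for _, _, event, _ in events if event == "LOGIN_FAIL")


def quick_logouts(events, max_duration=QUICK_LOGOUT):
    """Successful logins followed by a logout from the same user within max_duration.
    Returns (user, login ip, session seconds) for each such probe-like session."""
    open_sessions = {}
    hits = []
    for ts, user, event, ip in events:
        if event == "LOGIN_OK":
            open_sessions[user] = (ts, ip)
        elif event == "LOGOUT" and user in open_sessions:
            start, login_ip = open_sessions.pop(user)
            if ts - start <= max_duration:
                hits.append((user, str(login_ip), int((ts - start).total_seconds())))
    return hits


def out_of_region_logins(events, home_nets=HOME_NETS):
    """Successful logins whose source address lies outside every home network."""
    return [(ts, user, str(ip)) for ts, user, event, ip in events
            if event == "LOGIN_OK" and not any(ip in net for net in home_nets)]


def daily_out_of_region_counts(events, home_nets=HOME_NETS):
    """Out-of-region login count per calendar day, for spotting a sudden spike."""
    counts = defaultdict(int)
    for ts, _user, _ip in out_of_region_logins(events, home_nets):
        counts[ts.date().isoformat()] += 1
    return dict(counts)


def spike_days(counts, baseline_per_day=BASELINE_PER_DAY):
    """Days whose out-of-region login count exceeds the assumed baseline."""
    return sorted(day for day, n in counts.items() if n > baseline_per_day)


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("failed logins:", failed_logins(evs))
    for user, ip, secs in quick_logouts(evs):
        print(f"quick logout: {user} from {ip} after {secs}s")
    for ts, user, ip in out_of_region_logins(evs):
        print(f"out-of-region login: {ts} {user} from {ip}")
    print("spike days:", spike_days(daily_out_of_region_counts(evs)))
```

On the constructed data there are no failed logins at all, yet the same evening shows an 18-second session for acme_corp_ap from an address outside the home blocks, followed by two more out-of-region logins from that address under different customer IDs. That is the pattern the post describes: a working credential being verified and then reused, with nothing for a failure-count alert to see. The quick-logout rule will also fire on legitimate users who log in just to check a balance, so treat it as a triage signal to combine with the source-address check rather than a standalone alarm.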
 
Should Your Bank Continue To Use RSA Tokens?
Absolutely. RSA's two-factor authentication systems remain among the best security available. While it is unfortunate that this breach occurred, it is a reminder that banks must always use a multi-layered approach that does not depend on any single factor or system to protect their customers. The breach may prompt large-scale changes in the applications used to host online banking, but those changes will come slowly. The best course for now is to apply the best practice recommendations above, which help isolate customers from being affected by RSA's breach.
For more information on how Creative Consultants Group can assist your bank in securing your customers, visit us on the web at http://creativeconsultants.net or contact us at 1-888-293-4224.
About Creative Consultants Group
Founded in 1997, Creative Consultants Group provides technology, communications, and information security peace of mind to banking organizations by delivering Premier IT infrastructure, Communications, Security, and Web services that utilize the most reliable and advanced systems and processes in the world. Organizations use Creative Consultants Group’s IT management services to keep their businesses running 24×7, to increase reliability and to protect mission-critical data. Creative Consultants Group is a leading provider of IT Managed Services and Communications Infrastructure/Services to the banking and financial services markets. Creative is IT for Bank! ® For more information, visit us on the web at http://creativeconsultants.net or call us at 888-293-4CCG or locally at 843-234-9980.
 

Copyright 2011 by Creative Consultants Group