The nation’s biggest banks and large technology companies like SAP rushed Tuesday to accept RSA Security’s offer to replace their ubiquitous SecurID tokens as many computer security experts voiced frustration with the company.
The company’s admission of the RSA tokens’ vulnerability on Monday was a shock to many customers because it came so long after a hacking attack on RSA in March and one on Lockheed Martin last month. The concern of customers and consultants over the way RSA, a unit of the tech giant EMC, communicated also raises the possibility that many customers will seek alternative solutions to safeguard remote access to their computer networks.
Bank of America, JPMorgan Chase, Wells Fargo and Citigroup said they planned to replace the tokens as soon as possible. The banks declined to say how many customers would be affected, although SAP said that most of its 50,000 employees used RSA’s tokens and that it was seeking to replace them all.
Defense industry officials said Tuesday that concerns about the tokens had prompted some of the nation’s largest military contractors to accelerate their plans to shift to computer smart cards and other emerging security technology.
The RSA tokens provide security by requiring users to enter a unique number generated by the token each time they connect to their networks.
Competitors eyeing the dominant market share of RSA are offering special deals like $5 rebates per token to customers that are considering a switch.
For now, however, the biggest worry for RSA is how to appease angry customers as well as mollify computer security consultants, who have been increasingly critical of how long it took the company to acknowledge the severity of the problem.
Industry officials said that Lockheed, the nation’s largest military contractor, made the security changes suggested by RSA after its attack in March. They included increased monitoring and addition of another password to its remote log-in process. Yet the hackers still got into Lockheed’s network, prompting security experts to say that the tokens themselves needed to be reprogrammed.
Arthur W. Coviello Jr., RSA’s executive chairman, made the offer in a letter posted on the company’s Web site on Monday. He said RSA was expanding the offer to companies other than military contractors, particularly those focused on protecting intellectual property and their corporate networks. He also said it was suggesting that banks use two additional RSA services to avert fraud in authenticating computer log-ins.
Mr. Coviello said in the letter that characteristics of the attack on RSA “indicated that the perpetrator’s most likely motive” was to steal security information that could be used to obtain military secrets and intellectual property. He said that RSA had worked with military companies to replace their tokens “on an accelerated timetable.”
Michael Gallant, an EMC spokesman, said, “We have not withheld any information that would adversely affect the security of our customers’ systems.”
“We provided very specific recommendations, we provided details of the attack, and we worked closely with customers to strengthen their overall security,” Mr. Gallant said.
The company’s admissions were too little, too late, industry experts said.
“They got pushed really hard by some of their customers, particularly in the financial services sector,” said Gary McGraw, chief technology officer for Cigital, a computer security consulting company based in Washington. “They came around, but they came around late.”
Mr. McGraw said that companies would be wise to replace RSA’s tokens and that some companies — banks, in particular — had done so. Like many people, he criticized RSA for failing to disclose the potential danger of the problem to its customers.
Until Monday, RSA said publicly and privately in meetings with customers that replacements were unnecessary, he said. “They shared their party line that everything is fine — pay no attention to the explosion in the corner,” Mr. McGraw said.
Another security consultant, Alex Stamos, chief technology officer for iSEC Partners, said that many companies that use RSA tokens were irate about the hacking and RSA’s response. He claimed that RSA misled customers about the potential problems after the initial hacking came to light. “Their whole excuse doesn’t hold water,” he said.
Mr. Stamos said that by minimizing the problem for six to seven weeks, RSA made companies more vulnerable.
“There would have been huge benefit for RSA customers to know the truth,” he said.
In the short term, customers are focused on getting new tokens, but the overall outlook is cloudy.
“Companies are asking for the new tokens and looking long term to switching away from RSA,” Mr. Stamos said. “If you have 30,000 employees, switching to a new access solution is a yearlong process.”
Avivah Litan, a longtime financial technology analyst for Gartner, estimated that it would cost banks just under $1 per customer to clean up the mess, even though RSA had agreed to supply new tokens. That would amount to as much as $95 million in customer service, mailing and other costs — a tiny fraction of the roughly $29 billion in profit the banking industry earned in the first quarter of this year.
As a result, most bankers see the recent breach as an annoyance, not a major security threat. Ms. Litan said that most of the biggest banks would step up other fraud protection measures, like monitoring their Web sites and customer accounts for suspicious behavior.
Moving to a new token provider would be costly because it would require them to redesign their online-banking applications as well as help customers — typically high-net-worth customers they do not want to alarm — make the shift to a new system.
Still, to increase security, Ms. Litan predicted that more banks would instead turn to new fraud prevention technologies that have been gaining adoption recently.
Such technologies help banks make sure that customers’ PCs are malware-free, send text messages or call customers to confirm transactions, and use analytics to look for unusual behavior that might point to fraud.
But the blow to RSA’s reputation could hurt the company’s ability to win new business, she said. While RSA was once the safe, conservative choice, “now when people talk about them, they will always be associated with this breach,” Ms. Litan said.
Experts have speculated that the hackers obtained at least part of the RSA databases holding serial numbers and other critical data for the tens of millions of tokens. But to make use of the data stolen from RSA, security experts said, the hackers of Lockheed would also have needed the passwords of one or more users on the company’s network.
RSA has said that in its own breach, the hackers did this by sending “phishing” e-mails to small groups of employees, including one worker who opened an attachment that unleashed malicious software, enabling the hacker to obtain the worker’s passwords.
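The two ingredients the experts describe above, a copy of the token seed database plus a phished password, and why replacing (reseeding) the tokens is the remedy, can be illustrated with a small model. This is an added example, not code from RSA or from any company named in the article. RSA's SecurID algorithm is proprietary and not shown here; the generator below is the published HMAC-based one-time-password construction from RFC 4226/6238, used as a stand-in. The token serial, seeds, user name, password and timestamp are all constructed values.

```python
import hashlib
import hmac
import struct

# Stand-in for a hardware token: one-time code = f(secret seed, time step).
# This is the RFC 4226 HOTP construction (truncated HMAC-SHA1); SecurID's
# own algorithm is proprietary and differs, but the dependency on a per-token
# seed held by both the token and the verifier is the point being shown.
def otp_from_seed(seed: bytes, counter: int, digits: int = 6) -> str:
    msg = struct.pack(">Q", counter)                     # 8-byte big-endian counter
    mac = hmac.new(seed, msg, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                              # dynamic truncation
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)

def time_step(unix_time: int, period: int = 60) -> int:
    # Tokens display a new code every `period` seconds (constructed value).
    return unix_time // period

class AuthServer:
    """Minimal verifier: a seed database keyed by token serial, plus per-user passwords."""
    def __init__(self):
        self.tokens = {}  # serial -> seed (the database the article says was partly stolen)
        self.users = {}   # username -> (serial, password hash)

    def enroll(self, username: str, serial: str, seed: bytes, password: str) -> None:
        self.tokens[serial] = seed
        self.users[username] = (serial, hashlib.sha256(password.encode()).digest())

    def verify(self, username: str, password: str, code: str, now: int) -> bool:
        if username not in self.users:
            return False
        serial, pw_hash = self.users[username]
        # Both factors must check out: something known (password) and something held (token).
        if not hmac.compare_digest(hashlib.sha256(password.encode()).digest(), pw_hash):
            return False
        expected = otp_from_seed(self.tokens[serial], time_step(now))
        return hmac.compare_digest(expected, code)

    def reseed(self, serial: str, new_seed: bytes) -> None:
        # Token replacement: the verifier and the new token share a fresh seed,
        # so any copy of the old seed database no longer produces valid codes.
        self.tokens[serial] = new_seed

def walkthrough() -> dict:
    """Replays the chain described in the article against the model server."""
    server = AuthServer()
    seed = b"constructed-seed-000001"            # constructed; real seeds are random per token
    server.enroll("alice", "SN-000001", seed, "correct horse battery")
    now = 1_300_000_000                          # constructed timestamp

    results = {}
    # 1. Legitimate login: token in hand and password known.
    results["legit"] = server.verify(
        "alice", "correct horse battery", otp_from_seed(seed, time_step(now)), now)

    # 2. A copy of the seed database alone reproduces the token's code,
    #    but the password factor still blocks the login.
    copied_seed_db = dict(server.tokens)
    reproduced = otp_from_seed(copied_seed_db["SN-000001"], time_step(now))
    results["seed_copy_only"] = server.verify("alice", "wrong", reproduced, now)

    # 3. Seed copy plus a password obtained by phishing: the second ingredient
    #    the experts say was needed. The token is no longer an independent factor.
    results["seed_copy_plus_password"] = server.verify(
        "alice", "correct horse battery", reproduced, now)

    # 4. Reseeding (token replacement) invalidates the copied database even
    #    when the password is still known.
    new_seed = b"constructed-seed-000001-replacement"   # constructed
    server.reseed("SN-000001", new_seed)
    stale = otp_from_seed(copied_seed_db["SN-000001"], time_step(now))
    results["old_copy_after_reseed"] = server.verify(
        "alice", "correct horse battery", stale, now)
    results["new_token_after_reseed"] = server.verify(
        "alice", "correct horse battery", otp_from_seed(new_seed, time_step(now)), now)
    return results

if __name__ == "__main__":
    for step, ok in walkthrough().items():
        print(f"{step:28s} login accepted: {ok}")
```

The walkthrough shows why adding another password to the login, as Lockheed is reported to have done, raises the bar but does not restore the token as an independent factor once its seed is known, and why the lasting fix is new seeds, which is what replacing the tokens achieves.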
Lockheed has said it would keep using the SecurID tokens and would replace 45,000 of them. L-3 Communications, a military contractor in New York, is also still using the tokens.
The military industry officials said that even before the breach at RSA, Northrop Grumman, another giant military contractor, had begun shifting from SecurID tokens to smart cards. The Pentagon also uses the smart cards, and other military contractors are accelerating plans to switch to them as well, the officials said.
Indeed, analysts say rivals like Vasco Data Security, Symantec, VeriSign and dozens of small security vendors are circling. On Tuesday, PhoneFactor, which offers a phone-based password service to hundreds of companies, offered live Webcasts and a rebate to companies that wanted to switch.
“Since the Lockheed story, it’s been crazier than ever,” said Steve Dispensa, the chief technology officer of PhoneFactor.
Reporting was contributed by Verne G. Kopytoff, Riva Richmond and Eric Dash.