Re: awk post# 210470

Tuesday, 06/07/2011 11:05:31 PM

Post# of 249944
RSA Faces Angry Users After Breach
By NELSON D. SCHWARTZ and CHRISTOPHER DREW
Published: June 7, 2011

The nation’s biggest banks and large technology companies like SAP rushed Tuesday to accept RSA Security’s offer to replace their ubiquitous SecurID tokens as many computer security experts voiced frustration with the company.
[Photo: An RSA Security SecurID device. The company made the admission on Monday that its SecurID tokens were vulnerable. Credit: Tony Cenicola/The New York Times]

The company’s admission of the RSA tokens’ vulnerability on Monday was a shock to many customers because it came so long after a hacking attack on RSA in March and one on Lockheed Martin last month. The concern of customers and consultants over the way RSA, a unit of the tech giant EMC, communicated also raises the possibility that many customers will seek alternative solutions to safeguard remote access to their computer networks.

Bank of America, JPMorgan Chase, Wells Fargo and Citigroup said they planned to replace the tokens as soon as possible. The banks declined to say how many customers would be affected, although SAP said that most of its 50,000 employees used RSA’s tokens and that it was seeking to replace them all.

Defense industry officials said Tuesday that concerns about the tokens had prompted some of the nation’s largest military contractors to accelerate their plans to shift to computer smart cards and other emerging security technology.

The RSA tokens provide security by requiring users to enter a unique number generated by the token each time they connect to their networks.

Competitors eyeing the dominant market share of RSA are offering special deals like $5 rebates per token to customers that are considering a switch.

For now, however, the biggest worry for RSA is how to appease angry customers as well as mollify computer security consultants, who have been increasingly critical of how long it took the company to acknowledge the severity of the problem.

Industry officials said that Lockheed, the nation’s largest military contractor, made the security changes suggested by RSA after its attack in March. They included increased monitoring and addition of another password to its remote log-in process. Yet the hackers still got into Lockheed’s network, prompting security experts to say that the tokens themselves needed to be reprogrammed.

Arthur W. Coviello Jr., RSA’s executive chairman, made the offer in a letter posted on the company’s Web site on Monday. He said RSA was expanding the offer to companies other than military contractors, particularly those focused on protecting intellectual property and their corporate networks. He also said it was suggesting that banks use two additional RSA services to avert fraud in authenticating computer log-ins.

Mr. Coviello said in the letter that characteristics of the attack on RSA “indicated that the perpetrator’s most likely motive” was to steal security information that could be used to obtain military secrets and intellectual property. He said that RSA had worked with military companies to replace their tokens “on an accelerated timetable.”

Michael Gallant, an EMC spokesman, said, “We have not withheld any information that would adversely affect the security of our customers’ systems.”

“We provided very specific recommendations, we provided details of the attack, and we worked closely with customers to strengthen their overall security,” Mr. Gallant said.

The company’s admissions were too little, too late, industry experts said.

“They got pushed really hard by some of their customers, particularly in the financial services sector,” said Gary McGraw, chief technology officer for Cigital, a computer security consulting company based in Washington. “They came around, but they came around late.”

Mr. McGraw said that companies would be wise to replace RSA’s tokens and that some companies — banks, in particular — had done so. Like many people, he criticized RSA for failing to disclose the potential danger of the problem to its customers.

Until Monday, RSA said publicly and privately in meetings with customers that replacements were unnecessary, he said. “They shared their party line that everything is fine — pay no attention to the explosion in the corner,” Mr. McGraw said.

Reporting was contributed by Verne G. Kopytoff, Riva Richmond and Eric Dash.