On March 17, 2011, RSA Executive Chairman Art Coviello made a public announcement that cyber criminals had penetrated internal systems at RSA, and the resulting data breach could compromise the authentication capabilities of their SecurID authentication tokens. SecurID tokens are used by tens of millions of users to securely log into online banking and enterprise networks over the Internet. RSA is the security division of EMC, Inc.
IronKey today announced that their Trusted Access for Banking product is immediately available to allow banks to protect their commercial banking customers from the risk of compromised RSA SecurID authentication tokens.
“Criminals used an Advanced Persistent Threat (APT) attack to breach the RSA SecurID infrastructure, and can now combine that information with data-stealing malware in order to compromise high value online banking sites,” said Dave Jevans, IronKey’s founder and chairman. “IronKey is already working with banks impacted by the RSA SecurID data breach in order to protect their customers. Banks that are using IronKey Trusted Access for Banking in combination with RSA SecurID can be reassured that their online banking users are kept safe from criminals involved in this massive breach. For banks that need immediate protection, Trusted Access can be deployed to their clients immediately, and does not require modification to back-end banking websites.”
While law enforcement continues to investigate the breach at RSA, the incident threatens the integrity of bank payment services, enterprise remote access and government systems. It is the focus of ongoing efforts by the U.S. Treasury, FS-ISAC, and other industry bodies tasked with securing global financial services. The most likely scenario proposed by industry experts is that the secret codes, also known as seeds, used to generate one-time passcodes have been compromised or stolen, potentially allowing RSA SecurID authentication to be performed without a genuine token. RSA states “this information could potentially be used to reduce the effectiveness of a current two-factor authentication implementation as part of a broader attack.” To do this, criminals must match their stolen data with real user identities.
Criminals will likely turn to crimeware such as ZeuS and SpyEye to infect the computers of online banking users. These toolkits allow rapid development and distribution of Trojans that can match users to SecurID tokens and capture the additional information needed to successfully take over online accounts and steal money. Additional data required by criminals include sample one-time passcodes generated by an RSA SecurID device or software token, authentication PINs, and private challenge answers known only to users. Crimeware toolkit attacks likely to be used include:
• Man-in-browser attack: By modifying browser executables and shared libraries, criminals can present users with fake web pages and requests for information such as one-time passcode entry and private challenge answers;
• Keylogging: Capture of keystrokes including one-time passcodes, authentication PINs, and other personally identifiable information;
• Network monitoring: Listening for user access to specific online banking sites to activate attacks and filter for only relevant banking information;
• DNS tampering: Modification of computer network settings to redirect users to realistic but fake banking sites used to capture credentials.
Aware of the potential for compromise to online banking accounts requiring RSA SecurID authentication, RSA (rsa.com) has recommended customers strengthen the security of SecurID deployments. These suggestions include using strong passwords/PINs in combination with one-time passcodes, closely monitoring user databases that could link users with tokens, and reiterating anti-fraud education. While these are best-practice security recommendations, these methods have been, and can easily again be, compromised using the malware toolkits and attacks described earlier.
IronKey Trusted Access for Banking allows banks to continue using their existing SecurID deployments and banking applications without enabling criminals to make use of the stolen RSA data. IronKey designed Trusted Access for Banking to isolate online banking users from APT attacks using toolkits such as ZeuS and SpyEye rather than trying to detect them.
Specifically, Trusted Access addresses these likely attacks:
• Man-in-browser attack: Trusted Access isolates users from malware by running in a fully virtualized OS environment, does not depend on desktop browsers, and runs from a write-protected USB security device;
• Keylogging: Protects keyboard input, including one-time passcodes, authentication PINs, and challenge questions, from keylogging software;
• Network monitoring: Encrypts all network access through a secure tunnel so Trojans are unable to monitor DNS lookups and website access to identify online banking activity;
• DNS tampering: Provides authoritative DNS lookups that are not dependent on local network or ISP settings and are delivered through an encrypted tunnel.
In addition to immediately strengthening an RSA SecurID deployment, Trusted Access also allows banks to address current and draft industry guidelines. Trusted Access allows banks to provide a dedicated online banking experience as recommended by NACHA and the FBI [1]. In addition, draft FFIEC guidance that updates 2005 online banking authentication guidelines recognizes that a USB device that securely connects users to online banking is a relevant multi-layer security control to prevent fraud [2].
IronKey Trusted Access for Banking is available immediately worldwide. With Trusted Access for Banking, users simply connect their Trusted Access USB device to their computer to automatically launch a protected, virtualized online banking environment. The Trusted Access Browser starts at the bank’s home page and restricts users to only navigate to bank-authorized websites. To protect users from ever-changing malware, Trusted Access for Banking does not rely on potentially compromised and vulnerable applications on the user’s host computer. Instead, a secure, encrypted connection to online banking is made through the IronKey Trusted Network to lock out man-in-the-middle and DNS attacks. Advanced encrypted keyboard input protects users from keyloggers that can steal user names and passwords.
[1] National Automated Clearinghouse Association (NACHA)
[2] Federal Financial Institutions Examination Council (FFIEC)
“Protecting Online Banking Customers from Evolving Cyber Crime Threats,” a 20-minute online webcast from IronKey, can help you understand the risks facing anyone using a PC for online banking and why anti-virus software, firewalls, and other conventional safeguards are not able to stop these attacks. The webcast explains the latest bank phishing attacks, the ZeuS Trojan and SpyEye, the "mule" economy and dozens of other topics relevant to understanding and fighting this serious crime wave.
“Trusted Access Guided Demonstration” provides a complete product demonstration and example attacks. Presented by Kapil Raina, senior product manager at IronKey, the demonstration also shows how banks can easily issue and manage Trusted Access.
Ranked as the 14th best venture-funded startup in The Wall Street Journal's "Next Big Thing 2011" survey, IronKey secures data and online access for individuals, enterprises, and governments. IronKey solutions protect remote workers from the threats of data loss, compromise of passwords, and computers infected by malicious software and crimeware. IronKey multi-function devices connect to a computer's USB port and are easy to manage with the IronKey management service. This allows users to securely carry sensitive corporate data, strongly authenticate to VPNs and corporate networks and isolate online banking customers from Advanced Persistent Threat attacks. IronKey customers include Fortune 500 companies, healthcare providers, financial institutions and government agencies around the world. Trusted Access for Banking has also won numerous awards such as ‘FutureNow 2010 Top 5’ from Bank Technology News. Visit IronKey.com for more information.