
Banks Begin To Use RSA Keys

timothy posted more than 9 years ago | from the probably-a-patent-on-this-too dept.

Security 208

jnguy writes "According to the New York Times (free bacon required), banks are beginning to look into using RSA keys for security. AOL has already begun offering its customers RSA keys at a premium price. Is this the future of security, and is it secure enough? How long before everyone needs to carry around 5 different RSA keys just to perform daily tasks?"


um (1)

NoGuffCheck (746638) | more than 9 years ago | (#11182673)

yes and no... mainly no.

Article not about "RSA Keys" -- Hardware token (1)

Commander Trollco (791924) | more than 9 years ago | (#11182816)

The article is really talking about using hardware tokens for extra security since the private data is stored on an external token and can't be stolen by viruses, phishing scams, or trojans. I don't even see RSA mentioned in the article -- there is an inset picture of an RSA SecurID but that's as close as it gets.

Idiotasses posting goatse links in posts/sigs (-1)

Anonymous Coward | more than 9 years ago | (#11182991)

Please cease in posting the fake links, is that necessary?

For those who don't want to register: (-1, Redundant)

bugbeak (711163) | more than 9 years ago | (#11182675)

For years, banks gave away toasters to people who opened checking accounts; soon they may be distributing a more modern kind of appliance. Responding to an increase in Internet fraud, some banks and brokerage firms plan to begin issuing small devices that would help their customers prove their identities when they log on to online banking, brokerage and bill-payment programs.

E*Trade Financial intends to introduce such a product in the first few months of 2005. And U.S. Bancorp says it will test a system, though it has not given a timetable.

The devices, which are hand-held and small enough to attach to a keychain, are expected to cost customers roughly $10. They display a six-digit number that changes once a minute; people seeking access to their accounts would type in that number as well as a user name and password. The devices are freestanding; they do not plug into a computer.

Some banks, like Wachovia of Charlotte, N.C., and Commerce Bancshares of Kansas City, Mo., already use these hardware tokens to identify employees and corporate customers, and say they are evaluating the technology for retail banking use. Others, like Fidelity Investments and Bank of America, are researching the matter.

"Every single major bank is considering it," said James Van Dyke, principal and founder of Javelin Strategy and Research of Pleasanton, Calif., which advises financial services companies on payments and technology issues.

Although there are drawbacks in terms of cost and convenience - as well as questions about what would happen if a customer lost the device or it were stolen - there is growing pressure from bank regulators to add safeguards of this type to online financial services. In a report last week, the Federal Deposit Insurance Corporation, which insures bank deposits, said that existing authentication systems were not secure enough and that an extra layer of security should be added to the sign-in process.

"The financial services industry's current reliance on passwords for remote access to banking applications offers an insufficient level of security," the F.D.I.C.'s report said. Two-factor authentication, which typically includes a memorized password and a hardware security device, "has the potential to eliminate, or significantly reduce, account hijacking," it said.

To be sure, there are many ways to add the kind of security that the agency is seeking, and any number of technology vendors eager to supply products. The F.D.I.C. evaluated some possible alternatives, including smart cards, which are plastic cards with embedded microprocessor chips; biometrics, which identify people by their fingerprints, voice or physical characteristics; and shared secrets, in which a customer is asked a question that, in theory, only he or she could answer.

But the system that has so far taken root in the market is the one that relies on number-changing hardware tokens, which have the shape and feel of the plastic security devices that people click to unlock their cars. Several large banks in Europe and Australia - including Credit Suisse, ABN Amro and Rabobank - already issue these tokens to customers, sometimes making them bear the cost of the device.

In the United States in September, America Online introduced a program, AOL Passcode, that lets subscribers buy the keychain device for $9.95 and use it for authentication purposes, at a subscriber fee of $1.95 to $4.95 a month, depending on the number of screen names linked to it.

Proponents of these devices are aware that they present other problems. Financial companies are concerned about making online banking less convenient and about adding fees for the hardware token. Customers with accounts at several institutions may wind up with an unwieldy number of tokens or swamp call centers with questions about the new systems. Several foreign banks have made the tokens mandatory for online customers.

E*Trade, which is expected to be the first United States financial institution to introduce the program for retail customers, will make it optional and charge for the device. Joshua S. Levine, chief technology officer at E*Trade, said the technology seemed to provide the "comfort that most people want." And "when you have your money at stake," he said, "you really want to feel comfortable."

E*Trade has been testing its program for the last two months, giving the devices free to 200 interested customers. So far, the tests have attracted customers with high incomes who conduct many transactions and tend to be knowledgeable about technology, Mr. Levine said. "Based on the feedback these customers have been giving us," he added, "we feel it will be very successful."

A hardware token is only one way to increase security. At E*Trade, customers who want to conduct wire transfers must wait for a confirmation number to be sent to their cellphones or personal digital assistants, then enter that number to complete the transaction, Mr. Levine said. People who sign up for the E*Trade hardware tokens and lose them will have to call customer service to authenticate themselves, he said.

U.S. Bancorp plans to try out a system involving hardware tokens that will be based on technology from VeriSign, the Internet security company. The bank declined to add details.

The urgency surrounding the issue is linked to an increase in "phishing," the practice of sending fraudulent e-mail messages en masse to bait people into disclosing sensitive information. Newer scams involve "malware," which can install itself on a computer through e-mail or pop-up ads, detect when someone starts to use an online banking program or make a credit card payment, and then record the person's keystrokes and capture account details. The victims do not even have to do something foolhardy like giving away account numbers or passwords.

"We're just seeing new stuff out there all the time," said Dave Jevans, chairman of the Anti-Phishing Working Group, a coalition of companies in financial services and information technology. But he added: "I don't think people need to be any more scared than going to an A.T.M. at nighttime. They need to be cautious; don't do silly things."

People who run antivirus software on their home computers, who have installed firewalls to guard against incursions, and who take other security precautions need not worry so much about the proliferation of online threats, security experts say. But they add that these people are probably not in the majority.

Some bankers say they are leery about rushing to install new systems that may not solve all the problems. Concerns over phishing have "provoked some of the government agencies to come up with simple solutions to very complex problems," said John Carlson, a former regulator with the Office of the Comptroller of the Currency who is now a senior director at BITS, the technology arm of the Financial Services Roundtable, a trade group. "Consumer acceptance and ease of use are huge issues," he said.

At Wachovia, which offers both hardware tokens and digital certificates to corporate customers, Joanne Young, the wholesale business manager for e-commerce, says that the certificates are easier to use, although unlike the tokens, they are not portable from one machine to another. When she telecommutes, "I always have to find my hardware token on my computer at home," Ms. Young said. "My kids are always moving it on my desk."

Re:For those who don't want to register: (2, Insightful)

lordsilence (682367) | more than 9 years ago | (#11182691)

I'd rather register than read through this unformatted text ;) thanks anyhow.

Re:For those who don't want to register: (5, Interesting)

Xentropy (843502) | more than 9 years ago | (#11182827)

A better solution is to use the archive link, which doesn't require registration:

http://www.nytimes.com/2004/12/24/technology/24online.html?ex=1261544400&en=7cc80182b7687ad9&ei=5090&partner=rssuserland [nytimes.com]

(Link created by the NY Times Link Generator: http://nytimes.blogspace.com/genlink [blogspace.com] )

Re:For those who don't want to register: (1)

Joey Patterson (547891) | more than 9 years ago | (#11182694)

Or you could use (courtesy of BugMeNot [bugmenot.com]):

Account #1

Username: f6ckoff666
password: fuckoff

Chinese Supercomputers Crack Normal Passwords (0, Interesting)

Anonymous Coward | more than 9 years ago | (#11182711)

The reality is that the RSA key is a godsend for protecting your accounts. Many Americans are simply unaware of the fact that the Taiwanese [geocities.com] have essentially given all the key computer technologies to mainland China [phrusa.org] . Beijing can now assemble a supercomputer based solely on the technology from Acer, a Taiwanese company with major investments in mainland China. This supercomputer can easily crack the passwords of many accounts at your bank, brokerage, etc.

The RSA will help to protect Western bank/brokerage accounts from Chinese theft. That the majority of stolen credit card numbers end up in the hands of Chinese gangs, aided and abetted by Beijing, in Southeast Asia should surprise no one.

Re:Chinese Supercomputers Crack Normal Passwords (0)

Anonymous Coward | more than 9 years ago | (#11182801)

Most of what you just said is wrong, could you possibly be trying to spread a little AC FUD?

Put up or Shut up (-1, Flamebait)

Anonymous Coward | more than 9 years ago | (#11182821)

I read the grandparent article, and I read your article. Your article seems to be more FUD than the grandparent article.

Which statement is false in the grandparent article? You declined to state. On the other hand, the web site for Taiwan contains links to several Western sources: "New York Times", "Los Angeles Times", etc. Are you claiming that these reputable newspapers are lying?

The fact of the matter is that the majority of Taiwanese companies have a subsidiary in mainland China. Almost the entire manufacturing division of Acer is located in mainland China. Have you ever heard of Beowulf? Beijing can quickly assemble a Beowulf-class supercomputer from Taiwanese high-performance desktop computers manufactured entirely in Beijing.

Frankly, put up or SHUT UP.

Re:Put up or Shut up (1, Insightful)

Anonymous Coward | more than 9 years ago | (#11183029)

Breaking News! Sources have just confirmed that local schools contain all the machinery necessary for creating a password cracking super computer!

Seriously though.. How would Russia be any different? Or any other industrialized nation? Or, hell, the local high school? Frankly, anyone can build at least a small scale super computer these days, and it's not hard at all to crack the kinds of passwords we're talking about here. Most of it can be done using ready-made software and requires almost no technical knowledge.

Parent needs to take a chill pill and quit blaming China for America's problems.

Re:Put up or Shut up (4, Insightful)

ScrewMaster (602015) | more than 9 years ago | (#11183042)

All of which is irrelevant. If China (or any other country) wants to get hold of a few hundred PCs to build a clustered supercomputer it's just not that difficult to do. Cripes, if Iraq can get hold of nuclear tech how hard can it be to buy a few commodity computers (or even high-end processors) on the open market? Why is this even a question?

I mean, sure, China has openly ripped off numerous technologies from a number of countries to bootstrap their high-tech economy, but to say that our banking industry is in danger specifically from China because they can (holy CPU chip, Batman!) build a Beowulf cluster is sort of ridiculous. China is a significant threat to the Western world, for a variety of reasons, but I'd say banking fraud is probably not one of the biggest ones. I'd be more concerned about Russia or Nigeria.

Re:Put up or Shut up (1)

athanis (241024) | more than 9 years ago | (#11183059)

Yes, many Taiwanese companies have a subsidiary in China. And as China steadily opens up, so will just about every other developed nation in the world! So? Are you claiming that China is going to build a beowulf cluster to crack all the passwords and take over the world? C'mon!

I think this attitude that China, by having access to computer hardware, is a major threat is downright crazy. The RSA keys aren't there to protect the West from China! That's the kind of FUD that is endangering the West itself.

Further, I do not argue that the 'reputable' news sources you mentioned are reputable. But that's just what they are: reputable. Don't take everything you read as the gospel, there are ALWAYS biases and opinions in any news media.

People, wake up! This isn't the 70's and hell, if anything, I'm feeling that the States is becoming more and more commie and that China, OTOH, is running towards a more capitalistic economy!

Re:Chinese Supercomputers Crack Normal Passwords (4, Insightful)

RzUpAnmsCwrds (262647) | more than 9 years ago | (#11183147)

"The reality is that the RSA key is a godsend for protecting your accounts. Many Americans are simply unaware of the fact that the Taiwanese have essentially given all the key computer technologies to mainland China. Beijing can now assemble a supercomputer based solely on the technology from Acer, a Taiwanese company with major investments in mainland China. This supercomputer can easily crack the passwords of many accounts at your bank, brokerage, etc.
The RSA will help to protect Western bank/brokerage accounts from Chinese theft. That the majority of stolen credit card numbers end up in the hands of Chinese gangs, aided and abetted by Beijing, in Southeast Asia should surprise no one."

Nice troll. The fact is that the Chinese, as well as *the rest of the world* have had access to computer technology equivalent to that which exists in the US for *years*. There's nothing new.

Moreover, you don't use a "supercomputer" to crack bank accounts. The fact is, you can't brute force the passwords on bank accounts unless you are able to steal the password hashes - and by then you've already broken the system.

Bank accounts are being stolen using phishing, not supercomputers.

Re:For those who don't want to register: (0)

Anonymous Coward | more than 9 years ago | (#11182778)

and for those who want a headache

MOD PARENT DOWN!

Heh? This is old news (4, Informative)

zxSpectrum (129457) | more than 9 years ago | (#11182677)

I'm rather surprised: Several Norwegian banks have been using these RSA Hardware Tokens for a couple of years.

Re:Heh? This is old news (-1, Flamebait)

Anonymous Coward | more than 9 years ago | (#11182700)

I agree, this is old news. Banks here in Canada have been using them for several years as well. But obviously if it is new in the United States then it is "news".
Hardly worth mentioning.

Re:Heh? This is old news (0)

Anonymous Coward | more than 9 years ago | (#11182789)

In Korea news is only for old people.

Re:Heh? This is old news (2, Informative)

EvilIdler (21087) | more than 9 years ago | (#11183170)

Not just a couple - I had it *eight years* ago with Storebrand..

Banks are the problem (3, Interesting)

Anonymous Coward | more than 9 years ago | (#11182678)

Ever read your bank's privacy statement? They pretty much share your personal info to every 3rd party out there. Not to mention they offshore data management overseas.

Re:Banks are the problem (0)

Anonymous Coward | more than 9 years ago | (#11182861)

Not to mention they offshore data management overseas.
Whew, what a relief! Here I thought they were offshoring data management domestically, right here on our own land!

Re:Banks are the problem (4, Informative)

Obiwan Kenobi (32807) | more than 9 years ago | (#11183072)

I call FUD. I've worked in banks (and credit unions) as a network admin for over six years, and that is some bullshit.

Now, understand that banks will use your information any way they can in-house, manipulate numbers and deposit totals and anything else analytical so they can sell a credit card or a loan (it's called cross-selling). But what they cannot do is give your information to other 3rd parties without your direct consent unless it's under federal mandate and/or decree (read: court order and/or the Patriot act).

Now this is all fine and good, but when you do something substantial with your money and/or your financial outlook (say, investing or buying a home), you open up yourself to offers from 3rd parties. You sign a document saying so.

Now the easiest thing is, before you sign something, ask them which companies are going to be behind this new venture. Whether it be an investing house (a lot of banks will farm out investing to a subsidiary and get kickbacks on it) or mortgages (who owns this loan? Can they sell it to a 3rd party mortgage company at a later date?), you need to simply be aware.

Feel free to google "Bank Privacy" and read up on the hometown banks and the big boys: They all pretty much say the same thing. If they are under FDIC (for banks) or NCUA (for credit unions), they all fall under the same guidelines: Your information cannot be shared unless you say so. The federal privacy statements which are mandatory to be handed out upon opening an account, etc, say the same thing.

Offshore data management services are simply a scarier way of saying Disaster Recovery. You want your bank to keep running even if the home office (or data center) explodes, right? Then don't start bitching about them backing up data in different places.

Re:Banks are the problem (0)

Anonymous Coward | more than 9 years ago | (#11183174)

Do you really call FUD?

How often?

Is the FUD number premium rate??

Eggs in a basket? (1)

The Islamic Fundamen (728413) | more than 9 years ago | (#11182682)

Should we be putting all of our eggs in one basket, as just investing into security keys to make us more or less secure? Even if we have one method of intrusion covered and sealed completely, there are more still open.

GnuPG? (0)

Anonymous Coward | more than 9 years ago | (#11182687)

Offering keys at a premium price? I can do gpg --gen-key by myself, it's free!

Article not about "RSA Keys" -- Hardware tokens (5, Informative)

Steven Reddie (237450) | more than 9 years ago | (#11182688)

The article is really talking about using hardware tokens for extra security since the private data is stored on an external token and can't be stolen by viruses, trojans, or phishing scams. I don't even see RSA mentioned in the article -- there is an inset picture of an RSA SecurID but that's as close as it gets.

What did you expect? (3, Funny)

ravenspear (756059) | more than 9 years ago | (#11182765)

That the /. summary would actually reflect the same interpretation, or dare I say it, even the factual content of the article.

You must be new here.

Re:Article not about "RSA Keys" -- Hardware tokens (4, Informative)

HotNeedleOfInquiry (598897) | more than 9 years ago | (#11182857)

Wells Fargo issues the RSA SecurID devices for security. Not a test, not a trial; my wife and I each have one.

Thumb drives (3, Interesting)

Huogo (544272) | more than 9 years ago | (#11182690)

This is the perfect use for a thumb drive, so long as the computer you're using can be trusted. I can see a problem with people keeping all their keys on a thumb drive, and using it at a net cafe or something, but the computer at the cafe could be easily set to download the keys and key log the password to each set of keys. This can only be solved by something like an external device that will let you input a challenge code, and spit out a response code to gain access to the RSA key.

Re:Thumb drives (2, Informative)

jdhutchins (559010) | more than 9 years ago | (#11182718)

That's what I initially thought, but the article talks about a different kind of RSA "key". The article is about the hardware things that show a number that changes every 15sec or so, and you need that number to log in. The summary title is misleading (surprise surprise)

Re:Thumb drives (-1, Troll)

skinfitz (564041) | more than 9 years ago | (#11182726)

...so long as the computer you're using can be trusted.

Well that rules out Windows then.

Re:Thumb drives (3, Interesting)

dustman (34626) | more than 9 years ago | (#11182884)

This is the perfect use for a thumb drive, so long as the computer you're using can be trusted.

Although the article talks about a different technology, one of the core features of the technology you are talking about is that the computer does not, in fact, need to be trusted.

Basically, the computer asks the hardware device to encrypt or decrypt some data. The device stores the key internally and never reveals it.

It is a core concept of devices such as this that it is impossible to retrieve the key. The chips are designed such that they never reveal the key through the "official" interface (the encode/decode thing), and they're made so that taking the chip apart destroys the key.

Re:Thumb drives (1)

rzebram (828885) | more than 9 years ago | (#11182894)

So you mean a thumb drive to plug in to your thumb drive in order to gain access to your RSA key?

Re:Thumb drives (1)

John Harrison (223649) | more than 9 years ago | (#11183137)

It is an even better application for smart cards. You need a $3 card and a $10 reader. And unlike a USB key it is meant to be quickly inserted and removed without any problems.

Re:Thumb drives (1, Funny)

Anonymous Coward | more than 9 years ago | (#11183218)

It's all about the RSA, the DSA, Ol' Dirty Bastard, Inspectah Deck, Raekwon the Chef
U-God, Ghost Face Killer and the Method Man.

This is news? (5, Informative)

Nehle (784297) | more than 9 years ago | (#11182693)

My bank (SEB, www.seb.se) has been using a hardware token system for years. I click the sign in button, enter my birthdate, receive two four-digit numbers, start the little device, enter my password and the two numbers and get a six-digit number that I enter in the login page and then I get logged in.
Is this somehow different?

Oh, and by the way, works like a charm and I feel a lot more secure than I do with static passwords

Yes, it IS different... (4, Interesting)

wcdw (179126) | more than 9 years ago | (#11182745)

This sounds like SecureID cards, which are time-synched to a master server which runs the same algorithm/seed. SecureID has a long history in the IT world, and works relatively well (and, as far as I know, no one has ever hacked the algorithm).

Sounds like your device just calculates a response based on two inputs; don't know why that wouldn't be just as easy in software. (You _can't_ turn a SecureID card off, so it can't get out of synch with the server, unlike software.)

Not to say that your device isn't secure - more reverse engineering would be required to determine that - but the two approaches *are* very different.

Re:Yes, it IS different... (1)

Nehle (784297) | more than 9 years ago | (#11182849)

Intrigued by your response, I checked if this was the case.
It does, however, appear that the device is time-synched with the server, as entering the same keys at two different points in time gave two different answers.
So it appears nothing is different then?

Re:Yes, it IS different... (1)

wcdw (179126) | more than 9 years ago | (#11183090)

Interesting.... It sounds like it is a similar approach, in any event. The SecureID cards 'randomly' change values (every 60 seconds?); you just type in whatever is currently on the screen.

I can't help but wonder if your device has a battery-backup for the clock, or otherwise how could it be time-synched, if you can turn it off? A possibility that occurs to me is something along the lines of the salt used for many Unix password schemes. The password can be encoded any one of a finite number of ways, resulting in a different encrypted value each time, but all tied back to the original input.

Re:Yes, it IS different... (4, Interesting)

wfberg (24378) | more than 9 years ago | (#11182864)

Sounds like your device just calculates a response based on two inputs; don't know why that wouldn't be just as easy in software. (You _can't_ turn a SecureID card off, so it can't get out of synch with the server, unlike software.)

Not to say that your device isn't secure - more reverse engineering would be required to determine that - but the two approaches *are* very different.
The approaches are different mostly in the way that securID can't do challenge/response. Note that most hardware tokens that can do challenge/response also use a hardware clock.

The immediately obvious benefit of challenge/response is that it offers far better protection against replay attacks - securID numbers are valid for 10 seconds, whereas a parallel login session using C/R will use a different challenge (in fact, the resolution is worse than 10 seconds since the server will usually accept the previous and next number as well, in order to resync to correct for clock drift).

Also, some e-banking authentication schemes require you to enter both a challenge AND the amount (or recipient's bank account number) you're transferring; this prevents malware on your PC (or a man-in-the-middle) altering the amount without you detecting it. This is obviously impossible to do with a non-C/R scheme like SecurID.

Example: when I add an account number to my e-banking site's address book, I'm asked for the response to a challenge that's clearly and human-readably derived from the bankaccount# (1 number is dropped) - so malware can't change the account#s I add to my address book.

In my mind, even devices without a hardware clock that can do C/R are preferable to securID schemes that do have a clock but no C/R.

Also note that tokens that do C/R usually need to be unlocked with a PIN before use (they already come with a keypad, so why not?) - this means you get two-factor authentication basically for free, and the PIN only needs to be checked by the token itself, so it's not stored on the server, not even in a hashed form (which is trivial to brute force for 4/5 digit codes anyway).

While securID might be very well accepted in the IT world, and is easy to roll out, it's certainly not the most secure or well thought-out authentication method by a long shot. And they're damn expensive given how simple their design is! Just a clock and an LCD that shows the hash of the current date/time rounded to the closest 10 seconds and its secret key..

Re:Yes, it IS different... (3, Interesting)

dannyp (62358) | more than 9 years ago | (#11182980)

Most SecurID implementations will only authenticate a specific token code once within its validity window. A replay attack (even within the time validity window) will fail after the first good authentication.

There are still man-in-the-middle vulnerabilities, but no worse than with a challenge-response

Re:Yes, it IS different... (3, Interesting)

wcdw (179126) | more than 9 years ago | (#11183133)

One point I wanted to add is that although SecureID may be well accepted in the IT world, it is _NOT_ that easy to roll-out. Or wasn't, the last time I had to play games in that world, anyway; it HAS been a while.

Note that I never claimed that it was the most *secure* solution, and yes, the lack of challenge/response does limit its usefulness.

However, if I can reverse engineer the bank's device and discover the algorithm in use, it becomes worse than useless, in that it instills a false sense of security.

Strong passwords are still less hassle, don't sacrifice much to security concerns (if never expressed in clear text), and just aren't that freaking hard to create. Pre-shared keys are even better, depending on how strong they are, and how they're distributed. And how well keys are guarded/revoked-if-stolen. ;)

Re:Yes, it IS different... (0)

Anonymous Coward | more than 9 years ago | (#11182930)

The algorithm has been hacked - http://whitepapers.zdnet.co.uk/0,39025945,60023455p-39000579q,00.htm [zdnet.co.uk] for a paper that gives some details. However, it's still of little use unless the hacker knows the serial number of the token in question and has access to the "secret" token data from the secureID server...

Re:Yes, it IS different... (1)

wcdw (179126) | more than 9 years ago | (#11183175)

Thanks for the link; I was actually not aware of even that much hacking done on those cards. It does seem a little limited, although I can envision some scenarios where it would be exploitable.

SEB uses VASCO SecureID tokens (3, Informative)

hanssprudel (323035) | more than 9 years ago | (#11183173)

Since this is already being moderated up, I want to note that the poster is wrong.

The system that the grandparent describes is based on VASCO [vasco.com] "Digipass" devices, that work just like the RSA secureid tokens, only that they also support PINs and challenge/response authentication. That means that if everything is done correctly (which I can't swear to) these tokens, which SEB have been using for more than five years, are considerably more secure than the normal RSA SecureID.

Basically (very simplified) your normal SecureID will create a checksum from a secret and the current time, so the server can verify that the person logging in is holding the token at this time. The Digipass, on the other hand, creates a checksum of the secret, the time, and the challenge from the server. This verifies that the person logging in has access to the token at this time, and created a checksum for this particular log in. And the fact that it also requires a personalized PIN to access the device means that stealing it will do you little good.
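The two token styles argued over in wfberg's, dannyp's and hanssprudel's comments above (time-only codes with a drift window and one-time acceptance, versus a PIN-unlocked challenge/response token whose answer is bound to the transaction), as an added example in Python that is not from this thread and does not use RSA's or VASCO's real algorithms: both tokens are modelled as HMAC-SHA256 over a shared seed, and the seed, PIN, account number and clock values are constructed.

```python
import hashlib
import hmac
import secrets

STEP_SECONDS = 60   # one new number per minute, as the article describes
DIGITS = 6

def _code(secret: bytes, *parts: bytes) -> str:
    """HMAC-SHA256 over the parts, truncated to a DIGITS-digit decimal code."""
    mac = hmac.new(secret, b"|".join(parts), hashlib.sha256).digest()
    return f"{int.from_bytes(mac[:4], 'big') % 10**DIGITS:0{DIGITS}d}"

def _window(now: float) -> int:
    return int(now // STEP_SECONDS)

def time_token_code(secret: bytes, now: float) -> str:
    """Time-only token: what the LCD shows at `now` is f(seed, time window)."""
    return _code(secret, str(_window(now)).encode())

class TimeTokenServer:
    """Accepts codes from +/- `drift` windows (clock drift), each window once."""

    def __init__(self, secret: bytes, drift: int = 1) -> None:
        self.secret = secret
        self.drift = drift
        self.accepted_windows = set()

    def verify(self, code: str, now: float) -> bool:
        current = _window(now)
        for w in range(current - self.drift, current + self.drift + 1):
            if hmac.compare_digest(_code(self.secret, str(w).encode()), code):
                if w in self.accepted_windows:
                    return False        # replay inside the validity window
                self.accepted_windows.add(w)
                return True
        return False

class CRToken:
    """Challenge/response keypad token; the PIN is checked on-device only."""

    def __init__(self, secret: bytes, pin: str) -> None:
        self._secret = secret
        self._pin = pin

    def respond(self, pin: str, challenge: str, amount: str, account: str, now: float):
        if not hmac.compare_digest(pin, self._pin):
            return None                 # wrong PIN: the token stays silent
        # response = f(seed, time, challenge, amount, account)
        return _code(self._secret, str(_window(now)).encode(),
                     challenge.encode(), amount.encode(), account.encode())

class CRServer:
    def __init__(self, secret: bytes, drift: int = 1) -> None:
        self.secret = secret
        self.drift = drift
        self.open_challenges = set()

    def new_challenge(self) -> str:
        challenge = f"{secrets.randbelow(10**8):08d}"
        self.open_challenges.add(challenge)
        return challenge

    def verify(self, challenge: str, response: str, amount: str, account: str, now: float) -> bool:
        if challenge not in self.open_challenges:
            return False                # unknown, or already answered
        self.open_challenges.discard(challenge)   # one answer per challenge, accepted or not
        current = _window(now)
        for w in range(current - self.drift, current + self.drift + 1):
            expected = _code(self.secret, str(w).encode(), challenge.encode(),
                             amount.encode(), account.encode())
            if hmac.compare_digest(expected, response):
                return True
        return False

def demo() -> dict:
    """Run both schemes through the cases the thread argues about."""
    seed = b"constructed-demo-seed"    # constructed; real seeds are per-token secrets
    now = 1_700_000_000.0              # constructed clock value, 20 s into a 60 s window
    ts, results = TimeTokenServer(seed), {}
    code = time_token_code(seed, now)
    results["time_code_first_use"] = ts.verify(code, now + 5)
    results["time_code_replay"] = ts.verify(code, now + 20)      # same window presented again
    # token clock 50 s fast: it already shows the next window's code, server still accepts it
    results["time_code_clock_drift"] = ts.verify(time_token_code(seed, now + 50), now)

    token, server = CRToken(seed, "1234"), CRServer(seed)
    amount, account = "100.00", "DEMO-ACCOUNT-001"   # constructed values
    results["cr_wrong_pin"] = token.respond("0000", server.new_challenge(), amount, account, now)
    ch = server.new_challenge()
    resp = token.respond("1234", ch, amount, account, now)
    # malware on the PC rewrites the amount on its way to the bank: response no longer matches
    results["cr_tampered_amount"] = server.verify(ch, resp, "9100.00", account, now)
    ch = server.new_challenge()
    resp = token.respond("1234", ch, amount, account, now)
    results["cr_honest"] = server.verify(ch, resp, amount, account, now)
    results["cr_replay"] = server.verify(ch, resp, amount, account, now)
    return results
```

Note that dannyp's point and wfberg's drift remark interact: the server in `TimeTokenServer` tolerates a neighbouring window but still refuses to accept any window twice.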

Re:SEB uses VASCO SecureID tokens (1)

wcdw (179126) | more than 9 years ago | (#11183214)

Well, frankly, it doesn't seem like it would be that hard to figure out how to dummy the PIN entry on the front end if one had the physical device in hand.

Then again, with the SecurID card, it's even easier. ;)

The only real problem I see is the 'if done right' part. Conceptually it's a better solution than SecurID (no surprise, the market does usually evolve). As far as actual USE goes, it seems a little less convenient.

(Note that I have successfully fought every effort to make me actually _carry_ a SecurID card, so that opinion is based mostly on anecdotal evidence. I *do* know that the SecurID cards *don't* always handle clock drift, despite the 'X previous key / Y future keys' settings on the server.)

Personally, I like the convenience of Firefox storing my passwords so I don't have to type them. If by some chance my firewall gets hacked, or my site gets burgled, it's easy enough to change/cancel them (unfortunately Linux doesn't really have any well-integrated file-system-based encryption, though I'm sure that will change).

Then too, who knows what encryption will look like in the world of quantum computing? The thought of having to carry a bunch of keychain devices to be able to access my accounts is annoying, at best. I don't WANT a bunch of crap clogging up my keyring. It's bad for the ignition switch on the car, and worse for the one on the bike....

House keys (5, Insightful)

tepples (727027) | more than 9 years ago | (#11182696)

How long before everyone needs to carry around 5 different RSA keys just to perform daily task?

How long before everyone needs to carry around 5 different physical keys? Let's see... we have the house key, the car key, the shed key, the bike key, the gun case key, the baseball card key...

Re:House keys (0)

Anonymous Coward | more than 9 years ago | (#11182713)

People who work in jails carry lots of keys now, and have for a long time in the past too.

Re:House keys - forgot one... (3, Funny)

AetherBurner (670629) | more than 9 years ago | (#11182795)

I have a church key that I carry too.

Re:House keys (0)

Anonymous Coward | more than 9 years ago | (#11182817)

That's your problem.

I have a key for my house and a key for my mailbox. That's all.

Re:House keys (0)

Anonymous Coward | more than 9 years ago | (#11182990)

That's why the RSA approach, while great for "the one important authentication you have", doesn't scale. Eventually you have to go to PKI.

Wall Street has used these things for over a decade. I once saw the (humorous and sad) situation (at a customer managing a LOT of money) of having a bunch of SecurID tokens (one per counterparty) taped to a monitor, each with the PIN scribbled on a Post-It :-)

In Soviet Russia keychain fobs YOU! (-1)

IO ERROR (128968) | more than 9 years ago | (#11182702)

Whoa [rsasecurity.com] , it's [eweek.com] SecurID [rsasecurity.com] on [pcworld.com] a [msn.com] keychain [accettura.com] !

What [infozine.com] will [epinions.com] they [cisco.com] think [dealtime.com] of [cybershopcentral.com] next [rednova.com] ?

Re:In Soviet Russia keychain fobs YOU! (-1)

DarkMantle (784415) | more than 9 years ago | (#11182952)

Well the oldest dated link is from February. That's still new (by /. standards). Although this link [infozine.com] seems to be dated 1999, still only 5 years. That's still new... right?...

Old News (2, Informative)

Ann Elk (668880) | more than 9 years ago | (#11182706)

Banks in Poland have been using physical security tokens for online access for a few years. Yawn...

Re:Old News (1, Funny)

Anonymous Coward | more than 9 years ago | (#11182836)

Don't forget Poland!

Re:Old News (-1, Flamebait)

Anonymous Coward | more than 9 years ago | (#11183152)

Welcome to an American website, where nothing is real until it happens in USA, the best country at everything.

Re:Old News (0)

Anonymous Coward | more than 9 years ago | (#11183348)

Maybe the US just didn't really need it since it had a relatively low crime rate, and the fact that Poland had it for a while seems to follow that logic (I've heard a lot of lovely stories about the crime rates in Poland, I got mugged last time I visited).

If client can't be trusted, all bets are off! (4, Insightful)

Ron Bennett (14590) | more than 9 years ago | (#11182747)

At first glance, the external token as described in the article sounds secure, but since the person only types it in once per login, phishing really isn't that much more difficult than before.

Two ways off the top of my head a phisher can defeat this ...

1. Grab login data in real-time from an IRC channel, etc and race to login before the code changes - for extra measure, disable the user's connection for a little while - DoS, etc.

2. Proxy the request - that is don't try to steal the login data itself, but rather hijack their session and go to town.

Some may think, ok "check the person's ISP (IP range, etc) too" ... sounds like that would blow #1 away, but not if the phisher then logs in via the victim's machine.

In a nutshell, if the client machine can't be trusted, all bets are off!

Yes, tokens raise the bar, but I fear banks will use this more as an excuse to erode consumer protections for fraudulent transactions; Verify by VISA comes to mind.

Ron
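A small model of the two token schemes hanssprudel compares above (a code from secret plus time, versus a code that also covers a server challenge) and of the harvest-and-race scenario Ron describes, added here as an illustration for the thread; it is not code from RSA, VASCO or any bank. The seed, the 60-second step, the one-step drift window and the HMAC-SHA256 construction are constructed assumptions standing in for the vendors' own (in SecurID's case, closed) algorithms.

```python
import hashlib
import hmac
import secrets
import struct

# Constructed demo values; real tokens carry a per-device seed and a
# vendor-specific code-generation function, not this HMAC construction.
TOKEN_SEED = b"constructed-demo-seed-not-a-real-token"
STEP_SECONDS = 60      # one fresh code per minute, as the article describes
DRIFT_STEPS = 1        # accept one step either side (the server's "previous/future keys")

def _truncate(digest: bytes, digits: int = 6) -> str:
    """Dynamic truncation of a MAC to a fixed number of decimal digits."""
    offset = digest[-1] & 0x0F
    value = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{value % (10 ** digits):0{digits}d}"

def time_code(seed: bytes, now: float) -> str:
    """Time-only code (SecurID style): depends on the secret and the time step."""
    step = int(now // STEP_SECONDS)
    mac = hmac.new(seed, struct.pack(">Q", step), hashlib.sha256).digest()
    return _truncate(mac)

def challenge_code(seed: bytes, now: float, challenge: bytes) -> str:
    """Challenge-bound code (Digipass style): secret, time step and server challenge."""
    step = int(now // STEP_SECONDS)
    mac = hmac.new(seed, struct.pack(">Q", step) + challenge, hashlib.sha256).digest()
    return _truncate(mac)

class TimeCodeVerifier:
    """Server side of the time-only scheme: drift window plus replay tracking."""
    def __init__(self, seed: bytes) -> None:
        self.seed = seed
        self.accepted: set = set()  # (step, code) pairs already used for a login

    def verify(self, code: str, now: float) -> bool:
        base = int(now // STEP_SECONDS)
        for step in range(base - DRIFT_STEPS, base + DRIFT_STEPS + 1):
            expected = time_code(self.seed, step * STEP_SECONDS)
            if hmac.compare_digest(expected, code):
                if (step, code) in self.accepted:
                    return False  # same code presented twice: reject the replay
                self.accepted.add((step, code))
                return True
        return False

class ChallengeVerifier:
    """Server side of the challenge/response scheme: one challenge per login session."""
    def __init__(self, seed: bytes) -> None:
        self.seed = seed
        self.pending: dict = {}  # session id -> challenge issued for that session

    def issue(self, session_id: str) -> bytes:
        challenge = secrets.token_bytes(8)
        self.pending[session_id] = challenge
        return challenge

    def verify(self, session_id: str, code: str, now: float) -> bool:
        challenge = self.pending.pop(session_id, None)  # a challenge is single use
        if challenge is None:
            return False
        base = int(now // STEP_SECONDS)
        for step in range(base - DRIFT_STEPS, base + DRIFT_STEPS + 1):
            expected = challenge_code(self.seed, step * STEP_SECONDS, challenge)
            if hmac.compare_digest(expected, code):
                return True
        return False

def harvested_code_replay(now: float) -> tuple:
    """Scenario 1 from the thread: a code harvested from the victim is submitted to
    the bank within the same minute. Returns (time_only_accepted, bound_accepted)."""
    tv = TimeCodeVerifier(TOKEN_SEED)
    victim_code = time_code(TOKEN_SEED, now)       # typed into the phishing page
    time_only = tv.verify(victim_code, now + 20)   # raced to the bank: still valid

    cv = ChallengeVerifier(TOKEN_SEED)
    victim_ch = cv.issue("victim-session")         # challenge shown to the victim
    cv.issue("phisher-session")                    # the other login gets its own
    victim_resp = challenge_code(TOKEN_SEED, now, victim_ch)
    bound = cv.verify("phisher-session", victim_resp, now + 20)  # wrong challenge
    return time_only, bound
```

The challenge-bound response only helps against a code captured out of context; a page that relays the bank's challenge to the victim and the response back in real time (Ron's scenario 2) is not stopped by either verifier, which is the "untrusted client" point above.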

just need a physical digit wallet (3, Interesting)

emkman (467368) | more than 9 years ago | (#11182749)

If we are going the route of RSA keys, we need a secure digital wallet, where one key contains all the credit cards and bank info we need. This will keep all the info just as secure but we won't need a billion different keys for all our different accounts.

Re:just need a physical digit wallet (1)

kzh (662144) | more than 9 years ago | (#11182997)

How secure is your current wallet with your personal details? It is quite interesting to note that we get overzealous when considering all things digital - yet our current methods of security and identification involve a photograph on laminated cards (in the case of drivers' licences). With the advent of digital identification and such, we do need to take more care in the way in which we implement the technology - as due to the global nature of IT, certain security measures become easier to circumvent and automate. However, we don't want to go overboard and have to remember the compromise we must make between ease of use and security.

If you don't know what RSA is... (0, Offtopic)

JaF893 (745419) | more than 9 years ago | (#11182758)

Check out this Wikipedia [wikipedia.org] article.

Re:If you don't know what RSA is... (0)

v3rgEz (125380) | more than 9 years ago | (#11182855)

And if you don't know what wikipedia is, try http://en.wikipedia.org/wiki/Wikipedia [wikipedia.org] .
For Christ's sake, if I did a dictionary search for a word to define it for people not creative/intelligent enough to look it up, I'd be modded down almost as much as I'm going to for harassing this poor fool who wiki'd the definition for "RSA."

People can do a search of their own favorite online dictionary, let's stop walking them through it.

Re:If you don't know what RSA is... (0)

Anonymous Coward | more than 9 years ago | (#11183279)

This is actually not correct. The Wikipedia entry is on the RSA crypto algorithm.

The article is referring to the old SecurID hardware token used for authentication.

Not surprised... (4, Interesting)

4alexnyc (826658) | more than 9 years ago | (#11182764)

Considering most of my friends in corporations already use these devices to get access to the corporate network, I'm not surprised they're looking to bring it to the general public. It is highly effective.

To answer the 5 tokens keychain question: there is a software token device also available: http://www.rsasecurity.com/node.asp?id=1313/ [rsasecurity.com]

I suppose this doesn't surprise me.. (2, Interesting)

doormat (63648) | more than 9 years ago | (#11182773)

I use an 8 digit PIN and a RSA hardware token to log into work remotely.

Carry around 5 keys (3, Insightful)

gspr (602968) | more than 9 years ago | (#11182779)

How long before everyone needs to carry around 5 different RSA keys just to perform daily task?

It's not like a million keys are harder to carry around than one...

Re:Carry around 5 keys (1)

irc.goatse.cx troll (593289) | more than 9 years ago | (#11182862)

You do realise we're talking about a device that generates a number in sync with the server, and not a simple ascii file, right?

This [rsasecurity.com] , not this [sourceforge.net] . (or this [epa.gov] )

Carry around 5 keys-DNA. (0)

Anonymous Coward | more than 9 years ago | (#11182875)

I carry around DNA. That's all the key I need.

Re:Carry around 5 keys-DNA. (0)

Anonymous Coward | more than 9 years ago | (#11183119)

I carry around DNA. That's all the key I need.

You better hope nobody decodes and copies your DNA. You'll be pwned for life.

This is new? (4, Informative)

wfberg (24378) | more than 9 years ago | (#11182781)

I've been using physical tokens to log on to e-banking for years. Not only that, but tokens that are significantly more secure than securID fobs, in that they support challenge/response and using a PIN to unlock it (two-factor security, and the PIN is only used with the token so it needn't be known at all to the bank).

In fact, most banks are now switching to keypads that you plug your existing bankcard in, so they can piggyback on the tamper-resistant chipcard that's already on there (although it's slightly less advanced than some tokens, since chipcards don't support a clock that's permanently ticking).

Most devices are from Vasco [vasco.com] who provide a wide range of tokens (some more secure than others). They even have challenge/response tokens that don't require you to copy the challenge; they have optical sensors that can read out a code that's blipped out by flashing blocks on your screen. Way cooler devices than those RSA securIDs.

How long (1)

bob65 (590395) | more than 9 years ago | (#11182786)

How long before someone finds a fast way of factoring large numbers and we're all screwed?

full text (nicely formatted) (0)

Anonymous Coward | more than 9 years ago | (#11182787)

A hardware token is only one way to increase security. At E*Trade, customers who want to conduct wire transfers must wait for a confirmation number to be sent to their cellphones or personal digital assistants, then enter that number to complete the transaction, Mr. Levine said.

People who sign up for the E*Trade hardware tokens and lose them will have to call customer service to authenticate themselves, he said.

U.S. Bancorp plans to try out a system involving hardware tokens that will be based on technology from VeriSign, the Internet security company. The bank declined to add details.

The urgency surrounding the issue is linked to an increase in "phishing," the practice of sending fraudulent e-mail messages en masse to bait people into disclosing sensitive information. Newer scams involve "malware," which can install itself on a computer through e-mail or pop-up ads, detect when someone starts to use an online banking program or make a credit card payment, and then record the person's keystrokes and capture account details. The victims do not even have to do something foolhardy like giving away account numbers or passwords.

"We're just seeing new stuff out there all the time," said Dave Jevans, chairman of the Anti-Phishing Working Group, a coalition of companies in financial services and information technology. But he added: "I don't think people need to be any more scared than going to an A.T.M. at nighttime. They need to be cautious; don't do silly things."

People who run antivirus software on their home computers, who have installed firewalls to guard against incursions, and who take other security precautions need not worry so much about the proliferation of online threats, security experts say. But they add that these people are probably not in the majority.

Some bankers say they are leery about rushing to install new systems that may not solve all the problems. Concerns over phishing have "provoked some of the government agencies to come up with simple solutions to very complex problems," said John Carlson, a former regulator with the Office of the Comptroller of the Currency who is now a senior director at BITS, the technology arm of the Financial Services Roundtable, a trade group.

"Consumer acceptance and ease of use are huge issues," he said.

At Wachovia, which offers both hardware tokens and digital certificates to corporate customers, Joanne Young, the wholesale business manager for e-commerce, says that the certificates are easier to use, although unlike the tokens, they are not portable from one machine to another. When she telecommutes, "I always have to find my hardware token on my computer at home," Ms. Young said. "My kids are always moving it on my desk."

We should be careful of this.... (2, Interesting)

I kan Spl (614759) | more than 9 years ago | (#11182796)

Putting all of one's eggs into the same basket of crypto is probably a bad idea. If banks all adopt RSA as a standard way of doing logins at ATMs and/or online then there will be a major upheaval if anyone cracks RSA.

RSA is based on the idea that prime numbers are very hard to find, and with some of the research that is currently going into that field I would be very wary of using that idea as an end-all.

If banks are to adopt a universal crypto system, then perhaps AES or some form of elliptic curve crypto would be a better choice?

Re:We should be careful of this.... (0)

Anonymous Coward | more than 9 years ago | (#11182830)

RSA is based on the idea that prime numbers are very hard to find

I'm not trying to be picky, but actually that's not the problem; rather, it's factoring the product of two large prime numbers. I'm no math wizard, but this seems to be something that eventually won't be hard to do (as computers speed up and algorithms improve).

Re:We should be careful of this.... (2, Insightful)

sparklehackery (802490) | more than 9 years ago | (#11182893)

I'm no math wizard, but this seems to be something that eventually won't be hard to do

no kidding.

Re:We should be careful of this.... (1)

TedCheshireAcad (311748) | more than 9 years ago | (#11183266)

Perhaps, but probably not in our lifetimes. This is the holy grail [wolfram.com] of modern mathematics.

Re:We should be careful of this.... (2, Informative)

bobbuck (675253) | more than 9 years ago | (#11183036)

Just one problem. As computers get bigger they can check more keys. But a MUCH smaller match in computer power can make the keys so much bigger. Compare a 40bit key vs 80bit key. Bob and Alice's computer has to do twice as much work at 80bits. Eve-the-eavesdropper's computer has to do 2^40 times as much work. (I know this is not technically correct but it's the same idea.)

People have been trying to factor large numbers for a long time, and it's a difficult problem.

Merry Christmas! (or as they say at the NSA: qp93eywufaldksvnh)

OT: What happened to searching slashdot? (0, Offtopic)

SteeldrivingJon (842919) | more than 9 years ago | (#11182833)

The slashdot search page is gone. All that's available is the kinda useless Google search field at the bottom of the page.

What's the deal?

Re:OT: What happened to searching slashdot? (1)

SpaceLifeForm (228190) | more than 9 years ago | (#11183162)

Obviously re-working the pages. Your tilde link is no longer on the main page either.

What the world is coming to? (1)

melted (227442) | more than 9 years ago | (#11182844)

Next thing you know - they'll start using the "internets"!

You don't need multiple tokens!! (1)

initsix (86050) | more than 9 years ago | (#11182848)

Anyone else that does RSA Ace administration can confirm this for me, but you should be able to use the same RSA token for multiple accounts. That means ONE token for access to your bank, credit union, online stock broker, whatever.
RSA tokens come with accompanying software (or a key) which is used to import the token to the ACE authentication server. With that software you can load one token into multiple RSA servers. With a token and its software, you could send your accompanying token software to Bank A and to Bank B, they load your RSA token and you can then use the same token to authenticate to both accounts. As an added measure of security, the usernames do not have to be the same, nor does the accompanying PIN for each account.
The software I use now for importation imports batches of Ace tokens that we distribute to customers, but I am sure it wouldn't be difficult to supply one "key" per token.
I have steadily been seeing more and more phishing schemes in my email and they look more and more legit every day. Two factor authentication needs to be implemented soon before more and more people lose their money to scammers.
I would be more than happy to pay $50-$100 for a token and software that I could use to authenticate to all my online financial services.

Re:You don't need multiple tokens!! (3, Interesting)

confusion (14388) | more than 9 years ago | (#11183215)

I admin'd an ace server for a long time, in an org that had multiple groups running them. It is true that you can use an RSA token on many ace domains - buuut the problem is largely organizational. Even within the same company, it was sometimes hard to get the seed files back and forth.

Each customer will need to provide their seed file to each new bank. *IF* banks were able to settle on all using the same technology (RSA/ACE), most certainly all of them would have different policies on pins, etc, rendering it a pretty confusing thing for customers. Don't underestimate the problems that would cause.

Jerry
http://www.syslog.org/ [syslog.org]

Argh... please make the distinction (2, Informative)

kaedemichi255 (834073) | more than 9 years ago | (#11182876)

The distinction really should be made between RSA encryption keys used for cryptographic algorithms, and RSA SecureID Tokens, which are what this news item is referring to, but are different from the public/private encryption keys!

Customers expected to pay? (5, Insightful)

Xentropy (843502) | more than 9 years ago | (#11182891)

I'm willing to admit up-front that being the victim of a security breach or some kind of fraud is distressing to the customer, but given the fact most banks (and certainly any bank I would do business with) have zero liability fraud policies nowadays, the only party for whom such a device would be saving money is the bank.

Therefore, why are customers expected to pay $10 for these? Certainly, banks will recoup the costs somehow (through higher fees in general), but isn't the net effect of this type of technology supposed to be a savings? Isn't it the bank's responsibility (and liability) to make sure their customers' accounts are secure (assuming a reasonable amount of due diligence by said customers)? Isn't the savings in reduced fraud and security breaches supposed to outweigh the cost of the security devices? If not, why does the technology exist?

It sounds great and all, but unless offered as a free service, I'll sit this one out.

Customers expected to pay?-Recursive. (1, Insightful)

Anonymous Coward | more than 9 years ago | (#11182924)

"Therefore, why are customers expected to pay $10 for these? Certainly, banks will recoup the costs somehow (through higher fees in general)"

And this mystery group that will be paying the fees is?

Re:Customers expected to pay? (0)

Anonymous Coward | more than 9 years ago | (#11183160)

Therefore, why are customers expected to pay $10 for these?

Same reason they pay for cheques.

Seamless (0)

Anonymous Coward | more than 9 years ago | (#11182903)

I think the future will be programs that seamlessly encrypt and digitally sign everything without anybody having to know or care. We can see this in SSL. Really, manually encrypting and having to use RSA and PGP keys will never catch on with the general populace.

Mmmmm RSA (1)

mg2 (823681) | more than 9 years ago | (#11182916)

As long as I don't have to memorize three RSA keys, I don't really care how many I have to use throughout the day -- give me a usb token or give me death.

Sweden uses a similar token system (3, Interesting)

ScottMacVicar (751480) | more than 9 years ago | (#11182941)

A friend who is studying in Sweden at the moment has basically a scratch card with 40 numbers on it; when she goes to login she enters her username, password and then scratches off a panel to get an 8-digit numeric token to enter.
When she has used about 30/40 the bank sends out a new card.

It's a whole lot cheaper than handing out SecureID devices to customers and I'm really surprised that most banks don't have this already; it's the size of a credit card and fits nicely in a wallet.

Re:Sweden uses a similar token system (2, Informative)

pekkak (840639) | more than 9 years ago | (#11183054)

It's the same in Finland. I have a card with about 100 disposable passwords and when I have used most of the passes the bank sends me a new card. In my opinion this is a lot more secure method than the permanent password scheme employed by many American banks. No offense, but as can be seen from the many comments posted here already, the US banking system is not exactly the state of the art. I mean, US still uses paper checks which I find astonishing. There must be incredible amounts of work and thus expenses involved in handling all those checks.

re: (0)

Anonymous Coward | more than 9 years ago | (#11182967)

I wonder why the NY Times has not complained to Slashdot about the blatant copying of materials from their site.

Secondly, why the mods here continue to give points to people who do.

Re: Why the mods give points to NYT ripoffs (0, Offtopic)

wcdw (179126) | more than 9 years ago | (#11183226)

Well, duh. Because most of us don't WANT to have to contribute our DNA just to read the freaking article.

For CC charges too (2, Insightful)

The Cisco Kid (31490) | more than 9 years ago | (#11182977)

If they *DON'T* protect credit(/debit) card charges with this, it's somewhat useless, since that's the simplest way for someone to suck the money out of someone's account.

If they do require charges to a credit card to be authorized by the SecureID card, it not only protects against outright stealing, but also prevents a merchant from saving your CC# and automatically rebilling you without your permission unless you jump thru their hoops to 'cancel' some service - their only recourse is to terminate the service, which is as it should be.

RSA keys for AOL members (1)

PFritz21 (766949) | more than 9 years ago | (#11183023)

Does AOL also sell their members' RSA keys to spammers and the ilk?

7h3 12 d4yz 0f X-M45 (-1, Offtopic)

Anonymous Coward | more than 9 years ago | (#11183024)

7h3 12 d4yz 0f X-M45

0n +h3 7w3|f7h d@y 0f #ri57m@5, my h4x0r sent to me,
12 g4m3rz pwn3!ng
11 w@r3z 1n57411!ng
10 53rv3rz 4-pr0> 9 +0rr3n75 d0wn104d!ng
8 r0mz @-3mu147!ng
7 l4m3rz ^-b10gg!ng
6 g33k5 4-cr4ck3!ng
5 p1r@+3d 4ppz
4 W!nd0wz 5p1()!tz
3 DoS 4774ckz
2 pr0n p455w0rd2
and a n00b 2 ph34r meh

Yay! (-1, Offtopic)

Anonymous Coward | more than 9 years ago | (#11183053)

First post again! Yee-hawwwww!

SecurID (1)

streak (23336) | more than 9 years ago | (#11183080)

I personally have an RSA SecurID that I use for work and I love it. I think it's a really great system and it meets our authentication needs. In case you aren't familiar (or haven't read other posts), SecurID is a fob that you can put on your keychain that lasts I think 5 or so years and gives you a new 6 digit token each minute. This combined with your own passphrase authenticates.

The fob uses time-based encryption against the auth server so that it knows at a given point in time what the 6 digit number should be.

Frustrating.... (1)

confusion (14388) | more than 9 years ago | (#11183232)

It seems like most of the rest of the civilized world has already adopted hardware tokens of some sort for online banking security, but here in the good ole USA, we're yet again behind the times.

My fear is that each bank would adopt a different technology to implement this, and I would be keeping track of 7 different tokens right now. OTOH, that is not a bad price to pay for better security of my money and lower fees, etc. on my bank accounts.

The reality is that, despite the big inconvenience, US banking customers who are victimized aren't feeling a lot of pain. Banks here are priding themselves on how quickly they restore your money if someone wipes out your account. As such, there isn't a big demand from customers for a higher level of security, so the inconvenience caused by moving to a token-based system will likely not be very successful, unless something changes.

Jerry http://www.syslog.org/ [syslog.org]

Solution to multiple tokens... (1)

rdunnell (313839) | more than 9 years ago | (#11183286)

This is really why they are pushing federated identity so hard in various circles.

The solutions to multiple tokens are either to use a federated identity scheme where authentication may come from a business partner but authorization comes from your own systems (MS Passport, Liberty Alliance, etc) or to put certificates on smart cards that you already might have (e.g. an EMV chip card that also stores "money") so that having many tokens is not really a problem. It's possible that you could do both - have federated identity with smart card tokens. This will probably happen someday.

The former is probably a huge challenge in the area of contracts, working agreements, protocols, etc etc etc. but it's being pursued because it's a good idea and would ultimately be worth the challenge. The latter is pretty easy except in USA where smart cards are not so prevalent. I guess contactless chip (RFID) could work for this purpose though...

For the tin foil hat crowd, please note that "federated" does not mean "federal." Although it's perfectly conceivable that the government could provide this authentication service to its citizens/wards (and some countries probably already do), it probably wouldn't happen in the USA for various reasons IMO.

SecurID vs. Smart Cards (1)

tji (74570) | more than 9 years ago | (#11183324)

"RSA keys" in the title is a bit misleading.. It makes it sound like a full crypto implementation, using smart cards and all the capabilities that implies. Confusing the RSA crypto algorithm with the SecurID card, a product made by the company RSA.

SecurID is just a clunky authentication system using a hardware token to display numbers used for the authentication (although they do also offer software tokens; there is nothing magical about the hardware).

Why not go to a modern smart card system? It can store full certificates, and tie directly into really strong security/crypto. Tie the smart card / cert into the authentication of your system, and into IPSec, SSL, etc.

SecurID offers only the authentication piece, based on a completely closed algorithm.