before RSA even bought security dynamics ... there were comments that secureid represented a "systemic risk" (aka various failure scenarios propagate throughout the infrastructure)
Posted by Lynn Wheeler at June 7, 2011 11:57 AMa decade ago there were lots of programs to deploy ("something you have") smartcards as part of two-factor authentication ... requiring smartcard "readers". In the financial industry there were give-aways of (obsolute) serial-port smartcard readers that ran into enormous problems & support costs ... eventually tanking the programs and prompting rapidly spreading rumor that smartcards weren't practical (it really wasn't a smartcard problem but a serial-port smartcard reader issue). this helped with an upswing in secureid since it only required existing PC display & keyboard.
part of the issue was that only 5-6 years earlier, there were a number of financial industry presentations about moving consumer dial-up online banking to the internet. a major justification was the significant support costs related to supporting serial-port dial-up modems for proprietary dialup banking (moving to the internet effectively transfers all that responsibility to the ISP).
one of the issues was that in the short 5-6 year period ... apparently all the financial industry institutional knowledge regarding serial-port problems & support costs (whether modems or smartcard readers) was lost; ... a major requirement for USB was to eliminate lots of the serial-port issues.
Posted by Lynn Wheelere at June 7, 2011 01:17 PMExcept the goal isn't security as you well know, the goal is pass audits and security theater. The assorted community will blame the vendor (i.e. nobody get fired for buying Microsoft/Cisco/RSA), take the patch/fix, then move on with the same practice. Nothing changes except via generational attrition short of a game changer and a RSA/token breach isn't it.
Posted by Peter at June 7, 2011 02:13 PMAcknowledging that information taken from a hack of its IT systems in March had been used to breach Lockheed Martin computers, security products maker RSA said Monday it would replace SecurID multifactor authentication tokens for customers who typically protect intellectual property and corporate networks.
In an open letter from RSA Executive Chairman Arthur Coviello Jr. to SecurID customers posted on its website, the security unit of storage vendor EMC also offered to implement risk-based authentication strategies for consumer-focused customers with a large, dispersed user base, typically focused on protecting web-based financial transactions. ....
Posted by Turning a breach into a selling opportunity.... at June 8, 2011 05:06 PM