
Feature

Token Debate: Worthless, Worthless

30 August 2012
Richard Hollis, ISACA

This sums up the opinion of ISACA’s Richard Hollis when it comes to the value of token-based authentication

In my opinion, the answer to the question of whether tokens are more secure and worth the expense is, simply, no. Tokens may have addressed the problems we faced a decade ago, but not the ones we are encountering today. Token authentication provides little more than the appearance of security. The definition is clear:

Token –
Noun: A thing serving as a visible or tangible representation of something abstract.
Adj: Done for the sake of appearances or as a symbolic gesture.

The nominal value of tokens may have been worthwhile 10 or 15 years ago, but today it is worthless. First and foremost, hardware tokens are built on a shared secret: the seed programmed into each token is also held on the authentication server, and vendors typically keep their own copy of those seeds for recovery and licensing purposes. So the secret on which the whole scheme rests is created, and must be protected, by the vendor as much as by the customer.

The reality is that tokens are only as secure as the vendors that provide them. Let's face it, these secrets sit in servers and databases running the same applications that we are struggling to secure daily. Vendor systems are no different from any other. Believing that vendors are more secure than the businesses they sell their goods to is a big mistake. This was clearly illustrated by last year's RSA breach. Following that compromise, EMC, RSA's parent company, spent more than $66 million to investigate and 'harden' its systems.

Our industry has always been product-led, and the message it feeds our market is that we need some kind of technology ‘thing’ to be secure (e.g., a firewall, an intrusion detection system, a token). We are led to believe by many that real security can only be found in a kit, even though time and time again, this has proven false.

Software tokens based on shared secrets face the same risk. Software tokens that use an asymmetric key pair generated locally avoid the vendor-held secret, but they are not infallible either: the private key lives on the same device the malware runs on, which makes them extremely vulnerable to malware attacks.

Malware today is omnipresent. Malware running on the user's machine can read or use anything the user's own software can, so this type of authentication provides no real security against it. Needless to say, if the machine that holds the key is already running malware, then you have bigger problems at hand, and authentication is probably the least of your worries. The power and creativity of today's malware threat dwarfs any software token's value in reducing real risk to the enterprise.

Simply put, tokenization doesn't meet today's threats. It doesn't secure online financial transactions, prevent identity theft, or defend against phishing. Today's threats include fake banking websites (man-in-the-middle attacks), where the user is lured to a fraudulent site and enters their password and the current token code, and the fraudster at the other end submits the same credentials to the bank's real website at once, before the code expires. The attacker relays whatever the bank asks for until the session is established, then disconnects the user. Failing that, a simple Trojan in the browser lets an attacker piggyback on the user's own authenticated banking session (a man-in-the-browser attack) and get the same access.
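The following is an added example, not code from the article or from any token vendor, that makes two of the points above concrete with a minimal RFC 4226/6238 one-time-password token: first, that a token is only as secret as its seed (anyone holding the seed, whether the vendor's backup or an attacker who copied it, produces identical codes), and second, that a code proves nothing about where it was typed, so a fake site that forwards it to the real bank within the validity window is accepted. The user name, the toy `Bank` class and the use of the RFC 6238 test seed as "Alice's token" are constructed for illustration.

```python
"""Added example (not part of the original article): a minimal RFC 4226/6238
OTP token and verifier, used to show (1) that a copy of the seed is as good
as the token itself and (2) that a phished code relayed inside the validity
window is accepted as the user. All names, seeds and the toy bank are
constructed for illustration."""
import hashlib
import hmac
import struct


def hotp(seed: bytes, counter: int, digits: int = 6) -> str:
    """HOTP per RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter,
    dynamic truncation to 31 bits, then the low `digits` decimal digits."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(seed: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """TOTP per RFC 6238: HOTP with counter = floor(time / step)."""
    return hotp(seed, unix_time // step, digits)


class Bank:
    """Toy verifier. Like a real OTP server it holds the same seed as the
    token (the article's 'shared secret') and accepts a code matching the
    current time step or one step either side, to tolerate clock skew."""

    def __init__(self, users: dict):
        self.seeds = dict(users)  # username -> seed bytes (the server's copy)

    def login(self, user: str, code: str, now: int) -> bool:
        seed = self.seeds.get(user)
        if seed is None:
            return False
        for skew in (-1, 0, 1):
            if hmac.compare_digest(totp(seed, now + 30 * skew), code):
                return True
        return False


# Constructed scenario: Alice's token seed, issued by a vendor that keeps a copy.
ALICE_SEED = b"12345678901234567890"   # RFC 6238 test seed, standing in for Alice's token
VENDOR_BACKUP = {"alice": ALICE_SEED}  # what a breach of the vendor's seed database exposes
bank = Bank({"alice": ALICE_SEED})


def stolen_seed_login(now: int) -> bool:
    """Point 1: with the seed from the vendor's database an attacker never
    needs Alice's physical token; the computed code is accepted."""
    attacker_code = totp(VENDOR_BACKUP["alice"], now)
    return bank.login("alice", attacker_code, now)


def relay_login(now: int, relay_delay: int) -> bool:
    """Point 2: Alice types her current code into a fake banking site and the
    attacker forwards it to the real bank `relay_delay` seconds later. It is
    accepted as long as the relay lands inside the bank's skew window, which
    an automated relay always manages."""
    alice_code = totp(ALICE_SEED, now)                # produced by her real token
    phished = {"user": "alice", "code": alice_code}   # captured by the fake site
    return bank.login(phished["user"], phished["code"], now + relay_delay)


if __name__ == "__main__":
    t = 1111111109
    print("RFC 6238 vector, t=59:", totp(ALICE_SEED, 59, digits=8))  # 94287082
    print("attacker holding vendor seed accepted:", stolen_seed_login(t))
    print("relayed code accepted after 10 s:", relay_login(t, 10))
    print("relayed code accepted after 5 min:", relay_login(t, 300))
```

The skew window is the detail a practitioner should notice: at `t = 1111111109` the time step rolls over one second later, yet the 10-second relay still succeeds because the verifier accepts the neighbouring step. Only a relay delayed by minutes (the 300-second case) is rejected, and real-time phishing kits do not wait that long.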

Recent headlines include the news that more than $128 million (£78m) was siphoned from accounts at 60 financial institutions across Europe, allegedly by members of a Russian organized gang. The attackers used a combination of off-the-shelf and customized malware to simulate the customers' token authentication against the banks' servers, thereby gaining access to the accounts and transferring money to pre-paid debit cards or other accounts. Not only did the attackers bypass the token security, they also evaded the banks' network security monitoring tools by initiating the transfers from the server side, out of sight of the client-side checks those tools relied on.

Let’s face it: tokens are not up to today’s security challenges. Serious security threats come to us in disguise. Fraudsters use an ever-changing arsenal of tools to impersonate people, technology and devices to defeat security defenses. Tokens are just another area left open to fraud. In a simple side-by-side comparison, non-token authentication is far more efficient, cost effective and robust than tokenization.


Richard Hollis serves on the ISACA Government and Regulatory Advocacy (GRA) Subcommittee, promoting best security practices and information security guidance globally. Hollis is also the CEO of Orthus Information Risk Management, a European consulting firm. He previously served as director of security for Phillips, Paris.


Comments

Shift4SMS says:

12 September 2012
While I agree with your argument that tokens in and of themselves are useless against certain forms of attack, I totally disagree with your conclusion that they are worthless. True security is made of multiple layers and no one layer can make for a 100% secure system -- short of the power switch, and I imagine some would argue that even that is not 100% secure. In fact, even using multiple layers, nothing can be made 100% secure.

While your argument is accurate, your conclusion that this layer or control is worthless can be said for each and every layer of security. Should we conclude every layer is useless? Let's apply the conclusion to other layers:

• A firewall in and of itself will not prevent cross-site scripting or SQL injection, so firewalls are worthless
• SSL encryption in and of itself is susceptible to man-in-the-middle attacks, so SSL is useless
• User passwords (ignoring tokens) can be shared or written on post-it notes and thus compromised, so all passwords are a waste of time
• Encryption keys can be compromised by various means, so encryption is useless (this point you mentioned, but in the context of tokens’ shared secret)
• Etc., etc., etc.

Which leads to the final conclusion, security is a waste of time, effort, and money. This conclusion I completely disagree with.

Also you started with the premise "Tokens may have addressed the problems we faced a decade ago, but not the ones we are encountering today" and you argue that this control has no value. While I argue that there is benefit in tokens, let's assume for a moment that you are right and they have no value. Once this control is out of the mix, what's to stop the decade old problem from returning? After all, many times "security" and "fashion" seem to parallel. Everything old can become new again; what's out-of-style today will be back in-style tomorrow.

Lastly, and what caught my eye, you specifically mentioned "tokenization". I have never heard tokenization used in the context of hardware- or software-based authentication-related tokens. Tokenization, at least the current industry jargon, is usually applied to PCI, where a token substitutes as payment card data, and sometimes PII, where a token represents one or more pieces of personal information like a social security number. The reason I know this is that Shift4 invented the term back in 2005 (see http://www.shift4.com/pr_20051005.cfm, http://paymenttidbits.blogspot.com/2006/06/better-mousetrap-tokenization-part-1.html, http://paymenttidbits.blogspot.com/2006/06/better-mousetrap-tokenization-part-2.html). While PCI's definition of tokenization does introduce the shared secret vulnerabilities you mention, TrueTokenization does not, as there is no shared secret and the tokens are truly random (see http://www.shift4.com/blog/post.cfm/tokenization-the-newest-horse-err-camel-in-the-stable).

Winfrasoft says:

06 September 2012
Richard makes some good and valid points. The banking attacks he refers to (a.k.a. Operation High Roller) are clear proof that the current 2FA implementation model no longer serves the purpose it was intended to do. When the likes of RSA can even be compromised it should be assumed that vendor storage of shared secrets is no longer a viable mechanism either. In this case, yes, the token is only as secure as the vendor. Malware is an issue, it is here to stay and it is wild on all platforms - yes even you with that iPad!

The other problem with the traditional token is that it doesn't actually prove you are who you say you are. All it proves is that somebody in possession of the token has the ability to read some digits off the screen and type them into a keyboard, again, not serving the purpose it was originally intended to do.

While all these points are perfectly valid, not all strong authentication systems are designed and built the same, and as such should not be tarred with the same brush. The "token" failed so spectacularly because everybody was doing the same thing as it was considered to be a "safe" option - i.e. get RSA or the closest lower cost copy. Nobody thought outside the proverbial box. But what if the banks used a strong authentication system where only the intended user could utilise the "token", and in a way which could not be emulated by somebody else? Plus the vendor didn't retain any seed information at all. If the system then also had the ability to link the user's identity to an action, say authorising a payment, suddenly most of the issues with traditional tokens simply go away. Basically bringing the original intended purpose of the "token" into the 21st century.

One such solution is Winfrasoft PINgrid. PINgrid is able to combine something you know with something you have, as well as something you are doing, together to produce a one-time code. Furthermore the elements cannot be separated out to be gleaned by spyware or a man-in-the-middle. The key elements are a memorised pattern (which is never entered onto a device anywhere so can't be captured), and a free app-store-based smartphone app making it readily available.
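The comment above proposes linking the user's identity to an action such as authorising a payment. The example below is added to illustrate that general idea (transaction-bound one-time codes); it is not PINgrid, whose internals the page does not describe, and not code from the article. The code is computed over the payee, the amount and a per-transaction nonce as well as the seed, so a code phished or relayed for one payment is useless for any other, and a man-in-the-browser that rewrites the payee produces a code the bank rejects. The user, seed, account identifiers and the toy `Bank` class are constructed for illustration.

```python
"""Added example (generic transaction-signing, not any vendor's product): the
one-time code is bound to the transaction it authorises. Names, seed,
account identifiers and the toy bank are constructed for illustration."""
import hashlib
import hmac


def transaction_code(seed: bytes, payee: str, amount_cents: int,
                     nonce: str, digits: int = 8) -> str:
    """Code over (payee, amount, nonce) with HMAC-SHA256 on a canonical,
    NUL-separated encoding. The nonce is issued by the bank per transaction,
    so even an identical payment tomorrow needs a fresh code."""
    msg = f"{payee}\x00{amount_cents}\x00{nonce}".encode()
    mac = hmac.new(seed, msg, hashlib.sha256).digest()
    return str(int.from_bytes(mac[:8], "big") % 10 ** digits).zfill(digits)


class Bank:
    """Toy verifier: records the payment the *browser* submitted (which may
    have been tampered with), hands back a nonce, and only releases the
    payment if the code matches what it recorded."""

    def __init__(self, users: dict):
        self.seeds = dict(users)
        self.pending = {}   # nonce -> (user, payee, amount_cents)
        self.counter = 0

    def request_payment(self, user: str, payee: str, amount_cents: int) -> str:
        self.counter += 1
        nonce = f"txn-{self.counter:06d}"
        self.pending[nonce] = (user, payee, amount_cents)
        return nonce

    def confirm(self, nonce: str, code: str) -> bool:
        txn = self.pending.pop(nonce, None)   # a nonce is usable exactly once
        if txn is None:
            return False
        user, payee, amount = txn
        expected = transaction_code(self.seeds[user], payee, amount, nonce)
        return hmac.compare_digest(expected, code)


ALICE_SEED = b"constructed-seed-for-alice"   # constructed; never a real seed
bank = Bank({"alice": ALICE_SEED})


def honest_payment() -> bool:
    """Alice pays Bob; her device computes the code over the details she keyed in."""
    nonce = bank.request_payment("alice", "GB00BOB", 5000)
    code = transaction_code(ALICE_SEED, "GB00BOB", 5000, nonce)
    return bank.confirm(nonce, code)


def man_in_the_browser_payment() -> bool:
    """A Trojan rewrites the payee to a mule account before the request
    reaches the bank. Alice still signs the payee she intended, so the code
    the bank expects (over GB00MULE) does not match and the transfer fails.
    Assumes the nonce and amount reach Alice's device unaltered and that she
    enters the payee herself; a Trojan that controls the device too defeats this."""
    nonce = bank.request_payment("alice", "GB00MULE", 5000)
    code = transaction_code(ALICE_SEED, "GB00BOB", 5000, nonce)
    return bank.confirm(nonce, code)


def relayed_code_reuse() -> bool:
    """A fake site harvests a valid code for one payment and tries to spend
    it on a different one: the nonce and payee differ, so it is rejected."""
    nonce1 = bank.request_payment("alice", "GB00BOB", 5000)
    code = transaction_code(ALICE_SEED, "GB00BOB", 5000, nonce1)
    nonce2 = bank.request_payment("alice", "GB00MULE", 5000)
    return bank.confirm(nonce2, code)


def replayed_confirmation() -> tuple:
    """The same valid code presented twice: accepted once, then the nonce is spent."""
    nonce = bank.request_payment("alice", "GB00BOB", 5000)
    code = transaction_code(ALICE_SEED, "GB00BOB", 5000, nonce)
    return bank.confirm(nonce, code), bank.confirm(nonce, code)


if __name__ == "__main__":
    print("honest payment accepted:", honest_payment())
    print("tampered payee accepted:", man_in_the_browser_payment())
    print("harvested code reused on another payment:", relayed_code_reuse())
    print("same code presented twice:", replayed_confirmation())
```

The caveat in `man_in_the_browser_payment` is the one the article's malware argument turns on: binding the code to the transaction only helps if the payee and amount the user confirms are shown or entered on a channel the malware does not control. If the same compromised browser renders the confirmation screen, the attacker simply shows the user the original payee while the bank holds the mule account.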

brian-basgen says:

04 September 2012
This article makes a good point regarding the vulnerability of shared secrets, but there is a structural problem to this argument raised when malware is discussed. This portion of the argument is focused on downplaying the role and importance of authentication in general for meeting "today's threats". This then leads to a conclusion that is further disconnected from the argument, referring to a "side-by-side" comparison which wasn't seriously discussed.

While vendor shared secrets are a valid vulnerability, the prevalence of malware does not negate the importance of strong authentication methods. A side-by-side comparison of the two would in fact be useful, and here you would find a more nuanced view where tokens present some challenges, but certainly provide some benefits such as improving password strength for regular end-users.
