Token Debate: Worthless, Worthless

"Tokens are not up to today’s security challenges", says ISACA's Richard Hollis
"Tokens are not up to today’s security challenges", says ISACA's Richard Hollis

In my opinion, the answer to the question of whether tokens are more secure and worth the expense is, simply, no. Tokens may have addressed the problems we faced a decade ago, but not the ones we are encountering today. Token authentication provides little more than the appearance of security. The definition is clear:

Token –
Noun: A thing serving as a visible or tangible representation of something abstract.
Adj: Done for the sake of appearances or as a symbolic gesture.

The nominal value of tokens may have been worthwhile 10 or 15 years ago, but today, it is worthless. First and foremost, hardware tokens are based on shared secrets, and all vendors maintain a copy of those secrets for their recovery and licensing purposes. So, the security foundation of token authentication is established and maintained solely by the vendor.

The reality is that tokens are only as secure as the vendors that provide them. Let’s face it, these secrets sit in system servers and databases running the same applications that we are struggling to secure daily. Vendor systems are no different from any other. Believing that vendors are more secure than the businesses they sell their goods to is a big mistake. This was clearly illustrated by last year’s RSA breach. Following that compromise, EMC² – RSA’s parent company – spent more than $66 million to investigate and ‘harden’ their systems.

Our industry has always been product-led, and the message it feeds our market is that we need some kind of technology ‘thing’ to be secure (e.g., a firewall, an intrusion detection system, a token). We are led to believe by many that real security can only be found in a kit, even though time and time again, this has proven false.

Software tokens based on shared secrets face the same risk. Software tokens based on asymmetric encryption with keys generated locally are not infallible – they are extremely vulnerable to malware attacks.

Malware today is omnipresent. Given that malware often trumps software, this type of authentication method provides no real security. Needless to say, if you have malware on your encryption server, then you have bigger problems at hand, and authentication is probably the least of your worries. The power and creativity of today’s malware threat dwarfs any software token’s value in reducing real risk to the enterprise.

"The reality is that tokens are only as secure as the vendors that provide them"

Simply put, tokenization doesn’t meet today’s threats. It doesn’t secure online financial transactions, prevent identity theft, or defend against phishing. Today’s threats include fake banking websites (man-in-the-middle attacks), where a user is taken to a fraudulent site, enters their password and token values, and the receiving fraudster uses this information to simultaneously access the bank’s real website. Attackers then relay the information until they get access and disconnect the user. If not, installation of a simple Trojan allows an attacker to piggyback a user’s session with their banking site to get this same access.

Recent headlines include the news that more than $128 million (£78m) was siphoned from accounts at 60 financial institutions across Europe, allegedly by Russian organized gang members. The attackers used a combination of off-the-shelf and customized malware to simulate the customers’ token authentication on the banks’ servers, thereby gaining access to the accounts and transferring money to pre-paid debit cards or other accounts. Not only did the attackers bypass the token security, they got around network security monitoring tools on the bank’s network by enabling the transfers directly from the server side of the bank accounts.

Let’s face it: tokens are not up to today’s security challenges. Serious security threats come to us in disguise. Fraudsters use an ever-changing arsenal of tools to impersonate people, technology and devices to defeat security defenses. Tokens are just another area left open to fraud. In a simple side-by-side comparison, non-token authentication is far more efficient, cost effective and robust than tokenization.

Richard Hollis serves on the ISACA Government and Regulatory Advocacy (GRA) Subcommittee, promoting best security practices and information security guidance globally. Hollis is also the CEO of Orthus Information Risk Management, a European consulting firm. He previously served as director of security for Phillips, Paris.

What’s hot on Infosecurity Magazine?