Kinko's Password Hijacking Case: Why You Need RSA SecurIDs

July 29, 2003

The recent hijacking of customer passwords at Kinko's in New York City illustrates the need for a security technology that most people have never heard of: RSA Security's SecurID. (Disclaimer: I work for a network security services and products company, and one of the products on our line card is RSA Security. Another disclaimer: I'm in charge of our online sales and I'm familiar with the product lines, but that does not make me an expert on security.)

Here's what happened in the Kinko's case in a nutshell. A man named Juju Jiang installed keylogging software on rental computers at 14 Kinko's stores. The software, a commercial package called Keylogger, monitors keyboard input and records it to a log file that can be retrieved later and scanned for usernames and passwords. Using this technique, Jiang captured login information from 450 people, including online banking logins. He pleaded guilty and awaits sentencing.

How could this have been prevented? In the discussion on Slashdot, someone recommended smart cards. Jester99 responded with sensible reasons why smart cards and biometrics aren't much better than simple passwords. Here's the money quote:

Card, biometrics, passwords... when it comes down to it, they're all just numbers on a wire. And no one of them is any more secure than any other.

Smart cards and biometrics have their uses. An ATM card and a PIN is more secure than a PIN alone, but part of the reason is that the bank controls the computers in that situation. Juju Jiang installed a keystroke logger on Kinko's rental PCs. General purpose PCs aren't very secure. They have limited controls over software installation, input devices and output devices. Jiang could have installed a sniffer or a replacement hardware driver that logged signals from a fingerprint scanner, smart card, or other hardware token.
If the fingerprint scanner were external, he could have replaced it with one of his own that recorded input to a flash memory card. The key here is something called a replay attack. If I observe you enter your username and password (using a keystroke logger, network sniffer, video camera, or the naked eye), I can replay your authentication data by typing your username and password at a later time on my computer. If I monitor the signals coming from your smart card or fingerprint scanner, I can likewise replay those at a later time on my computer, even if it's a bit more difficult. The fundamental problem is that the authentication data is always the same: whatever is captured once is valid forever. What you need is a form of time-dependent authentication that has no potential for replay: a passcode with a built-in expiration.
Enter RSA Security's SecurID. SecurIDs have a microchip, a numerical seed value unique to each device, a clock, and a battery. The devices come in several formats, including smart cards and keychain fobs, as well as software versions for Windows, Palm OS, and some Ericsson and Nokia mobile phones. Every 60 seconds (30 seconds on some models) the device calculates a new passcode, based on the time of day and the seed value. When you log in to the remote office using your username, password, and passcode, an RSA ACE/Server at the remote office looks up your seed value in its database, performs the same calculation based on the time of day, and verifies that you entered the correct passcode. Even if I observe you entering the passcode, it does me no good. The passcode expires in 60 seconds (30 seconds on the more secure models), so a captured passcode is worthless once its window closes, which defeats replay attacks.

The downside? None, if cost is no object. The hardware tokens are about $60 per user, and the ACE/Server software runs about $100-$150 per user, depending on the version and the support package. So figure about $200 per user. So far, that price has kept the technology in the domain of the Feds, banks, and large corporations. RSA just introduced a starter kit for about $3,000 that includes the ACE/Server software, phone support, and key fobs for 25 users, and that may increase their customer base.

Posted by lesjones
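An added example, not from the original post and not RSA's proprietary SecurID function: a token side that derives a passcode from a shared seed and the clock, and a server side that repeats the calculation and rejects a passcode captured in an earlier window (or reused in the same one). HMAC-SHA1 over a 60-second time counter (the public TOTP construction) is assumed as a stand-in for SecurID's algorithm, and the seed, username and timestamps are constructed.

```python
import hmac
import hashlib
import struct

# Constructed seed for one token; a real token's seed is programmed at
# manufacture and known only to the token and the server's database.
SEED = bytes.fromhex("0123456789abcdeffedcba9876543210")
STEP = 60      # passcode lifetime in seconds (30 s on some models)
DIGITS = 6     # length of the displayed passcode


def passcode(seed: bytes, now: int, step: int = STEP, digits: int = DIGITS) -> str:
    """Token side: passcode = f(seed, clock). HMAC-SHA1 over the time counter
    is an assumed stand-in for RSA's function; the shape is what matters."""
    counter = now // step                      # same value for the whole window
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                    # dynamic truncation (as in TOTP)
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"


class Server:
    """Server side: looks up the user's seed and repeats the calculation."""

    def __init__(self, seeds: dict):
        self.seeds = seeds          # username -> seed (the server's database)
        self.last_counter = {}      # username -> newest window already accepted

    def verify(self, user: str, code: str, now: int, drift: int = 1) -> bool:
        seed = self.seeds.get(user)
        if seed is None:
            return False
        counter = now // STEP
        # Allow 'drift' windows of clock skew either side of the server's time.
        for c in range(counter - drift, counter + drift + 1):
            if hmac.compare_digest(passcode(seed, c * STEP), code):
                if c <= self.last_counter.get(user, -1):
                    return False    # already used this or a newer window: replay
                self.last_counter[user] = c
                return True
        return False                # no window in range matches: expired or wrong
```

A passcode captured by a keylogger at time t verifies only while t's window (plus the allowed drift) is current, and the server refuses to accept the same window twice.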