Banks Begin To Use RSA Keys

jnguy writes "According to the New York Times (free bacon required), banks are begining to look into using RSA keys for security. AOL has already begun offering its customers RSA keys at a premium price. Is this the future of security, and is it secure enough? How long before everyone needs to carry around 5 different RSA keys just to perform daily task?"

Heh? This is old news

[zxSpectrum]

I'm rather surprised: Several Norwegian banks have been using these RSA Hardware Tokens for a couple of years.

Article not about "RSA Keys" -- Hardware tokens

[Steven+Reddie]

The article is really talking about using hardware tokens for extra security since the private data is stored on an external token and can't be stolen by viruses, trojans, or phishing scams. I don't even see RSA mentioned in the article -- there is an inset picture of an RSA SecurID but that's as close as it gets.

Re:Article not about "RSA Keys" -- Hardware tokens

[HotNeedleOfInquiry]

Wells Fargo issues the RSA SecurID devices for security. Not a test, not a trial, My wife and I each have one.

This is news?

[Nehle]

My bank (SEB, www.seb.se) has been using a hardware token system for years. I click the sign in button, enter my birthdate, receive two four-digit numbers, start the little device, enter my password and the two numbers and get a six-digit number that I enter in the login page and then I get logged in.
Is this somehow different?

Oh, and by the way, works like a charm and I feel a lot more secure than I do with static passwords

This is new?

[wfberg]

I've been using physical tokens to log on to e-banking for years. Not only that, but tokens that are significantly more secure than securID fobs, in that they support challenge/response and using a PIN to unlock it (two-factor security, and the PIN is only used with the token so it needn't be known at all to the bank).

In fact, most banks are now switching to keypads that you plug your existing bankcard in, so they can piggyback on the tamper-resistant chipcard that's already on there (although it's slightly less advanced than some tokens, since chipcards don't support a clock that's permanently ticking).

Most devices are from Vasco who provide a wide range of tokens (some more secure than others). They even have challenge/response tokens that don't require you to copy the challenge; they have optical sensors that can read out a code that's blipped out by flashing blocks on your screen. Way cooler devices than those RSA securIDs.

Re:Banks are the problem

[Obiwan+Kenobi]

I call FUD. I've worked in banks (and credit unions) as a network admin for over six years, and that is some bullshit.

Now, understand that banks will use your information any way they can in-house, manipulate numbers and deposit totals and anything else analytical so they can sell a credit card or a loan (its called cross-selling). But what they cannot do is give your information to other 3rd parties without your direct consent unless its under federal mandate and/or decree (read: court order and/or the Patriot act).

Now this is all fine and good, but when you do something substantial with your money and/or your financial outlook (say, investing or buying a home), you open up yourself to offers from 3rd parties. You sign a document saying so.

Now the easiest thing is, before you sign something, ask them which companies are going to be behind this new venture. Whether it be an investing house (a lot of banks will farm out investing to a subsidiary and get kickbacks on it) or mortgages (who owns this loan? Can they sell it to a 3rd party mortgage company at a later date?), you need to simply be aware.

Feel free to google "Bank Privacy" and read up on the hometown banks and the big boys: They all pretty much say the same thing. If they are under FDIC (for banks) or NCUA (for credit unions), they all fall under the same guidelines: Your information cannot be shared unless you say so. The federal privacy statements which are mandatory to be handed out upon opening an account, etc, say the same thing.

Offshore data management services is simply a scarier way of saying Disaster Recovery. You want your bank to keep running even if the home office (or data center) explodes, right? Then don't start bitching about them backing up data in different places.

SEB uses VASCO SecureID tokens

[hanssprudel]

Since this is already being moderated up, I want to note that poster is wrong.

The system that the grandparent describes is based on VASCO "Digipass" devices, that work just like the RSA secureid tokens, only that they also support PINs and challenge/response authentication. That means that if everything is done correctly (which I can't swear to) these tokens, which SEB have been using for more than five years, are considerably more secure than the normal RSA SecureID.

Basically (very simplified) your normal SecureID will create a checksum from a secret and the current time, so the server can verify that person logging in is holding the token at this time. The Digipass, on the other hand, creates a checksum of the secret, the time, and the challenge from the server. This verifies that the person logging in has access to the token at this time, and created a checksum for this particular log in. And the fact that it also requires a personalized PIN to access the device means that stealing it will do you little good.

Re:Banks are the problem

[jasonditz]

The bank I used to use actually said the exact opposite: They can share with anybody unless you specifically tell them not to.

The thing is, every 3 months or so they send a new copy of the (slightly modified) privacy agreement and if you don't send them another letter saying don't share my info, they consider it acceptance of the 'new' policy.