Banks change minds on keyfob changeover
The approach that a number of major Australian companies and government departments are taking to RSA's revelation that the integrity of its widely used SecurID two-factor authentication system had been compromised is changing quickly, as major banks and other organisations discuss the matter with the security vendor and their customers.

The SecurID platform sees small devices commonly known as 'keyfobs' distributed to staff and customers of major organisations, who then use the randomised codes the devices generate to authenticate themselves when they log in to sensitive systems such as internet banking platforms or government systems holding vast swathes of data about citizens.

The technology is used by a number of major Australian household names, including the Commonwealth Bank, Westpac, ANZ, the Australian Taxation Office, the Department of Defence and Telstra, to name a few.

RSA executive chairman Art Coviello disclosed in mid-March that a hack attack had taken place against the SecurID platform, and the news hit headlines again this week as it was revealed that an attacker had tried to gain access to sensitive information at defence contractor Lockheed Martin through the compromised technology. In the wake of the issues, RSA has offered to replace all of the keyfob devices internationally, and has been discussing the issue with customers in Australia. However, not all have taken up the company's offer.

A Westpac spokesperson early yesterday said the bank would not reissue the RSA tokens to customers, noting that the devices were just one part of its overall security approach and stating that the security of online banking for customers had not been compromised through the recent issues.
This was consistent with responses to other media inquiries this week. However, just hours later — and after the revelation (by IT news service ZDNet) that rival ANZ would replace some 50,000 of the keyfobs — Westpac changed its tune, issuing a statement yesterday afternoon to the effect that it would in fact replace its tokens. A spokesperson for the bank said only a small number of customers had raised the issue, but it was enough to change the bank's stance.

Earlier today, a spokesperson for ANZ Bank confirmed a report by ZDNet that the bank had taken the reverse approach to its rivals and had decided to issue new RSA tokens to all customers and staff who currently hold them, about 50,000 people. ANZ said there would be no expense for ANZ customers as a result of the decision to replace the tokens.

The ATO will also replace its tokens.

Commonwealth Bank today said it would not replace the tokens it has issued to staff (it does not issue tokens to customers). The situation remains a little less clear with Telstra, with the telco not confirming whether it would replace its tokens.

In addition, not everyone agrees that changing the keyfobs over would actually resolve the security situation for RSA customers. Paul Ducklin, the head of technology for the Australian division of RSA rival Sophos, slammed RSA for not properly disclosing what the actual security break-in