
RSA clients gagged on hacks

Julian Bajkowski | April 8, 2011
A senior executive of RSA Security has admitted that the company has required corporate customers to sign non-disclosure agreements before receiving technical advice on how to close possible new security holes arising from a hacking raid on the company.

The move by the world's biggest maker of computer pass-code fobs to impose a code of silence about the nature of the technical fixes has angered sections of the banking community.

Banks face the prospect of footing the bill to fix security systems that rely on RSA's devices, after the company fell victim to a highly sophisticated cyber attack that resulted in sensitive data being stolen.

In an interview with The Australian Financial Review, RSA's head of new technologies and consumer identity protection, Uri Rivner, and a company spokeswoman confirmed the company was attempting to stop customers from talking publicly.
But they claimed the measure was necessary to keep clients and their customers safe and help catch the perpetrators of the attack against the company.

"Customers get very clear guidelines, which are not made public," Mr Rivner said. "I understand the frustration of not being able to get full information from a public perspective."

RSA's security breach is a particular problem for banks because they often charge customers who make higher-value online transactions $30 to $100 per fob for an added security measure whose effectiveness is now in doubt.

A big issue banks will now have to manage is how they can continue to charge customers fees for devices that are potentially no longer secure.

Most banks also issue RSA fobs to their staff for authorised access to internal bank systems. Those systems are now likely to need their access security mechanisms upgraded, and the fobs themselves may have to be replaced.

Bank executives, who spoke on condition they were not identified, described RSA's tactics as akin to corporate blackmail.
It is understood that at least two institutions are seeking legal advice on their position with RSA following the disclosure of the security breach.

A further complicating factor for customers is that RSA has resolutely avoided saying who it believes may have been responsible for hacking into its systems.

So far it has described the penetration only as an "advanced persistent threat," a term borrowed from military usage that is sometimes applied to foreign intelligence collection attempts.

"I am not in a position to name anyone or say that it was state sponsored or not," Mr Rivner said.

RSA's spokeswoman said the perpetrators were "bad people".

She claimed that one reason for enforcing non-disclosure was that customers who talked among themselves could prejudice investigations into the incident.

"If we have a customer in Australia who rings up their mate in America and says 'this is all the information we have' it could potentially affect the law enforcement investigation," the spokeswoman said.
