About the PassMark Security Acquisition
Topics: Other
Just a quick heads up to point out that RSA Security today announced the purchase of PassMark Security. You may know PassMark Security as the company behind Bank of America's SiteKey system, which offers extra security to customers by displaying a secret image each time they sign in -- helping assure them that the site is legitimate. When I first learned of PassMark's offering to BofA last year, I pointed out to RSA Security's execs that in a single move PassMark would be helping to protect nearly as many online identities -- the 13 million BofA customers -- as the RSA SecurID(R) authentication technology had protected over two decades (somewhere around 20 million at the time). "Different segments of customers desire various forms of protection" would be the way we'd describe it less than a year later.

Following our acquisition of Cyota last December, we are now squarely on the road of adaptive authentication. We have a passion to help protect as many users as we can, so that they can realize the tremendous benefits of online commerce. PassMark Security's additional authentication and anti-fraud capabilities will further accelerate RSA Security's -- and our customers' -- progress along that road, and provide a greater ability to address the fast-moving consumer authentication market with a unique range of solutions. Look for more on this topic in the days and weeks ahead!

Comments

PassMark Security Acquisition

Recent articles have been discussing how sophisticated Keyloggers have become and how they are more than ever tied in with organized crime. Examples of the level of sophistication included the capability of keylogging programs designed to take screen snapshots, such as your login page, and to automatically sort through tons of information quickly to enhance gaining access into online accounts, such as answers to secret questions asked by the banks for account verification. SiteKey, used by BofA, as you know assigns a login picture that only you and the bank know. Therefore, when you receive an e-mail from BofA with your picture, you can rest assured that this e-mail was from BofA. If a Keylogger takes a snapshot of your login page and now has your secret picture, a Hacker only needs to send you an e-mail using that picture to request whatever information they want (Account #'s or Credit Card #'s, for example), and users will provide them answers because they believe the e-mail was sent by BofA. So SiteKey security, which is defenseless against Keylogging, is also basically useless now against sophisticated Phishing attacks. So why would RSA turn around and acquire PassMark Security, who developed SiteKey with BofA? Now RSA is going to offer a useless security system to millions of consumers who trust the name RSA Security, and professional Hackers are going to have a field day ripping off innocent people.

- Mike

Keylogging and Man-in-the-Middle Attacks

The short answer to this question is absolutely not. Today's online environment amounts to a very dynamic arms race: the fraudsters develop tools against anti-fraud measures, and we need to stay one step ahead all the time. That's why RSA does not believe in a single point of security, but rather a layered approach. Even if one layer is breached--which may happen--there are other layers, some hidden, that will prevent actual fraud from occurring. The combination of a visible security mechanism such as Bank of America's Site Key (powered by PassMark) and a transparent security mechanism such as RSA Security's Risk-based Authentication allows banks to bolster both customer security and confidence in the online channel.

Keylogging and Man-in-the-Middle Attacks

Layered Security is good, but use your Token with SiteKey. Your Risk-based Authentication solution and SiteKey working together may not help BofA as much. Cyota's software performs a Challenge/Response only if it determines that the risk is high from someone accessing your account. Intrusion software can enter via e-mail, etc., therefore slipping under its radar and planting a Keylogger on your PC. Now only Hardware will prevent it from accessing your account. This is why I've promoted Hardware solutions, which is all BofA really needed in the first place. Some major Credit Card companies will not accept software security solutions because they know software-only solutions are vulnerable to being hacked. Microsoft is experiencing this every day. Now, if a Token costs too much, then you're stuck in a higher-risk situation by having to use only software. Financial Institutions deserve the best possible protection to offer all their online banking members, which should include some form of Hardware at a minimum. I believe this is the best way to provide even layered security. Man in the Middle is a possibility but highly unlikely. The last time I spoke to your RSA security folks, they had never seen it used, and neither have I. If proper channels are used to transmit your accessing data, then this type of attack can also be eliminated. Best, Mike

- Mike

Keylogging

What about Bharosa's Solution? Why didn't RSA purchase Bharosa instead? Tracker and Authenticator?

- Lori