Cryptocard speaks out following RSA attack

Resellers should be aware of architectural differences between 2FA vendors in wake of RSA hack, says rival

Cryptocard's unique approach to seed data could help it win channel mindshare following the RSA attack, the two-factor authentication (2FA) vendor has claimed.

Although not confirmed by RSA itself, analysts have widely assumed that last month's attack compromised the seed files that generate the unique passwords in RSA's SecurID tokens.

Cryptocard claims it is the only tier-one 2FA hardware token vendor that gets the customer to seed the tokens, rather than 'pre-seeding' them itself, making it invulnerable to such an attack.

Cryptocard chief executive Neil Hollister told CRN: "RSA has clearly had a highly complicated attack against it and is doing its best.

"But, assuming it is the seed data that has been compromised, it cannot change the fact that there has been a very significant compromise because of an architectural decision and that is something channel partners and customers are going to have to think about."

As reported by CRN, RSA partners were left fielding calls from concerned end users in the wake of the attack, which was classified as an advanced persistent threat, and Hollister claimed many have had their loyalty tested to breaking point.

"There are an enormous number of very significant RSA partners that are exploring their options right now, and some of them are proceeding," he continued. "We expect to be a very significant beneficiary."

Hollister stressed that RSA had dealt with the crisis with "extreme professionalism".

But he added: "It is very important for us that this is brought to light. For years, RSA has used the fact that it takes our customers time to install the seed into the token as a competitive weapon against us. It is an added overhead, but the payback is greater security."

Clive Longbottom, principal analyst at Quocirca, agreed that some partners are "running around like headless chickens" but cautioned against hubris from rival vendors.

"If I were an RSA partner, I would be working with RSA to ensure I have a solid story for the customer base and not looking to jump to another vendor," he added.

"RSA has a hill to climb to persuade people this was a one-off. But this has shaken the whole security industry and no one can really go around saying that they are 100 per cent secure. People will be wary for a period of time while they work out exactly what the [RSA attack] means," he said.

Kay Bruen, founder of channel consultancy firm Clipsham IT, said RSA's fate rests on how quickly it can apply a fix. "If it can apply a fix that is credible to customers and one they feel is uncrackable for another ten years, then it may get away with it," she said. "But if it doesn't then it's an opportunity for others to profit."