[Clips] RSA Security Sees Hope in Online Fraud
R.A. Hettinga
rah at shipwright.com
Tue Aug 23 09:02:00 EDT 2005
--- begin forwarded text
Delivered-To: clips at philodox.com
Date: Tue, 23 Aug 2005 09:01:29 -0400
To: Philodox Clips List <clips at philodox.com>
From: "R.A. Hettinga" <rah at shipwright.com>
Subject: [Clips] RSA Security Sees Hope in Online Fraud
Reply-To: rah at philodox.com
Sender: clips-bounces at philodox.com
<http://www.technologyreview.com/articles/05/08/ap/ap_082205.0.asp>
Technology Review
TechnologyReview.com
RSA Security Sees Hope in Online Fraud
By Brian Bergstein August 22, 2005
AP Technology Writer
BEDFORD, Mass. (AP) -- It was a Friday afternoon for the computer
encryption folks at RSA Security Inc., and summertime greenery filled the
countryside view from Art Coviello's office.
Even so, the RSA chief could have been excused if he didn't seem relaxed.
RSA had just announced its second straight set of quarterly results that
didn't dazzle Wall Street analysts, and RSA's stock was flirting with a
52-week low.
But Coviello shrugged it off. Analysts, schmanalysts. More importantly, he
said, lots of factors are about to turn in RSA's favor, namely the need for
more secure, traceable financial transactions in a world beset by online
fraud and identity theft.
"The whole thing's moving a lot more slowly than it ought to," Coviello
said. "We've got to keep pounding and pounding until we reach a tipping
point, and we will take advantage of it."
The lack of an obsession over quarterly results isn't the only unusual
thing about RSA, which still bears the marks of an academic past despite
being a $300 million company with 1,200 employees and customers in
government, banking and health care.
RSA is named for three Massachusetts Institute of Technology professors,
Ron Rivest, Adi Shamir and Len Adleman. Though they are no longer involved
with the company they founded in 1986, their invention of a seminal method
of cryptography set the tone for the company and is crucial in online
commerce.
Today RSA is perhaps best known for staging a prestigious annual security
conference and for selling 20 million little devices that display a
six-digit code computer users must type to gain access to computer
networks. The code, which changes every minute as determined by an
RSA-created algorithm, is unique to each "SecurID" token, making it
useless to a snoop.
The requirement that users enter the code in addition to a password is
known as two-factor authentication, an approach that figures to gain ground
over simple passwords as more and more sensitive data move online.
Indeed, RSA's sales of authentication products jumped 16 percent last year,
as RSA's overall profits more than doubled, to $35 million. E-Trade
Financial Corp. and America Online Inc. began offering SecurID devices to
some customers over the past year. The Associated Press also uses the
tokens for network access.
"It is the Kleenex or Q-Tip of two-factor identification," said Gregg
Moskowitz, an analyst with the Susquehanna Financial Group. "SecurID is
the brand name."
But wide deployment in consumer applications has come slowly.
In theory, every institution that does business on a Web site could
increase its security by offering its users RSA tokens.
But practically, it would be a nightmare to have 20 different devices with
their own codes. And banks apparently don't trust one another enough to
accept a competitor's authentication token.
RSA hopes to smash such hang-ups by acting as an intermediary, launching a
new "hosted" service this fall in which its servers will check whether a
consumer entered the proper token code -- even if the token was made by an
RSA rival -- then relay the "yea" or "nay" back to the bank. RSA already
provides such a service for companies' internal access control, but has yet
to offer it for consumer applications.
Investors will be watching closely. Although Coviello is confident that
wider trends in access control -- such as rampant identity theft and abuse
of Social Security numbers -- should play to RSA's strengths, he
acknowledges that RSA needs to do more to push the market rather than wait
for it.
That means RSA has to be much more than the company known for
authentication tokens -- a product that some analysts say is coming down in
price because of competition. RSA also hopes to expand its sales of
software and security consulting services, where heftier rivals such as
VeriSign Inc. and International Business Machines Corp. also lurk.
"When you consider all the identity theft that is taking place now, the
challenge for RSA is to monetize that," Moskowitz said. "It's easier said
than done."
RSA believes one key differentiator can be its research arm, including the
eight people in "RSA Labs," a group so focused on the advanced mathematics
behind cryptography that it is described as an academic institution within
the company.
RSA researchers are expected to dream up ways to expand the use of
two-factor authentication, though sometimes that puts the company a bit
ahead of the market.
One system being developed would use radio-frequency chips in keyless
office access cards so employees wearing one can automatically access their
secured computers as soon as they near them. Such a system would use a
fingerprint reader on the computer to confirm identity. That product won't
be ready, though, for a year or two.
Then there's an effort, led by labs director Burt Kaliski, to give users a
better way to confirm the legitimacy of Web sites -- and avoid "phishers"
who set up phony sites to lure passwords and account information from the
unsuspecting.
Kaliski envisions a system in which Web browsers or even computer operating
systems act as an intermediary between a user and a site. Through the
principles of encryption, the intermediary software could tell the Web site
that the user entered the proper password without sending the actual
password.
In another realm, RSA has created a "blocker tag" that ensures that
radio-frequency identification chips can be scanned only by designated
readers. It could be an elegant answer to the question of whether RFID
chips, which are designed to streamline corporate inventory systems, might
pose privacy risks for consumers. (The chips also are coming to U.S.
passports, raising fears that American travelers overseas could be
surreptitiously, remotely tracked.)
But for now this and other RFID solutions sit on the shelf, since the
deployment of such tags has been slower than predicted.
"That is the hardest thing for a technology company to do," Coviello said.
"You have to anticipate a market, not get too far ahead of customers, but
you want to be there when they come around."
But he quickly added: "We've been around 20 years, and I think the market
opportunity ahead of us is richer than ever before."
--
-----------------
R. A. Hettinga <mailto: rah at ibuc.com>
The Internet Bearer Underwriting Corporation <http://www.ibuc.com/>
44 Farquhar Street, Boston, MA 02131 USA
"... however it may deserve respect for its usefulness and antiquity,
[predicting the end of the world] has not been found agreeable to
experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire'
--- end forwarded text
---------------------------------------------------------------------
The Cryptography Mailing List