NFC: what the RSA security breach should teach every techy

Quite a reaction last week when the news broke about the RSA SecurID breach. Someone may now know how to compromise two-factor tokens.
Technology isn't everything. RSA should tell us that!
Whilst every villain knows how to work around two-factor authentication anyway, the exposure of the underlying algorithm should have been viewed as inevitable. Before I'm castigated for saying this, let me explain…

The inherent weakness in every technology

RSA's SecurID has secured corporate remote system access for over 15 years. The technology generates one-time pass-codes to replace passwords.

The pass-code appears on a small token held by the user, allowing login access. But every computer scientist knows such pass-codes are never “one-time”.

All computers work digitally: they perform in steps and sequenced operations. However random the numbers seem, they'll ultimately repeat by their very nature. Early RSA tokens only generated unique codes for five years before repetition.

The attack and successful breach that exposed the RSA algorithm is not good, but it's more of a disaster for RSA's marketing department than for its overall security. SecurID merely demonstrates the limiting factor of all security hardware.

And that is that any technology can be broken more quickly than it can be developed.

What NFC needs to learn from RSA’s experience

NFC places all its security eggs into one tiny basket called the Secure Element. This is the central powerhouse of its security model. Experts say now, as they did with SecurID, that it's impenetrable and safe.

But, driven as they are by the marketing rush to be first to market, they're ignoring that there is someone just as clever as them working on breaking NFC.

When that happens, it won't just be a minor corporate headache for some road-warrior sales guy or travelling exec; it could expose the bank accounts of many affluent bank customers with the latest generation of NFC-enabled smartphones.

Somebody needs to grab hold of the collars of the techies and hold them back. We need strong back-end systems in place to properly manage the risk.

Because breaking NFC or breaching the design systems is just a matter of time.