RSA offers to replace all SecurID tokens after hack attack

@CNNMoneyTech June 8, 2011: 5:43 PM ET
SecurID hack: RSA Security offers customers new tokens

NEW YORK (CNNMoney) -- The ubiquitous totem of many office workers, the SecurID tokens used to access sensitive corporate systems, are under attack.

RSA Security offered this week to replace or monitor all SecurIDs -- an offer several major customers, including Bank of America (BAC, Fortune 500) and SAP (SAP), immediately accepted.

"We have recommended very careful use of tokens while we are finalizing the details of a full replacement with RSA," said Saswato Das, a rep for SAP. "We have been talking to them for months."

A Bank of America spokeswoman said the company is in the process of replacing SecurIDs for all of its employees and the "small number" of clients who use the tokens.

It's the latest twist in a security-breach saga that started in March, when RSA, a division of EMC Corp. (EMC, Fortune 500), disclosed that hackers had broken into its systems and made off with information about its SecurID products.

At the time, RSA assured customers that the information the hackers got would not allow them to break into customers' systems -- but, disconcertingly, the company said the information could be used as part of "a broader attack" to "reduce the effectiveness" of RSA's authentication system.

But late last month, defense contractor Lockheed Martin (LMT, Fortune 500) disclosed a "significant and tenacious" cyber attack on its IT systems. RSA said Monday that information obtained from RSA in the March hacking was used in the Lockheed Martin attack.

That prompted RSA's offer to replace all of its customers' SecurID tokens.

"We recognize that the increasing frequency and sophistication of cyber attacks generally, and the recent announcements by Lockheed Martin, may reduce some customers' overall risk tolerance," the company wrote in a letter posted on its website.

A 'very serious' attack

SecurID tokens use a "two-factor" authentication method, meaning they require two separate, unique bits of secret data for a successful login. In addition to their username, users must enter a password or PIN that they have memorized, plus the six-digit number currently displayed on their SecurID. The tokens display a new number every 60 seconds.
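To make the two-factor mechanism described above concrete, the following is an added example, not code from the article and not RSA's proprietary SecurID algorithm: it uses the public time-based one-time-password construction (RFC 6238, HMAC-SHA1) with a 60-second step, and models a minimal server that checks the memorised PIN together with the six-digit code. The user name, PIN, seed value and the `AuthServer` class are all constructed for illustration. The point it shows is that the server never sees the token; it recomputes the code from a secret seed it shares with the token, so the seed is the asset whose confidentiality the whole second factor depends on.

```python
import hashlib
import hmac
import struct
import time

STEP_SECONDS = 60   # the article: a new number every 60 seconds
DIGITS = 6          # the article: a six-digit code


def time_step(unix_time: float) -> int:
    """Map a wall-clock time to the 60-second window it falls in."""
    return int(unix_time) // STEP_SECONDS


def otp_from_seed(seed: bytes, step: int) -> str:
    """Derive the six-digit code for one time window.

    Assumption: this is the RFC 6238 TOTP construction (HMAC-SHA1, dynamic
    truncation), used here for illustration; SecurID uses a different,
    proprietary algorithm. Token and server both run this over the same seed.
    """
    msg = struct.pack(">Q", step)
    digest = hmac.new(seed, msg, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** DIGITS)).zfill(DIGITS)


class AuthServer:
    """Constructed server side of the scheme: per user it stores the memorised
    PIN (first factor) and the token seed (second factor's shared secret)."""

    def __init__(self):
        self._users = {}            # username -> (pin, seed)
        self._last_step_used = {}   # username -> last time step accepted

    def enroll(self, username: str, pin: str, seed: bytes) -> None:
        self._users[username] = (pin, seed)

    def verify(self, username: str, passcode: str, now: float,
               drift_steps: int = 1) -> bool:
        """passcode is the PIN followed by the digits on the token display.

        drift_steps widens the check to neighbouring windows so that token and
        server clocks may disagree by a little; a code is accepted at most once.
        """
        if username not in self._users:
            return False
        pin, seed = self._users[username]
        if len(passcode) != len(pin) + DIGITS or not passcode.startswith(pin):
            return False
        entered_code = passcode[len(pin):]
        current = time_step(now)
        for step in range(current - drift_steps, current + drift_steps + 1):
            if hmac.compare_digest(entered_code, otp_from_seed(seed, step)):
                # Reject a code for a window already used (replay protection).
                if self._last_step_used.get(username, -1) >= step:
                    return False
                self._last_step_used[username] = step
                return True
        return False


if __name__ == "__main__":
    # Constructed enrolment: the seed and PIN are made-up sample values.
    server = AuthServer()
    seed = b"constructed-example-seed"
    server.enroll("alice", "4821", seed)
    now = time.time()
    code = otp_from_seed(seed, time_step(now))
    print("correct PIN + current code:", server.verify("alice", "4821" + code, now))
    print("same code entered again:   ", server.verify("alice", "4821" + code, now))
    print("correct code, wrong PIN:   ", server.verify("alice", "0000" + code, now))
```

The server accepts a login only when both factors check out, and only once per time window, which is why a stolen PIN alone, or an overheard code alone, does not get an attacker in. What the example also makes visible is that a copy of the seed lets anyone run `otp_from_seed` exactly as the server does, which is the reason the article's sources argue that affected tokens should be replaced rather than merely used with more care.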

"This is a very serious hack," said Josh Daymont, principal at Securisea. "It's not known exactly what was compromised, but SecurIDs control a significant portion of access [for corporate America]. It's not just Lockheed that should be concerned."

A Reuters report said the Lockheed attack was carried out with duplicate SecurID tokens. A rep for RSA said Wednesday that is "merely speculation," but she declined to elaborate.

In its letter this week, RSA said the Lockheed attack "does not reflect a new threat or vulnerability" in SecurID. The company also said Lockheed's breach is "the only confirmed use to date of the extracted RSA product information."

That may be cold comfort to RSA's 25,000 global customers who use SecurID, many of whom are big names in corporate America. The company's site revealed that as of 2009, more than 40 million people used SecurID worldwide.

The RSA rep said the company no longer reveals how many people use SecurID.

Daymont, the Securisea expert, said he was concerned that not all of RSA's customers will take the company up on its offer.

"Absolutely everyone needs to have their tokens replaced, no question," Daymont said. "In the long run, the threat is not to RSA -- it's to the SecurID customers. They need to do all they can to minimize the damage."