Jun 07
RSA to replace SecurID tokens
…
Against this backdrop of increasingly frequent attacks, on Thursday, June 2, 2011, we were able to confirm that information taken from RSA in March had been used as an element of an attempted broader attack on Lockheed Martin, a major U.S. government defense contractor. Lockheed Martin has stated that this attack was thwarted.
…
As a result, we are expanding our security remediation program to reinforce customers’ trust in RSA SecurID tokens and in their overall security posture. This program will continue to include the best practices we first detailed to customers in March, and will further expand two offers we feel will help assure our customers’ confidence:
- An offer to replace SecurID tokens for customers with concentrated user bases typically focused on protecting intellectual property and corporate networks.
- An offer to implement risk-based authentication strategies for consumer-focused customers with a large, dispersed user base, typically focused on protecting web-based financial transactions.
…»
Open Letter to RSA SecurID Customers.
Via arstechnica.
September 17th, 2012 at 2:05 pm
The PIN (a secret code you type in along with the «magic number» off your token) does add some safety. In particular, it prevents someone who steals your token from blindly using it to impersonate you. But your PIN is the same every time you login, so it provides no greater security than your regular password. Yet the comparative insecurity of multi-use passwords – e.g. that they can easily be shoulder-surfed, keylogged, phished or guessed – is one of the main reasons for going to token-augmented login in the first place. That’s why I’ve always preferred the concept of challenge-response tokens to the simple time-based ones – the token has both a keypad and a display. You enter a PIN _on the token itself_ to unlock the token, and a challenge code presented by the login program. Then the token generates the «magic number» for that login. This sort of device has the advantage you never enter the PIN on your regular computer or laptop. So you can be shoulder-surfed, but you cannot (easily) be keylogged or phished.
September 17th, 2012 at 2:14 pm
I think RSA’s correct action would be to provide resources to customers to help them configure their authentication mechanisms appropriately to minimize the risk associated with any trade secret compromise. I agree with Gareth that a solid PIN policy and lock out policy should be enough in most cases. Beyond this, I see the issue with tokens being that the list associating customers with token serial numbers has been leaked, and possibly RSA has used the serial number in the algorithm used to generate the pseudo-random numbers. If RSA re-issues tokens, these stolen lists will be useless — all RSA has to do is exchange tokens between customers to increase security (until the next data breach). However, one issue I see in all this is that any customer using a SMALL number of tokens is at most risk, as it is easier to tie the token’s serial number to a username, there being fewer usernames in play.