RSA replaces SecurID tokens after hack
The theft of information pertaining to the security of RSA's SecurID two-factor authentication system has had greater consequences than the company initially wanted to admit. Nearly 3 months after the attack, RSA has begun replacing some of the 40 million hardware tokens, as announced by RSA chairman Arthur W. Coviello in an open letter. Customers who are worried about the security of the tokens will have to request replacement tokens.
Shortly after the attack, RSA warned that the break-ins could affect the system's security but could not be used for a direct attack. When contacted by The H's associates at heise Security, RSA did not wish to say exactly what data had been stolen. Coviello has now told ars technica that RSA did not wish to admit the full extent of the disaster at the time lest they reveal to the hackers what could be done with the stolen data.
The shipment of new tokens suggests that all of the seeds and algorithms needed to calculate one-time passwords (OTPs) were stolen in the attack. The new tokens most probably simply use seeds that the criminals do not have.
Coviello assumes that the criminals intended to steal SecurID data to get access to military secrets. RSA has therefore already replaced tokens used by governmental authorities and armament firms. He also confirmed that the information stolen was used in the attack on US defence technology manufacturer Lockheed Martin.