RSA to replace all SecurID tokens - or perhaps not

Filed Under: Data loss, Featured, Malware, Privacy, Vulnerability

SecurID tokenThe internet is abuzz with news that beleaguered security company RSA, which suffered a security intrusion and theft of trade secrets back in March, is offering to replace its customers' security tokens.

Security tokens are used in two-factor authentication to add additional strength to conventional password-based logins.

The simplest sort of token generates and displays a sequence of pseudo-random numbers, with a new number appearing every minute or so. You enter this ever-changing number as well as, or instead of, your regular password.

The theory behind time-based token authentication is that only your authentication server and the token itself can reproduce the pseudo-random stream. So, if you don't have possession of the token, you'll never know the password-of-the-minute.

And if a crook should shoulder-surf or keylog your current token number, it'll be worthless next time. That should make you much more secure than relying on a password you use over and over again.

But one concern over RSA's security breach was that some of the trade secrets stolen might allow cybercrooks to work out a token's pseudo-random number sequence. Of course, this would destroy the very foundations of RSA token security.

RSA didn't do itself many favours when it first commented on the breach, playing its cards rather close to its chest and not saying much more about the ongoing security of its tokens than:

"we are confident that the information extracted does not enable a successful direct attack on any of our RSA SecurID customers."

F-22 Raptor jet fighterSadly, RSA's confidence may have been misplaced, with recent attacks on US defence contractors linked with the compromise of RSA token security.

Under this sort of pressure - and perhaps still reluctant to give away too many technical details for fear of making a bad thing worse - RSA has just announced a free replacement plan for users of its tokens.

That's going to be a big job. But is it going to be quite as big as PC World suggests when it says that RSA "will replace [SecurID] tokens for any customer that asks"?

RSA's open letter on the subject isn't quite as clear-cut.

It looks as though RSA will only replace your tokens for free if you are a customer:

"with concentrated user bases typically focused on protecting intellectual property and corporate networks."

Open letter from RSAThose sound rather like weasel-words to me. What is a "concentrated user base"? If you directly protect your own corporate network, are you covered? Or is RSA only offering to cover you indirectly, as the customer-of-a-customer, by helping your reseller?

What if you're a boutique ISP with a webmail service who has taken the extra step of offering selected users two-factor authentication? Is your user base concentrated enough? Are you protecting intellectual property, or just casual chatter?

And if you do swap out your old tokens, will you be given enough information to satisfy yourself that the new tokens don't have the same flaws as the old ones?

What do you think? Take part in our poll - and be thankful you're not working in one of RSA's call centres or help desks right now!

, , , ,

You might like

5 Responses to RSA to replace all SecurID tokens - or perhaps not

  1. Gareth Baker · 1542 days ago

    No doubt the US Government has forced them (RSA) to Fess up on this after the three defence contractors were breached and no doubt they should have already replaced tokens as long as they have a fix in place that prevents compromise. But what does this say for the defence contractors security? their ACE policies should have been beefed up after the compromise to include a complex PIN with a lock out policy of 4 or less attempts to prevent most access attempts. And then there should be adequate protection behind this to secure significant IP. Or are all these companies as weak as each other? Or has the PIN become a defunct requirement and no one is actually saying this out loud?

  2. I think RSA's correct action would be to provide resources to customers to help them confiigure their authentication mechanisms appropriately to minimize the risk associated with any trade secret compromise.

    I agree with Gareth that a solid PIN policy and lock out policy should be enough in most cases. Beyond this, I see the issue with tokens being that the list associating customers with token serial numbers has been leaked, and possibly RSA has used the serial number in the algorithm used to generate the pseudo-random numbers.

    If RSA re-issues tokens, these stolen lists will be useless -- all RSA has to do is exchange tokens between customers to increase security (until the next data breach).

    However, one issue I see in all this is that any customer using a SMALL number of tokens is at most risk, as it is easier to tie the token's serial number to a username, there being fewer usernames in play.

    • Paul Ducklin · 1541 days ago

      The PIN (a secret code you type in along with the "magic number" off your token) does add some safety. In particular, it prevents someone who steals your token from blindly using it to impersonate you.

      But your PIN is the same every time you login, so it provides no greater security than your regular password. Yet the comparative insecurity of multi-use passwords - e.g. that they can easily be shoulder-surfed, keylogged, phished or guessed - is one of the main reasons for going to token-augmented login in the first place.

      That's why I've always preferred the concept of challenge-response tokens to the simple time-based ones - the token has both a keypad and a display. You enter a PIN _on the token itself_ to unlock the token, and a challenge code presented by the login program. Then the token generates the "magic number" for that login.

      This sort of device has the advantage you never enter the PIN on your regular computer or laptop. So you can be shoulder-surfed, but you cannot (easily) be keylogged or phished.

  3. Richard Olearczyk · 1541 days ago

    I'm still waiting for my Bank (WestPac in Australia) to even acknowledge that there is a problem with the RSA tokens they use to secure their business customers accounts. Whilst RSA has obviously briefed them, WestPac's has a "head in the sand" attitude ignoring that there may be a problem for their customers. If a PC was compromised and passwords obtained, the RSA token was the only thing providing security - who will now take liability should a bank account now be emptied?

  4. guest · 1541 days ago

    Those are some smart hackers, what is intriguing is that you would think there would be some difference in the token, if i were RSA I would change the algorithm to be letters because adding numbers will cause massive failures in vpn access. my company only allows 6 characters in that vpn field.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

About the author

Paul Ducklin is a passionate security proselytiser. (That's like an evangelist, but more so!) He lives and breathes computer security, and would be happy for you to do so, too. Paul won the inaugural AusCERT Director's Award for Individual Excellence in Computer Security in 2009. Follow him on Twitter: @duckblog