RSA has revealed in an open letter to its customers that its servers were compromised last week by an extremely sophisticated cyber attack and that, as a result, certain information was extracted from RSA’s systems.
RSA goes on to say that some of the stolen information relates to RSA’s SecurID two-factor authentication products and could potentially be used to reduce the effectiveness of SecurID.
RSA’s SecurID two-factor authentication mechanism consists of a “token” (either hardware or software) that generates an authentication code at fixed intervals (usually 30 or 60 seconds) using a built-in clock and the token’s unique factory-encoded seed. To authenticate, a user needs to enter a PIN and the number generated by the token.
Although the details are unclear, it is supposed that the hackers managed to get hold of a list of the seeds assigned to various tokens.
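The clock-plus-seed scheme described above, as an added illustration that is not RSA’s code: the code algorithm here is a TOTP-style stand-in (HMAC-SHA1 over the time step), an assumption for demonstration and not RSA’s proprietary SecurID algorithm. The seed, PIN and timestamps are constructed values. The server side checks both factors together and refuses a code that has already been used.

```python
import hashlib
import hmac

# Assumed parameters (the article says tokens tick every 30 or 60 seconds).
INTERVAL = 60   # seconds per code
DIGITS = 6      # length of the displayed code


def token_code(seed: bytes, now: float, interval: int = INTERVAL) -> str:
    """Code the token would display at time `now` for this seed.
    Anyone holding the seed and a clock can compute this, which is why a
    leaked seed list weakens the scheme; the PIN is the remaining secret."""
    step = int(now) // interval
    mac = hmac.new(seed, step.to_bytes(8, "big"), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                                  # dynamic truncation
    value = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(value % 10 ** DIGITS).zfill(DIGITS)


class Authenticator:
    """Server side: per-user seed and PIN hash, clock-drift window, replay check."""

    def __init__(self, seed: bytes, pin: str, window: int = 1):
        self.seed = seed
        self.pin_hash = hashlib.sha256(pin.encode()).digest()
        self.window = window      # accepted drift, in time steps, either side of now
        self.last_step = -1       # highest time step already consumed by a login

    def verify(self, pin: str, code: str, now: float) -> bool:
        # Always evaluate both factors so a failure does not reveal which one was wrong.
        pin_ok = hmac.compare_digest(hashlib.sha256(pin.encode()).digest(), self.pin_hash)
        step = int(now) // INTERVAL
        matched = None
        for s in range(step - self.window, step + self.window + 1):
            if s > self.last_step and hmac.compare_digest(token_code(self.seed, s * INTERVAL), code):
                matched = s
        if pin_ok and matched is not None:
            self.last_step = matched   # consume the step: the same code cannot be replayed
            return True
        return False
```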
SecurityWeek got in contact with Kenneth Weiss, the original inventor of the SecurID: “The SecurID technology I designed and patented has never been breached in 25 years of use. This unfortunate breach of security at RSA speaks to the quality of their internal security, not the security of the SecurID token. The possession of 40,000,000 random SecurID seeds is meaningless unless a subset can be associated with a particular one of 30,000 worldwide clients and then in turn directly associated with a particular client user. Even if such identification were possible, an attacker would also have to know the particular user’s PIN. This information is not stored on RSA computers.”