RSA, a subsidiary of EMC and one of the leading suppliers of cryptographic solutions including SecurID, has been hacked. The actual date and time are unclear, but it was around 17 March 2011. An official report from RSA to the US Securities and Exchange Commission (SEC) can be read here.
At the time of writing, RSA are being very cagey about their communication into the public domain. Some commentators fear the issue is worse than RSA are letting on. The information released so far by RSA confirms there was an issue, but then lists the basic security safeguards that clients should have in place anyway. This is leading people to speculate that sensitive information has been stolen – if that is the case, it can weaken the effectiveness of the SecurID token.
Background
- Typically, Internet-based systems such as Internet banking use RSA’s SecurID as one of several layers of security.
- With SecurID, the client/user has their own (personal) PIN that they use in conjunction with the auto-generated number on the SecurID token.
- If, as some are speculating, SecurID token serial numbers and seeds have been stolen, it would mean that a hacker could potentially simulate a client’s SecurID token without having the physical token in their possession. Therefore the hacker would only need to obtain the user’s PIN in order to gain access.
- RSA have an estimated 40 million SecurID customers.
What should you do now?
- Firstly, don’t panic.
- If a client/user of a SecurID device calls and wants their token PIN reset, make sure you can positively identify them.
- Keep a log of all calls and PIN changes.
- Make sure there is a written procedure in place that describes how you positively identify someone and how you reset their PIN.
- Make sure that all staff follow the procedure!
- Monitor your network and your SecurID infrastructure. Look for unusual patterns in usage and traffic.
- Monitor your SecurID infrastructure and produce reports to show failed authorisation attempts, SecurID token lockouts and activity out of usual hours.
- Ensure your client/user records and SecurID records are kept secure.
- Ensure you don’t send SecurID tokens to clients/users in an active state.
- Do not use the SecurID feature to allow a PIN to be auto-reset after a number of failed attempts.
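The monitoring and reporting items above (failed authorisation attempts, token lockouts, out-of-hours activity, and PIN resets) are easiest to act on when they come out of a routine report. The script below is an added example and is not code from the original post or from RSA; it assumes a constructed, simplified log format (timestamp, user, event, source address) rather than the real RSA Authentication Manager log format, and the business-hours window and failure threshold are assumptions to adjust for your own environment.

```python
from collections import Counter
from datetime import datetime

# Constructed sample log lines (not real RSA Authentication Manager output).
# Format assumed here: date time user event source_address
SAMPLE_LOG = """\
2011-03-21 08:02:11 alice AUTH_OK 10.1.1.5
2011-03-21 08:05:40 bob AUTH_FAIL 10.1.1.9
2011-03-21 08:05:52 bob AUTH_FAIL 10.1.1.9
2011-03-21 08:06:03 bob AUTH_FAIL 10.1.1.9
2011-03-21 08:06:15 bob AUTH_FAIL 10.1.1.9
2011-03-21 08:06:20 bob TOKEN_LOCKOUT 10.1.1.9
2011-03-21 23:41:07 carol AUTH_OK 203.0.113.7
2011-03-22 03:12:55 dave PIN_RESET 10.1.1.20
"""

BUSINESS_HOURS = range(8, 19)  # assumption: 08:00-18:59 is usual activity
FAIL_THRESHOLD = 3             # assumption: report a user at 3 or more failures


def parse_log(text):
    """Turn the constructed log text into a list of event records."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        date, time, user, event, src = line.split()
        records.append({
            "ts": datetime.strptime(f"{date} {time}", "%Y-%m-%d %H:%M:%S"),
            "user": user, "event": event, "src": src,
        })
    return records


def build_report(records):
    """Summarise the three things the post asks operators to report on."""
    failures = Counter(r["user"] for r in records if r["event"] == "AUTH_FAIL")
    lockouts = [r["user"] for r in records if r["event"] == "TOKEN_LOCKOUT"]
    # Any event outside business hours is worth a look; a PIN_RESET at 03:12
    # is exactly the kind of entry the call log above should corroborate.
    out_of_hours = [(r["user"], r["event"], r["ts"].strftime("%Y-%m-%d %H:%M"))
                    for r in records if r["ts"].hour not in BUSINESS_HOURS]
    return {
        "repeated_failures": {u: n for u, n in failures.items() if n >= FAIL_THRESHOLD},
        "lockouts": lockouts,
        "out_of_hours": out_of_hours,
    }


if __name__ == "__main__":
    for section, items in build_report(parse_log(SAMPLE_LOG)).items():
        print(f"{section}: {items}")
```

Each out-of-hours PIN reset in the report should match an entry in the written call log; one that does not is the first thing to investigate.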
Positively identifying someone on the telephone
- Call the client/user back on a pre-agreed telephone number.
- Set up specific secret phrases or key challenge/responses between you (the provider) and your client/user. These could be set questions/answers or questions about recent account activity.
- Do not accept an email request – emails are very easily spoofed to look as if they have been sent from someone else.
- Do not rely on the sound of the caller’s voice.
What do I do if my SecurID service is provided for me?
- Firstly, ask your provider why they haven’t already advised you of the potential risk to your business!
- Ask them what monitoring they are performing on SecurID usage and unusual activity. Ask for copies of these reports so that you can evidence them.
- Ask your supplier to keep you informed of any developments.
What should I tell my client/user?
- Remind them of the importance of not divulging their PIN.
- Supply written instructions on what to do if they lose their SecurID token and/or PIN.
- Remind them of the importance of not divulging personal information on social media sites such as Facebook.
- Reassure them that your systems have not been compromised and that their data is safe.
Resources for CIO and COO Professionals
Remember to bookmark the following:
- CIOCOO.com
- add CIOCOO.com/feed/rss/ to your RSS feed
- and follow twitter.com/timbullock/ on Twitter
For copyright details, refer to http://ciocoo.com/legal/copyright/
For terms of use, refer to http://ciocoo.com/legal/terms-of-use/
© Copyright Tim Bullock 2010

