Hackers tackle secure ID tokens

SecurID token, RSA The SecurID tokens are widely used to grant access to sensitive information

Related Stories

Hackers have stolen data about the security tokens used by millions of people to protect access to bank accounts and corporate networks.

RSA Security told customers about the "extremely sophisticated cyber attack" in an open letter posted online.

The company is providing "immediate remediation" advice to customers to limit the impact of the theft

It also recommended customers take steps, such as hardening password policies, to help protect themselves.

Proof positive

In the open letter, written by RSA boss Art Coviello, the company said that the data stolen would not help a "direct" attack on the the SecurID tokens.

It did not disclose exactly what had been purloined and only said that the information "specifically related to RSA's SecurID two-factor authentication products".

RSA's SecurID tokens are used by millions of people alongside passwords to beef up security.

As its name suggests, two-factor authentication involves improving security using two methods of identifying a user. The first factor is usually the traditional login ID and password combination.

The second factor can be a SecurID token that is paired with back-end software that generates a new six digit number every minute.

A token paired with this software generates the same numbers so only the holder will be able to type in the right digits and get access.

RSA said the information stolen could reduce the effectiveness of this two-factor authentication system if a company came under a broader attack by malicious hackers.

This could potentially put a lot of people at risk as RSA claims to have millions of people using its security technology to secure online accounts and access to corporate systems.

RSA recommended that firms monitor social network sites to spot if hackers were trying to capitalise on what they now know about RSA's systems.

This could be because hackers have got information about who has which token and might try to exploit that to trick employees into giving them access.

RSA also recommended reminding users about the dangers of responding to suspicious e-mails, to limit who can access critical infrastructure systems and to reinforce all policies surrounding SecurID token use.

There could be "tremendous repercussions" if criminals piggy-backed on what they know to stealthily get at corporate and other critical systems, said Richard Stiennon, chief research analyst at security firm IT-Harvest.

"You'd never have a sign that you've been breached," he said.

More on This Story

Related Stories

The BBC is not responsible for the content of external Internet sites

More Technology stories


Features & Analysis

  • Cartoon of women chatting on the metroChat wagon

    The interesting things you hear in a women-only carriage

  • Replica of a cargo boxSpecial delivery

    The man who posted himself to the other side of the world

  • Music scoreFinal score Watch

    Goodbye to NYC's last classical sheet music shop

  • Former Secretary of State Hillary Rodham Clinton checks her Blackberry from a desk inside a C-17 military plane upon her departure from Malta, in the Mediterranean Sea, bound for Tripoli, Libya'Emailgate'

    Hillary gets a taste of scrutiny that lies ahead

Elsewhere on the BBC

  • Audi R8Best in show

    BBC Autos takes a look at 10 of the most eye-catching new cars at the 2015 Geneva motor show


  • A cyborg cockroachClick Watch

    The cyborg cockroach – why has a computer been attached to this insect’s nervous system?

Try our new site and tell us what you think. Learn more
Take me there

Copyright © 2015 BBC. The BBC is not responsible for the content of external sites. Read more.

This page is best viewed in an up-to-date web browser with style sheets (CSS) enabled. While you will be able to view the content of this page in your current browser, you will not be able to get the full visual experience. Please consider upgrading your browser software or enabling style sheets (CSS) if you are able to do so.