Security firm RSA offers to replace SecurID tokens

The SecurID tokens are widely used to grant access to sensitive information

Security firm RSA has offered to replace the SecurID tokens used by its customers to log into company systems and banks.

It follows a hack against the company in March where information related to the tokens was stolen.

RSA has now revealed that some of that information was used during the hack attack on defence firm Lockheed Martin.

It is estimated that there are around 40 million SecurID tokens in circulation around the world.

In an open letter to customers, RSA executive chairman Art Coviello confirmed that "information taken from RSA in March had been used as an element of an attempted broader attack on Lockheed Martin".

Lockheed Martin is one of the world's largest suppliers of weapon systems, fighter jets and warships.

Customer trust

Details of both the original RSA breach and that against Lockheed Martin are sketchy but it appears the thieves had a specific target.

"Certain characteristics of the attack on RSA indicated that the perpetrator's most likely motive was to obtain an element of security information that could be used to target defence secrets and related IP, rather than financial gain, personally identifiable information, or public embarrassment," said Mr Coviello.

As a result of the latest findings, RSA will "replace SecurID tokens for customers with concentrated user bases typically focused on protecting intellectual property and corporate networks," Mr Coviello said.

Neither RSA nor Lockheed Martin has said what part the tokens played in the defence giant's security breach.

But experts believe that hackers who broke into RSA collected key information used to generate the tokens, allowing them to create fake ones which could then be used to attempt a breach of secure networks.

Co-founder of security firm SecurEnvoy and former RSA manager Andy Kemshall thinks that is the most likely scenario.

Seed numbers

"The algorithm used by RSA to generate the numbers is available in the public domain so the only thing that stops a hacker from creating numbers is knowledge of what is called the seed record," he said.

Seed numbers provide the root for those generated by individual tokens.

RSA's SecurID tokens are used by millions of people alongside passwords to beef up security. The BBC is among a range of firms to use such tokens to allow staff remote access to its network.

The tokens provide a second layer of security, generating six-digit numbers for people to use to log on to bank accounts or corporate networks.

New numbers are generated every minute.

"It appears that somebody was generating six digit numbers in the Lockheed Martin breach and the statistical odds of getting the right numbers is one in 10 million so it seems likely that the hackers had knowledge of the seed records," he added.

But firms considering whether to issue new tokens will have to consider the costs involved, warned Mr Kemshall.

"It is a massive undertaking for organisations such as the BBC and even if you change them there is no guarantee that it won't happen again," he said.

BBC © 2014
