Mark Diodati, an analyst at the research firm Gartner Inc., said RSA has suffered a severe blow to its reputation. “It’s going to be permanent,” he said. But while the attack may have compromised millions of SecurID devices, he added, RSA’s underlying technology probably remains secure.
About 30,000 banks, corporations, and government agencies worldwide use the SecurID system to prevent unauthorized access to their data networks.
SecurID requires a user to enter two passwords to gain access to a network. The first password is memorized by the user. The second is a set of random numbers that appears either on a SecurID token or in a piece of software running on that user’s computer or smartphone.
The number displayed on the token, which changes every minute, is based on a unique digital “seed” assigned to each token.
RSA won’t say what information was stolen by hackers, but if they stole the seed numbers for individual devices, they could calculate the displayed numbers and use them to break into customer networks.
A successful seed theft may have compromised vast numbers of SecurID tokens worldwide. RSA says that beyond the 40 million token devices, another 250 million people use the software-only version.
RSA executive chairman Art Coviello revealed the original breach in March, saying that it could help criminals attack networks that use SecurID.
Coviello said the company would work with its customers to shore up their defenses against such attacks.
Coviello last night issued an open letter to customers, saying that the attack appeared to be part of an aggressive campaign to steal military secrets. “The perpetrator’s most likely motive was to obtain an element of security information that could be used to target defense secrets,” Coviello said.