Security firm RSA offers to replace SecurID tokens

SecurID token, RSA
Image caption The SecurID tokens are widely used to grant access to sensitive information

Security firm RSA has offered to replace the SecurID tokens used by its customers to log into company systems and banks.

It follows a hack against the company in March where information related to the tokens was stolen.

RSA has now revealed that some of that information was used during the hack attack on defence firm Lockheed Martin.

It is estimated that there are around 40 million SecurID tokens in circulation around the world.

In an open letter to customers, RSA executive chairman Art Coviello confirmed that "information taken from RSA in March had been used as an element of an attempted broader attack on Lockheed Martin".

Lockheed Martin is one of the world's largest suppliers of weapon systems, fighter jets and warships.

Customer trust

Details of both the original RSA breach and that against Lockheed Martin are sketchy but it appears the thieves had a specific target.

"Certain characteristics of the attack on RSA indicated that the perpetrator's most likely motive was to obtain an element of security information that could be used to target defence secrets and related IP, rather than financial gain, personally identifiable information, or public embarrassment," said Mr Coviello.

As a result of the latest findings, RSA will "replace SecurID tokens for customers with concentrated user bases typically focused on protecting intellectual property and corporate networks," Mr Coviello said.

Neither RSA nor Lockheed Martin have said what part the tokens played in the defence giant's security breach.

But experts believe that hackers who broke into RSA collected key information used to generate the tokens, allowing them to create fake ones which could then be used to attempt a breach of secure networks.

Co-founder of security firm SecurEnvoy and former RSA manager Andy Kemshall thinks that is the most likely scenario.

Seed numbers

"The algorithm used by RSA to generate the numbers is available in the public domain so the only thing that stops a hacker from creating numbers is knowledge of what is called the seed record," he said.

Seed numbers provide the root for those generated by individual tokens.

RSA's SecurID tokens are used by millions of people alongside passwords to beef up security. The BBC is among a range of firms to use such tokens to allow staff remote access to its network.

The tokens provide a second layer of security, generating six digit numbers for people to use to log on to bank accounts or corporate networks.

New numbers are generated every minute.

"It appears that somebody was generating six digit numbers in the Lockheed Martin breach and the statistical odds of getting the right numbers is one in 10 million so it seems likely that the hackers had knowledge of the seed records," he added.

But firms considering whether to issue new tokens will have to consider the costs involved, warned Mr Kemshall.

"It is a massive undertaking for organisations such as the BBC and even if you change them there is no guarantee that it won't happen again," he said.

More on this story

Related Internet links

The BBC is not responsible for the content of external Internet sites