Say Goodbye To RSA’s Fobs

Written by Frank Hayes
March 23rd, 2011

RSA will have to replace all its SecurID fobs in the wake of the security breach the company announced on March 17. Why? Because no one at RSA knows exactly what the thieves took.

Did the crooks grab source code that spells out SecurID’s secret hashing algorithm? You have to assume so. Did they get data on the seeds, the per-fob secrets that the algorithm combines with the current time to produce each six-digit code? Again, you have to assume so. A thief with the algorithm, the seed data and enough computing horsepower can then generate the codes for any particular SecurID fob, which is as good as holding a duplicate of it. And that’s enough to require replacing all SecurID fobs and starting over with new seeds.

But instead of trying to shore up the popular but aging SecurID system, there’s a better way for RSA to go: It could just publish the hashing algorithms and convert its SecurID users to mobile devices that could be updated (re-seeded) on the fly at any time. With the algorithm public, the system’s security would rest entirely on the secrecy of the seeds, which is where it belongs anyway. And with seeds that can be replaced remotely, a stolen seed database stops being a crisis and becomes a routine re-provisioning job. That would eliminate the advantage gained by the thieves who stole RSA’s secrets, while making things more secure for SecurID users.
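To make the two points above concrete (a thief with the algorithm and the seed can reproduce any fob’s codes; a re-seedable token makes the stolen seed worthless), here is an added example that is not RSA’s code and does not use SecurID’s secret algorithm. It stands in a published, RFC 6238-style construction (HMAC-SHA1 over a 60-second time step) for whatever SecurID actually does, and the Fob and AuthServer classes, the serial number, the sample seed and the timestamp are all constructed for illustration.

```python
import hashlib
import hmac
import secrets
import struct

# Assumption: a published time-based OTP in the style of RFC 6238 (HMAC-SHA1 over
# the current time step). This is NOT SecurID's proprietary algorithm; it stands in
# for any token whose code is a public function of (secret seed, current time).
STEP_SECONDS = 60  # SecurID fobs roll their code every 60 s


def token_code(seed: bytes, unix_time: int, digits: int = 6,
               step: int = STEP_SECONDS) -> str:
    """Code shown by a token holding `seed` at `unix_time` (RFC 4226 truncation)."""
    counter = struct.pack(">Q", unix_time // step)
    digest = hmac.new(seed, counter, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    binary = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


class Fob:
    """Hypothetical token: holds one seed and shows one code per time step."""

    def __init__(self, serial: str, seed: bytes):
        self.serial = serial
        self.seed = seed

    def display(self, unix_time: int) -> str:
        return token_code(self.seed, unix_time)


class AuthServer:
    """Hypothetical server side: the seed database (serial -> seed) and verifier."""

    def __init__(self):
        self.seeds = {}

    def provision(self, serial: str, seed: bytes) -> None:
        self.seeds[serial] = seed

    def reseed(self, serial: str) -> bytes:
        """Issue a fresh random seed; the old one (and any stolen copy) is now dead."""
        new_seed = secrets.token_bytes(20)
        self.seeds[serial] = new_seed
        return new_seed

    def verify(self, serial: str, code: str, unix_time: int,
               skew_steps: int = 1) -> bool:
        """Accept the code for the current step or one step either side (clock drift)."""
        seed = self.seeds.get(serial)
        if seed is None:
            return False
        for k in range(-skew_steps, skew_steps + 1):
            expected = token_code(seed, unix_time + k * STEP_SECONDS)
            if hmac.compare_digest(expected, code):
                return True
        return False


def demo():
    """Returns (legit_ok, clone_ok, clone_after_reseed_ok, fob_after_reseed_ok)."""
    server = AuthServer()
    # Constructed sample seed (the ASCII bytes "12345678901234567890", the RFC 6238
    # test key), and a fixed timestamp so the run is reproducible.
    seed = bytes.fromhex("3132333435363738393031323334353637383930")
    fob = Fob("000123456789", seed)
    server.provision(fob.serial, seed)
    now = 1_300_000_000

    legit = server.verify(fob.serial, fob.display(now), now)

    # A thief who exfiltrated the seed database and knows the algorithm needs no
    # hardware at all: the same function on the same seed yields the same code.
    stolen_seed = seed
    clone = server.verify(fob.serial, token_code(stolen_seed, now), now)

    # Remediation on a re-seedable token: server mints a new seed and pushes it.
    fob.seed = server.reseed(fob.serial)
    clone_after = server.verify(fob.serial, token_code(stolen_seed, now), now)
    fob_after = server.verify(fob.serial, fob.display(now), now)
    return legit, clone, clone_after, fob_after


if __name__ == "__main__":
    print(demo())
```

Nothing in the thief’s path depends on the algorithm being secret; once the seed is known, the code is a deterministic function of the clock. That is why the fix is new seeds, not a new secret algorithm, and why a token that can take a new seed turns a breach into a re-provisioning exercise.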

Right now, how secure those users are is debatable. RSA Executive Chairman Art Coviello announced that the break-in had been discovered, saying in an open letter to customers only that some of the information grabbed by the thieves “is specifically related to RSA’s SecurID two-factor authentication products.

“While at this time we are confident that the information extracted does not enable a successful direct attack on any of our RSA SecurID customers, this information could potentially be used to reduce the effectiveness of a current two-factor authentication implementation as part of a broader attack,” Coviello wrote. In plain English: As long as your users still have good passwords, the bad guys can’t get into your systems with the stolen information alone; it only helps them as one piece of a broader attack. By itself, though, SecurID is toast.

That’s not pleasant to hear, especially for retailers that may be using SecurID to help lock down customer data that falls under PCI. But RSA is being realistic in expecting the worst. And there’s every reason to believe RSA will do the responsible thing and swap out existing SecurID hardware and issue new software.

That’s a start. But no company is immune from cyber attack, and it’s a small miracle that SecurID wasn’t compromised years ago. After all, SecurID started picking up momentum in 1996; it’s 15-year-old technology. Back then, even a thief who had stolen both the secret hashing algorithm and the seed data would have needed a huge amount of compute power to make real use of the stolen goods.

A decade and a half later, it’s a different story.


One Comment

  1. A Reader Says:

    Regarding the suggestion that fobs be updateable (or worse, be replaced by an app in a smartphone), you’re missing the greater security issue of trust that a sealed system provides.

    If the secret seed can be replaced, then it can be replaced by a bad guy who knows what sequences his replacement seed will produce. If you have an extra-secret tamperproof key that protects the ability to inject a new seed, then that’s exactly as “trustworthy” as the seed itself needs to be, and the replacement process is simply an extra cost burden (plus a risk).

    A smartphone app is much, much worse. How do you know you’re looking at the real RSA Token App? You might be looking at Bill’s Malware Trojan RSA App, or your real app might be infected with Brad’s RSA App-Sniffer App. An end user has no way of knowing if his phone is compromised.

    A sealed tamperproof hard token, with only human readable air-gap access to its data, is still one of the most trustworthy designs available to put in the hands of the general population.

