I am still seeing and hearing a fair amount of tweets and speculation about the RSA breach announced by Art Coviello, Executive Chairman of RSA.
There seem to be a lot of people worried about this particular breach, stating that the RSA SecurID tokens have become "useless" or advocating that you request that RSA replace every one.
There are also reports that some companies are trying to cash in on the breach.
Here are my thoughts on this. These tokens and cards are used for "two-factor" authentication.
Two-factor authentication (TFA or 2FA) means using two independent means of evidence to assert an entity's identity to another entity. Two-factor authentication is commonly found in electronic computer authentication, where basic authentication is the process of a requesting entity presenting some evidence of its identity to a second entity. Two-factor authentication seeks to decrease the probability that the requestor is presenting false evidence of its identity. The number of factors is important because it implies a higher probability that the bearer of the identity evidence indeed holds that identity in another realm (i.e. computer system vs. real life). In reality there are more variables to consider when establishing the relative assurance of truthfulness in an identity assertion than simply how many "factors" are used.
So for SecurID tokens, in order to authenticate against an ACS or ACE server you need at least two things, and in most cases three: the username of the target account, the PIN code (usually a 4 to 8 digit code prepended to the "passcode"), and the one-time-use code generated by the token.
And this is exactly how I read the following statement from RSA:
While at this time we are confident that the information extracted does not enable a successful direct attack on any of our RSA SecurID customers, this information could potentially be used to reduce the effectiveness of a current two-factor authentication implementation as part of a broader attack.
The breach does not allow any direct attack against an RSA SecurID authentication scheme installation.
So, the things to watch out for are targeted spear-phishing style attacks and sites requesting the serial number of your token. If you manage a SecurID installation, watch out for repeat lockouts from unexpected locations.
Educate your user base about keeping their PIN codes secure and unguessable. Basically the same rules they would have for their ATM card (although don't use the same numbers). And tell them how and where to reset their tokens when they are put into Next Token Mode.
Other than these things, this is not a huge deal for your SecurID implementation.
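To make the "repeat lockouts from unexpected locations" advice concrete, here is an added example (my own illustration, not code from RSA or from this post) that scans authentication events for exactly that pattern. The log layout, the result names, the expected address prefixes and the sample lines are all constructed for the example; a real ACE/ACS server log will need its own parser.

```python
import re
from collections import defaultdict

# Constructed sample lines for this example; NOT the real RSA ACE/ACS log format.
# Assumed layout: "<timestamp> user=<name> src=<ip> result=<PASSCODE_OK|PASSCODE_BAD|LOCKOUT|NEXT_TOKEN_MODE>"
SAMPLE_LOG = """\
2011-03-27T08:01:10 user=alice src=10.1.2.30 result=PASSCODE_OK
2011-03-27T08:05:42 user=bob src=10.1.2.31 result=PASSCODE_BAD
2011-03-27T08:06:01 user=bob src=10.1.2.31 result=PASSCODE_OK
2011-03-27T23:14:05 user=alice src=203.0.113.77 result=PASSCODE_BAD
2011-03-27T23:14:20 user=alice src=203.0.113.77 result=PASSCODE_BAD
2011-03-27T23:14:41 user=alice src=203.0.113.77 result=PASSCODE_BAD
2011-03-27T23:14:55 user=alice src=203.0.113.77 result=LOCKOUT
2011-03-27T23:30:02 user=alice src=203.0.113.77 result=NEXT_TOKEN_MODE
"""

# Assumption: the organisation expects its users to come from these address prefixes.
EXPECTED_PREFIXES = ("10.",)
LINE_RE = re.compile(r"^(?P<ts>\S+) user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>\S+)$")

def parse_log(text):
    # One dict per well-formed line; malformed lines are skipped rather than crashing the scan.
    return [m.groupdict() for m in map(LINE_RE.match, text.splitlines()) if m]

def is_expected(src):
    # Crude prefix check; a production version would use proper network ranges.
    return src.startswith(EXPECTED_PREFIXES)

def find_suspicious(events, bad_threshold=3):
    """Return {user: [reasons]} for accounts showing the pattern the post warns about:
    repeated bad passcodes, a lockout, or Next Token Mode from an unexpected address.
    Events from expected addresses are ignored so ordinary typos do not raise alerts."""
    bad_by_user_src = defaultdict(int)
    findings = defaultdict(list)
    for e in events:
        if is_expected(e["src"]):
            continue
        key = (e["user"], e["src"])
        if e["result"] == "PASSCODE_BAD":
            bad_by_user_src[key] += 1
            if bad_by_user_src[key] == bad_threshold:  # report once, when the threshold is hit
                findings[e["user"]].append(f"{bad_threshold} bad passcodes from {e['src']}")
        elif e["result"] in ("LOCKOUT", "NEXT_TOKEN_MODE"):
            findings[e["user"]].append(f"{e['result']} from {e['src']}")
    return dict(findings)

if __name__ == "__main__":
    for user, reasons in find_suspicious(parse_log(SAMPLE_LOG)).items():
        print(user, "->", "; ".join(reasons))
```

Run against the sample, only alice is reported: three bad passcodes, a lockout, and a Next Token Mode event, all from the unexpected 203.0.113.77 address, while bob's single typo from an internal address is ignored.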
So this leads back to my post the other day regarding their other security products that are supposed to protect their customers from these types of attacks. Where were these products on their own network?
And what is up with the lack of information coming from RSA regarding this breach? It's been 10 days since the open letter and there is a lot of speculation, but nothing from RSA directly.