X

RSA to replace SecurID tokens following breaches

Amid a wave of cyberattack against Lockheed and other companies, the SecurID maker is offering to replace the tokens for customers concerned about risk to their networks and data.

Lance Whitney Contributing Writer
Lance Whitney is a freelance technology writer and trainer and a former IT professional. He's written for Time, CNET, PCMag, and several other publications. He's the author of two tech books--one on Windows and another on LinkedIn.
Lance Whitney
2 min read

RSA open letter re SecurID tokens
RSA

Following recent cyberattacks against several defense contractors, in which hackers breached security using stolen SecurID keys, SecurID maker RSA is promising to replace the tokens for customers concerned about the vulnerabilty of their network data.

In an open letter to all SecurID customers, RSA Executive Chairman Art Coviello acknowledged that the likely motive behind the March theft of SecurID token information was to obtain defense secrets and related intellectual property. RSA specifically warned customers at the time that the theft could breach their security.

In late May, defense contractor Lockheed Martin revealed that it had been attacked by intruders who had created duplicates of the stolen SecurID keys. Incidents also occurred at L-3 Communications and Northrop Grumman. Security experts have told CNET that the attacks could be tied to cyberespionage campaigns waged from China.

Related links
China linked to new breaches tied to RSA
Lockheed Martin confirms it came under attack
What the RSA breach means for you (FAQ)

A SecurID token generates a constantly changing series of numbers that employees of a company can use in combination with their own passwords to access their corporate networks.

Though unrelated to the SecurID incident, a wave of cyberattacks have recently hit other companies, including Epsilon, Sony, Google, PBS, and Nintendo, which Coviello said "point to a changing threat landscape and have heightened public awareness and customer concern."

In an effort to calm customers worried about their own security, Coviello said that although he remains confident in SecurID as an authentication system, RSA will expand its security efforts in two key ways:

• It will replace the SecurID tokens for customers that need to protect their intellectual property and corporate networks, which in essence could apply to all of the company's customers.

• It is offering to set up specific "risk-based authentication strategies" for customers with a large number of users who typically conduct online financial transations.

Coviello is promising to work with customers to review their risk levels and user base to determine which option would be most effective and yet the least disruptive to their operations.

Beyond these measures, Coviello said that the company plans to continue to invest in its SecurID technology in an attempt to strengthen its authentication and its ability to detect "suspicious behavior targeted at networks, transactions and user sessions."