In an open letter to RSA customers, executive chairman Art Coviello said that a sophisticated “advanced persistent threat” attack had extracted information related to RSA’s SecurID two-factor authentication products.
“While at this time we are confident that the information extracted does not enable a successful direct attack on any of our RSA SecurID customers, this information could potentially be used to reduce the effectiveness of a current two-factor authentication implementation as part of a broader attack”, Coviello said.
Coviello said that RSA did not believe that customer or personally identifiable information was compromised by the attack. RSA provided no additional information on what part of the SecurID product had been breached.
Kemshall, whose company provides a tokenless two-factor authentication product, is concerned that the attackers gained access to the SecurID seed record database.
“What RSA customers don’t know is whether the data includes seed record information. Each token sent out by RSA has an associated secret key called a seed record. If that information is compromised, then it is possible for a hacker using such tools as Cain and Abel to recreate exactly the same number as the end user token has. The strength of the two-factor authentication requires that the seed record be maintained in secret”, Kemshall told Infosecurity.
“So customers are very nervous right now. They cannot have confirmed or denied [by RSA] whether or not their seed records and therefore their tokens have been compromised”, Kemshall said.
Asked whether the seed record database had been compromised, an RSA spokesman declined to comment further on the breach.
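What Kemshall's concern means in practice, as an added illustration that is not part of this article and is not RSA's code: a one-time-password token is deterministic, so whoever holds the seed record computes exactly the codes the token displays, and the "second factor" collapses to the PIN. SecurID's own algorithm is proprietary and is not modelled here; the example uses the openly specified HMAC-SHA1 TOTP scheme (RFC 6238, which shares the property at issue), and the token serial, seed values, PIN and 60-second time step are constructed assumptions. It also shows the check a practitioner would want, that a re-issued seed makes the stolen copy useless.

```python
"""Constructed illustration of why a leaked seed record breaks a token.

Added example, not RSA's implementation: the token is modelled with
HMAC-SHA1 TOTP (RFC 6238) because the property under discussion, that
the seed alone determines the codes, is the same. The serial, seeds and
PIN below are made up for the example.
"""
import hashlib
import hmac
import struct

STEP_SECONDS = 60  # assumed token time step


def hotp(seed: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the counter, dynamically truncated."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = ((mac[offset] & 0x7F) << 24 | mac[offset + 1] << 16
              | mac[offset + 2] << 8 | mac[offset + 3])
    return f"{binary % 10 ** digits:0{digits}d}"


def totp(seed: bytes, unix_time: int, step: int = STEP_SECONDS,
         digits: int = 6) -> str:
    """Time-based code: the HOTP counter is the current time step."""
    return hotp(seed, unix_time // step, digits)


class AuthServer:
    """Holds the seed record for every issued token plus the user's PIN."""

    def __init__(self):
        self.seeds = {}  # token serial -> seed record (the secret at issue)
        self.pins = {}   # token serial -> PIN (the 'something you know')

    def enrol(self, serial: str, seed: bytes, pin: str) -> None:
        self.seeds[serial] = seed
        self.pins[serial] = pin

    def reseed(self, serial: str, new_seed: bytes) -> None:
        """Response to a suspected seed compromise: issue a fresh seed."""
        self.seeds[serial] = new_seed

    def verify(self, serial: str, pin: str, code: str, now: int,
               window: int = 1) -> bool:
        """Accept if the PIN matches and the code matches a step in the window."""
        seed = self.seeds.get(serial)
        if seed is None or not hmac.compare_digest(self.pins[serial], pin):
            return False
        return any(hmac.compare_digest(totp(seed, now + d * STEP_SECONDS), code)
                   for d in range(-window, window + 1))


def breach_scenario(now: int = 1_300_000_000) -> dict:
    """Walk through a seed-database theft and report what the verifier accepts."""
    server = AuthServer()
    serial, pin = "000123456789", "4821"            # constructed values
    seed = bytes.fromhex("0f1e2d3c4b5a69788796a5b4c3d2e1f0")  # constructed
    server.enrol(serial, seed, pin)

    user_code = totp(seed, now)                      # what the token displays
    stolen_db = dict(server.seeds)                   # attacker exfiltrates the seed DB
    attacker_code = totp(stolen_db[serial], now)     # recomputed from the stolen seed
    no_seed_code = totp(b"attacker-has-no-seed", now)  # guess without the seed

    result = {
        "attacker_reproduces_code": attacker_code == user_code,
        "attacker_with_seed_and_pin": server.verify(serial, pin, attacker_code, now),
        "attacker_with_seed_only": server.verify(serial, "0000", attacker_code, now),
        "attacker_without_seed": server.verify(serial, pin, no_seed_code, now),
    }
    # Remediation: re-issue the seed; the stolen record no longer matches.
    server.reseed(serial, bytes.fromhex("ffeeddccbbaa99887766554433221100"))
    result["stolen_seed_after_reseed"] = server.verify(
        serial, pin, totp(stolen_db[serial], now), now)
    return result


if __name__ == "__main__":
    for name, outcome in breach_scenario().items():
        print(f"{name}: {outcome}")
```

The verifier still rejects the stolen-seed code when the PIN is wrong, which is why Coviello's phrasing about "a broader attack" matters: once the seed is known, a four-digit PIN is the only secret left, and it can be obtained by phishing or shoulder-surfing, so customers who suspect their seeds were taken should treat re-seeding (or token replacement) as the fix rather than relying on the PIN.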