RSA offers to replace all SecurID tokens
Northrop Grumman, a major US-based defense contractor, and L-3 Communications have acknowledged that they were hit by a cyber-attack. According to a leaked memo, company executives believe the attackers used information stolen from RSA Security earlier this year. The attackers broke into L-3 Communications Holdings by spoofing pass codes from a cloned RSA SecurID token, and may have used a similar method to target another defense contractor, Lockheed Martin. Industry officials said that Lockheed had made the security changes RSA recommended after its own attack in March, including increased monitoring and the addition of another password to its remote log-in process. Yet the hackers still got into Lockheed’s network, prompting security experts to say that the tokens themselves needed to be reprogrammed.
RSA is now under criticism for its handling of the attack when it was first disclosed.
Art Coviello, RSA executive chairman, said that characteristics of the attack on RSA “indicated that the perpetrator’s most likely motive” was to steal security information that could be used to obtain military secrets and intellectual property. He said that RSA had worked with military companies to replace their tokens “on an accelerated timetable.” Michael Gallant, spokesman for EMC, RSA’s parent company, said, “We have not withheld any information that would adversely affect the security of our customers’ systems. We provided very specific recommendations, we provided details of the attack, and we worked closely with customers to strengthen their overall security.”
The company’s admissions were too little, too late, industry experts said. Mr. McGraw, chief technology officer for Cigital, a computer security consulting company, said that companies would be wise to replace RSA’s tokens and that some companies — banks, in particular — had already done so. Like many others, he criticized RSA for failing to disclose the potential danger of the problem to its customers. Another security consultant, Alex Stamos, chief technology officer for iSEC Partners, said that many companies using RSA tokens were irate about the hacking and RSA’s response. He claimed that RSA misled customers about the potential problems after the initial hacking came to light. Mr. Stamos said that by minimizing the problem for six to seven weeks, RSA had made companies more vulnerable.
As a result, Art Coviello sent an open letter to RSA SecurID customers offering to replace “SecurID tokens for customers with concentrated user bases typically focused on protecting intellectual property and corporate networks.”
Bank of America, JPMorgan Chase, Wells Fargo and Citigroup said they planned to replace the tokens as soon as possible. The banks declined to say how many customers would be affected; SAP said that most of its 50,000 employees used RSA’s tokens and that it was seeking to replace them all. Defense industry officials said that concerns about the tokens had prompted some of the nation’s largest military contractors to accelerate their plans to shift to computer smart cards and other security technology.
In the short term, customers are focused on getting new tokens, but the longer-term outlook is cloudy. “Companies are asking for the new tokens and looking long term to switching away from RSA,” Mr. Stamos said. “If you have 30,000 employees, switching to a new access solution is a yearlong process.” For banks, moving to a new token provider would be costly because it would require them to redesign their online-banking applications as well as help customers — typically high-net-worth customers they do not want to alarm — make the shift to a new system.
Avivah Litan, a longtime financial technology analyst for Gartner, estimated that it would cost banks just under US$ 1 (EUR 0.69) per customer to clean up the mess, even though RSA had agreed to supply new tokens. That would amount to as much as US$ 95 million (EUR 65.80 million) in customer service, mailing and other costs.
Lockheed has said it would keep using the SecurID tokens and would replace 45,000 of them. L-3 Communications is also still using the tokens. However, Northrop Grumman, another giant military contractor, has begun shifting from SecurID tokens to smart cards.