June 2011 Archives

RSA SecurID may not be secure.

Reports are surfacing that RSA is offering to replace secure tokens, commonly called FOB's, for its customers. This suggests that the data theft at RSA, reported in March, may have included data about RSA's number algorithms. If this is true then potentially every RSA token number could be guessed meaning that only the PIN number is secure. Most PIN numbers are short, making this effectively an insecure password.

Two factor authentication, such as RSA offers, is an excellent approach to secure authentication. Is it, however, wise to trust it all to a single organization? RSA found itself in a tough spot. Disclose the danger and possibly encourage the thieves to quickly attempt to use their booty or say nothing an hope to make a fix before the theft is put to nefarious use. This is a old argument and I don't mean to recall it here. I only wish to make organization and security professionals think about what it means to have another organization manage part of your security. This is especially true when that organization keeps much of their product secret. Call it security by obscurity, copy right or intellectual property the result is the same. 'Trust us, we'll keep you safe.' Will they?

Further reading