An article relating to this blog post on Finextra:

RSA hacked: SecurID two factor authentication data leaked

RSA has warned customers of a security breach that may have compromised its SecurID two-factor authentication system, which is widely used by banks around the world to protect their internal and custo...

What to do about the SecurID hack?


RSA's public response to the compromise of its famous SecurID one-time password (OTP) system is curious. On the one hand, it's admirable to have disclosed that they've been 'hacked'; on the other hand, their public releases have been short on details, and some corporate customers who have enjoyed private briefings say they're none the wiser.

By way of countermeasures, so far RSA has provided only vanilla security advice, such as monitoring for unauthorised access and maintaining a strong security policy.

I haven't used SecurID for many years, but I had two of them for a while in the early '00s, one for logging on to a corporate VPN and the other for Internet banking. I recall it was standard practice at the time to have a static password (and user name) as well as the OTP. Is that still the case?

If so, then the first response by any corporate customer to this compromise is surely to have all SecurID users change their static passwords. If attackers have the master keys to SecurID, they still shouldn't be able to take over user accounts without also knowing the static passwords.

For VPNs and internal corporate users, I would also suspend remote access to as many non-critical accounts as possible, and monitor them for unauthorised usage.
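The two countermeasures above (rotate the static password, suspend and monitor remote access) can be seen in a small server-side verifier. The following is an added example written for this post, not RSA's code and not the ACE Server's logic: SecurID's token algorithm is proprietary, so the example substitutes the public RFC 4226 HMAC-based OTP as a stand-in, and the seed, PIN, user name and audit format are all constructed for the demonstration. What it shows is that a correct token code alone does not authenticate without the PIN, that rotating the PIN invalidates the old one immediately, and that a suspended account is refused for remote logins and logged.

```python
import hashlib
import hmac
import secrets
import struct


def hotp(seed: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HMAC-based OTP. Stand-in for the proprietary SecurID algorithm."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def time_counter(now: float, step: int = 60) -> int:
    """Map a Unix timestamp to the counter for a 60-second token window."""
    return int(now // step)


class AuthServer:
    """Minimal two-factor verifier: token seed plus a hashed static PIN per user."""

    def __init__(self) -> None:
        self.users = {}   # username -> record (seed, salted PIN hash, remote flag)
        self.audit = []   # (username, reason) for every rejected attempt

    @staticmethod
    def _hash_pin(pin: str, salt: bytes) -> bytes:
        # The PIN is never stored in clear, only a salted PBKDF2 hash.
        return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000)

    def enrol(self, username: str, seed: bytes, pin: str) -> None:
        salt = secrets.token_bytes(16)
        self.users[username] = {
            "seed": seed,
            "pin_salt": salt,
            "pin_hash": self._hash_pin(pin, salt),
            "remote_allowed": True,
        }

    def rotate_pin(self, username: str, new_pin: str) -> None:
        """Countermeasure 1: replace the static password; the old one stops working at once."""
        rec = self.users[username]
        rec["pin_salt"] = secrets.token_bytes(16)
        rec["pin_hash"] = self._hash_pin(new_pin, rec["pin_salt"])

    def suspend_remote(self, username: str) -> None:
        """Countermeasure 2: block remote access for a non-critical account."""
        self.users[username]["remote_allowed"] = False

    def login(self, username: str, pin: str, otp: str, now: float, remote: bool = True) -> bool:
        rec = self.users.get(username)
        if rec is None:
            self.audit.append((username, "unknown user"))
            return False
        if remote and not rec["remote_allowed"]:
            self.audit.append((username, "remote access suspended"))
            return False
        pin_ok = hmac.compare_digest(self._hash_pin(pin, rec["pin_salt"]), rec["pin_hash"])
        ctr = time_counter(now)
        # Accept one window of clock drift either side, as token servers commonly do.
        otp_ok = any(hmac.compare_digest(hotp(rec["seed"], ctr + d), otp) for d in (-1, 0, 1))
        if pin_ok and otp_ok:
            return True
        # Both factors are required; a valid code with a wrong PIN is logged, not accepted.
        self.audit.append((username, f"pin_ok={pin_ok} otp_ok={otp_ok}"))
        return False


def demo() -> dict:
    """Walk through the post's two countermeasures with constructed data."""
    server = AuthServer()
    seed = b"constructed-seed-not-a-real-token"   # constructed sample seed
    server.enrol("alice", seed, "2468")           # constructed user and PIN
    now = 1_300_000_000.0                         # fixed timestamp for reproducibility
    code = hotp(seed, time_counter(now))          # the code a token with this seed shows now
    results = {}
    results["pin_and_otp"] = server.login("alice", "2468", code, now)
    results["otp_without_pin"] = server.login("alice", "0000", code, now)
    server.rotate_pin("alice", "97531")
    results["old_pin_after_rotation"] = server.login("alice", "2468", code, now)
    results["new_pin_after_rotation"] = server.login("alice", "97531", code, now)
    server.suspend_remote("alice")
    results["remote_while_suspended"] = server.login("alice", "97531", code, now)
    results["local_while_suspended"] = server.login("alice", "97531", code, now, remote=False)
    results["audit_entries"] = len(server.audit)
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The audit list is the monitoring half of the advice: every rejected attempt records which factor failed, so a run of valid codes arriving with wrong PINs, or logins against suspended accounts, stands out in the log rather than disappearing into a generic failure count.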


Comments: (1)

Stephen Wilson - Lockstep Consulting - Sydney, 21 March 2011, 22:02

Stop press: SecurID's inventor Kenneth Weiss confirmed that a successful attack on any one SecurID user's account will require knowledge of the "PIN" (static password) as well. The PINs I believe are managed by each SecurID corporate customer (on their ACE Server) so RSA themselves don't know the PINs.

It's a good defence-in-depth solution. It seems to me that the actual threat enabled by the SecurID hack is well and truly manageable if end users change to a sound static password, and if corporate security managers review the integrity of their ACE servers.
