RSA's public response to the compromise of its famous SecurID one-time password (OTP) tokens is curious. On the one hand, it is admirable that RSA disclosed it had been 'hacked'; on the other hand, its public releases have been short on detail, and some corporate customers who have enjoyed private briefings say they are none the wiser.
By way of countermeasures, so far RSA has provided only vanilla security advice, such as monitoring for unauthorised access and maintaining a strong security policy.
I haven't used SecurID for many years but I had two of them for a while in the early '00s, one for logging on to a corporate VPN and the other for Internet banking. I recall it was standard practice at the time to have a static password (and user name) as well as the OTP. Is that still the case?
If so, then the first response by any corporate to this compromise is surely to have all SecurID users change their static passwords. If attackers have the master keys to SecurID, they still shouldn't be able to take over user accounts without also knowing the static passwords.
For VPNs and internal corporate users, I would also suspend remote access to as many non-critical accounts as possible, and monitor them for unauthorised usage.
This content is provided by an external author without editing by Finextra. It expresses the views and opinions of the author.