
What to do about the SecurID hack?


RSA's public response to the compromise of its famous SecurID One Time Password tokens is curious. On the one hand, it's admirable to have disclosed that they've been 'hacked'; on the other hand, their public releases have been short on details, and some corporate customers who have enjoyed private briefings say they're none the wiser.

By way of countermeasures, so far RSA has provided only vanilla security advice, such as monitoring for unauthorised access and maintaining a strong security policy.

I haven't used SecurID for many years but I had two of them for a while in the early '00s, one for logging on to a corporate VPN and the other for Internet banking. I recall it was standard practice at the time to have a static password (and user name) as well as the OTP. Is that still the case?

If so, then the first response by any corporate to this compromise is surely to have all SecurID users change their static passwords. If attackers have the master keys to SecurID, they still shouldn't be able to take over user accounts without also knowing the static passwords. 

For VPNs and internal corporate users, I would also suspend remote access to as many non-critical accounts as possible, and monitor them for unauthorised usage.
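The layered-factor argument above can be made concrete. The following added example (not RSA's code, and not part of the original post) models a verifier that checks a static password alongside a token code; the token algorithm is an HMAC-based stand-in rather than the proprietary SecurID one, and the seed, user and passwords are constructed values. It shows that a party holding the token seed still fails without the static password, that rotating the password invalidates what such a party knew, and that a "valid token code, wrong password" failure is the signal worth alerting on.

```python
import hashlib
import hmac
import secrets
import struct


def token_code(seed: bytes, now: int, step: int = 60, digits: int = 6) -> str:
    """Simulated time-based token code (HMAC stand-in, not the real SecurID algorithm)."""
    counter = struct.pack(">Q", now // step)
    mac = hmac.new(seed, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


class Authenticator:
    """Two-factor verifier: static password hash + token code derived from a per-user seed."""

    def __init__(self) -> None:
        self.users: dict[str, tuple[bytes, bytes, bytes]] = {}  # user -> (seed, salt, pw_hash)
        self.alerts: list[str] = []  # constructed detection log

    @staticmethod
    def _hash(password: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def enrol(self, user: str, seed: bytes, password: str) -> None:
        salt = secrets.token_bytes(16)
        self.users[user] = (seed, salt, self._hash(password, salt))

    def change_password(self, user: str, new_password: str) -> None:
        # The countermeasure from the post: the seed stays, the static factor is replaced.
        seed, _, _ = self.users[user]
        salt = secrets.token_bytes(16)
        self.users[user] = (seed, salt, self._hash(new_password, salt))

    def login(self, user: str, password: str, code: str, now: int) -> bool:
        seed, salt, pw_hash = self.users[user]
        otp_ok = hmac.compare_digest(code, token_code(seed, now))
        pw_ok = hmac.compare_digest(self._hash(password, salt), pw_hash)
        if otp_ok and not pw_ok:
            # Correct token code with a wrong static password is the pattern a seed
            # compromise produces; log it for the monitoring the post recommends.
            self.alerts.append(f"{user}: valid token code with wrong static password")
        return otp_ok and pw_ok
```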


External

This content is provided by an external author without editing by Finextra. It expresses the views and opinions of the author.
