2011-10-28

All your RSA token seeds are safe ;)

As many of you are aware, RSA (the company, not the public-key cipher) had some security issues.  In particular, they involved an APT (Advanced Persistent Threat), which is really just a Trojan, and those are not new, and the compromise of SecurID tokens.  Well, it seems that their initial statements that no token seeds were compromised, and all the various PR double-speak, were outright lies.  Many are already aware of this fact, but I was quite surprised to finally see a response from a company that I have such a token from.

For one of my banks I could purchase a SecurID token for somewhere between $20 and $30 USD for the device and then pay $5 USD per month for the privilege of using it.  I should note that this token is actually not capable of being part of my actual bank sign-on.  It is only part of vSafe, which stores things like all your statement history since you opened your account and any documents up to 1 GB that you wish to put there.  They claim it is encrypted (no details available) but also that they will turn over all your data to law enforcement if necessary, so by "encrypted" they likely mean the SSL *to them* and not the stored data itself.

After the RSA SecurID breach I started sending emails, calling, and so on to demand they replace my now compromised token.  Most people that I encountered did not even know they offered this, and the general response was that it might be more secure to terminate my token and use the SMS 24-hour codes instead.  That's right: a code sent to you via SMS that is valid for 24 hours, *or* your SecurID token, which changes a bit more regularly than that.  Others helpfully offered to disconnect my token and then charge me $20 to $30 USD to have a new one shipped.  Of course, maybe I would just get one from the bad batch again.

Much to my surprise, I received a FedEx package with this letter and a new token.  I would like to highlight some phrases like "ongoing security process."  My old token has an expiration of 2013-12-31 and was issued 2010-05.  My new token has an expiration of 2016-12-31.  Really, their ongoing security process includes issuing new tokens less than 1.5 years later and some 2+ years in advance of the expiration?

I also like the fact that the document ends with SSA_L_AllTokenReplacement, which seems like some sort of internal document name.  I wonder why there would be a need for AllTokenReplacement?

For those not yet aware of devices such as the YubiKey, I suggest you look into them.  Between the cheaper token cost, the ability to use their auth server or run your own (for example with Kerberos), and so on, they are much more cost-effective than the RSA tokens, and all details are publicly available.