A few months ago, when I posted about security vendor RSA getting hacked, there was no information from them regarding their RSA SecurID. To refresh your memory, over 40 million RSA SecurID products have been distributed worldwide, and each and every one of them is compromised. On top of that, they even kept silent when questioned about the specific area of the RSA SecurID that got compromised. It is claimed that the seed code (secret key) of each RSA SecurID was stolen, and some even claim that the algorithm used to generate the random security number was stolen.
RSA SecurID to be Replaced Now
The Executive Chairman of the security vendor, Art Coviello, issued an open letter to all RSA SecurID customers saying that the company is ready to replace tens of millions of RSA SecurID devices. The pressure that customers put on the security vendor over this issue has finally paid off. Personally, I had already expected this to happen, but my question is: will all RSA SecurID devices be replaced, or only those devices that are going to be used for certain applications? It remains a doubt to me, but it has no impact on me as I am not an RSA SecurID customer. The number of devices issued is very large, and we are not sure how much of a loss they will suffer from this action. It is tough to build trust between a security device vendor and its customers, isn’t it?
The open letter also stated clearly what they are going to do next for their customers. As part of their strategy to build trust with RSA SecurID customers, those customers will receive:
- An offer to replace RSA SecurID tokens for customers with concentrated user bases typically focused on protecting intellectual property and corporate networks.
- An offer to implement risk-based authentication strategies for consumer-focused customers with a large, dispersed user base, typically focused on protecting web-based financial transactions.
It is also firmly said that the recent attacks on Sony, Epsilon, Google, PBS and Nintendo had nothing to do with the compromised RSA SecurID. The only attack they admitted to was the network intrusion at Lockheed Martin, which caused a major disruption to the network. It was because Lockheed employees use the RSA SecurID to log in to the network to access some sensitive data, and the compromised device had caused the disruption. As the pressure began to grow, RSA had no other choice but to announce the replacement of their devices.
RSA SecurID – My Verdict
In my opinion, RSA made a great sacrifice to replace the compromised devices. If those RSA SecurID devices were not replaced, they would lose more business in the future anyway, and thus it is a lose-lose situation for them. The decision to replace the devices gives their customers the confidence to continue investing in their future products. I strongly support the move by RSA this time around, and I am sure that, with the lesson they learned a few months back from the compromised RSA SecurID, they are going to grow stronger in their IT security protection knowledge.