The token hardware is designed to be tamper-resistant to deter reverse engineering. On older versions of SecurID, a “duress PIN” may be used: an alternate code that creates a security event log entry showing that the user was forced to enter their PIN, while still providing transparent authentication. Using the duress PIN allows one successful authentication, after which the token is automatically disabled.
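The duress-PIN behaviour described above is server-side policy: the authentication server must accept the passcode exactly as it would a normal one, write a security event, and then refuse every later use of that token. The following is an added illustration of that logic and is not RSA's code or algorithm; the tokencode function is a constructed HMAC-over-time-step stand-in for the proprietary SecurID generator, and the user name, seed, PINs and timestamp are constructed sample values.

```python
import hashlib
import hmac
import struct

# Constructed stand-in for the token generator: a 6-digit code derived from the
# per-token seed and the current time step. This is NOT the SecurID algorithm;
# it only gives the server something to verify against.
def tokencode(seed: bytes, now: int, step: int = 60, digits: int = 6) -> str:
    counter = struct.pack(">Q", now // step)
    mac = hmac.new(seed, counter, hashlib.sha256).digest()
    return str(int.from_bytes(mac[:4], "big") % 10 ** digits).zfill(digits)


class TokenRecord:
    """Per-user token state held by the authentication server."""

    def __init__(self, seed: bytes, pin: str, duress_pin: str):
        self.seed = seed
        self.pin = pin
        self.duress_pin = duress_pin
        self.disabled = False


class AuthServer:
    """Minimal SecurID-style server: passcode = PIN followed by the tokencode."""

    def __init__(self):
        self.tokens: dict[str, TokenRecord] = {}
        self.events: list[tuple[str, str, str]] = []  # (type, user, detail)

    def enroll(self, user: str, seed: bytes, pin: str, duress_pin: str) -> None:
        self.tokens[user] = TokenRecord(seed, pin, duress_pin)

    def authenticate(self, user: str, passcode: str, now: int) -> bool:
        rec = self.tokens.get(user)
        if rec is None or rec.disabled:
            # A token used once under duress stays disabled until re-issued.
            self.events.append(("DENIED", user, "unknown or disabled token"))
            return False

        pin, code = passcode[:-6], passcode[-6:]
        # Check the time-based code first; the PIN is only meaningful with a valid code.
        if not hmac.compare_digest(code, tokencode(rec.seed, now)):
            self.events.append(("DENIED", user, "bad tokencode"))
            return False

        if hmac.compare_digest(pin, rec.duress_pin):
            # Transparent to whoever is coercing the user: the login succeeds,
            # but the event is flagged and the token is retired immediately.
            self.events.append(("DURESS", user, "duress PIN used; token disabled"))
            rec.disabled = True
            return True

        if hmac.compare_digest(pin, rec.pin):
            self.events.append(("OK", user, "login"))
            return True

        self.events.append(("DENIED", user, "bad PIN"))
        return False


if __name__ == "__main__":
    # Constructed sample enrollment and a walk through the duress flow.
    srv = AuthServer()
    srv.enroll("alice", b"constructed-seed-value", pin="1234", duress_pin="9999")
    now = 1_700_000_000
    code = tokencode(b"constructed-seed-value", now)
    print(srv.authenticate("alice", "1234" + code, now))  # normal login
    print(srv.authenticate("alice", "9999" + code, now))  # duress login, still True
    print(srv.authenticate("alice", "1234" + code, now))  # token now disabled
    for ev in srv.events:
        print(ev)
```

The point a practitioner should take from the event log is that the duress entry is the only signal the server emits; the response to it (alerting, session containment, token re-issue) has to be wired into monitoring separately, since the login itself looks like any other success.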
This is significant, since it is the principal threat most users believe they are solving with this technology. The simplest practical vulnerability of any password container is losing the dedicated key device or the activated smartphone with the integrated key function. Such a loss cannot be remedied by any single token container device within the preset activation time span. All further consideration presumes loss prevention, e.
While RSA SecurID tokens offer a level of protection against password replay attacks, they are not designed to offer protection against man-in-the-middle attacks when used alone. This has been documented in an unverified post by John G. Although soft tokens may be more convenient, critics point out that the tamper-resistant property of hard tokens is unmatched in soft token implementations, which could allow seed record secret keys to be duplicated and users to be impersonated. A user will typically wait more than one day before reporting the device as missing, giving the attacker plenty of time to breach the unprotected system. Batteries go flat periodically, requiring complicated replacement and re-enrollment procedures.
25 million devices have been produced to date. On 17 March 2011, RSA announced that they had been victims of “an extremely sophisticated cyber attack”. Concerns were raised specifically in reference to the SecurID system, saying that “this information could potentially be used to reduce the effectiveness of a current two-factor authentication implementation”. The breach into RSA’s network was carried out by hackers who sent phishing emails to two targeted, small groups of employees of RSA. Attached to the email was an Excel file containing malware.
When an RSA employee opened the Excel file, the malware exploited a vulnerability in Adobe Flash. There are some hints that the breach involved the theft of RSA’s database mapping token serial numbers to the secret token “seeds” that were injected to make each one unique. Reports of RSA executives telling customers to “ensure that they protect the serial numbers on their tokens” lend credibility to this hypothesis. On 6 June 2011, RSA offered token replacements or free security monitoring services to any of its more than 30,000 SecurID customers, following an attempted cyber breach on defense customer Lockheed Martin that appeared to be related to the SecurID information stolen from RSA. In April 2011, unconfirmed rumors cited L-3 Communications as having been attacked as a result of the RSA compromise.