Say Goodbye To RSA's Fobs

RSA will have to replace all its SecurID fobs in the wake of the security breach the company announced on March 17. Why? Because no one at RSA knows exactly what the thieves took.

Did the crooks grab source code that spells out SecurID's secret hashing algorithm? You have to assume so. Did they get data on the seeds, which would allow a thief with the algorithm and lots of computing horsepower to duplicate any particular SecurID fob? Again, you have to assume so. And that's enough to require replacing all SecurID fobs and starting over with new seeds.

But instead of trying to shore up the popular but aging SecurID system, there's a better way for RSA to go: It could just publish the hashing algorithms and convert its SecurID users to mobile devices that could be updated on-the-fly at any time. That would eliminate all the advantage gained by the thieves who stole RSA's secrets, while making things more secure for SecurID users.

Right now, how secure those users are is debatable. RSA Executive Chairman Art Coviello announced that the break-in had been discovered, saying in an open letter to customers only that some of the information grabbed by the thieves "is specifically related to RSA's SecurID two-factor authentication products.

"While at this time we are confident that the information extracted does not enable a successful direct attack on any of our RSA SecurID customers, this information could potentially be used to reduce the effectiveness of a current two-factor authentication implementation as part of a broader attack," Coviello wrote. In plain English: As long as you still have good passwords, the bad guys still can't get into your systems with the information they stole from us. By itself, though, SecurID is toast.

That's not pleasant to hear, especially for retailers that may be using SecurID to help lock down customer data that falls under PCI. But RSA is being realistic in expecting the worst. And there's every reason to believe RSA will be responsible by swapping out existing SecurID hardware and issuing new software.

That's a start. But no company is immune from cyber attack, and it's a small miracle that SecurID hadn't already been compromised years ago. After all, SecurID started picking up momentum in 1996. It's 15-year-old technology. Back then, even if the secret hashing algorithm and seeds had been stolen, only a huge amount of compute power could have let a thief make real use of the stolen goods.

A decade and a half later, it's a different story.A decade and a half later, it's a different story. With the algorithm in hand, thieves could make use of today's cheap computing to construct the equivalent of "rainbow tables" and mimic how a SecurID fob works. And if the algorithm really is in thieves' hands—even if those thieves don't plan on making it widely available because they want to use it for attacks on specific SecurID-secured targets—it's only a matter of time before SecurID becomes useless.

That is, unless RSA changes the game. Right now, a SecurID fob will produce the same predictable sequence of numbers—at least, it's predictable if you know the hash algorithm and the seed. But what if the seed number could be changed securely at any time? Then even if someone broke into RSA again and stole a database containing every seed for every SecurID fob, the breach would only create a risk until the seed was changed again.

That's impossible with a 1996-era fob. But it's easy today if RSA replaces those fobs with smartphones. A mobile phone can do everything a SecurID fob can do. It can also create a secure connection that's authenticated by the phone's hardware. And change the seed at any time. And wipe itself, if it's reported stolen (at least if it's reported in time). Those are security advantages that the old fobs will never have.

Users are also very likely to notice that, say, their iPhone is lost or stolen. They're a lot less likely to keep constant tabs on a fob that they use at most a few times a day.

Retailers have an even better reason to hope RSA does something like opening up its hash algorithm and shifting to mobile. This might be the first step in much-improved security for mobile payments. Those SecurID fobs would be great for replacing payment-card PINs with one-time passcodes. But there's no way any bank could afford to hand out RSA's pricey hardware to every cardholder (especially because most of those cardholders would promptly lose the fobs).

But replace the fobs with smartphones and suddenly the economics make it practical for RSA to get into the payment-card authentication business. Or if RSA won't do it, some other security vendor can build on what RSA has already done.

There's nothing comforting in what happened to RSA. As security guru Bruce Schneier pointed out in his first-take analysis of the breach, "Security is all about trust, and when trust is lost there is no security." That breach means a major disruption—both in trust and in security—for anyone who uses SecurID. It's up to RSA to squeeze some good out of that disruption.