The security of thousands of Westpac customers, who use an RSA security token to transfer money from their accounts, could be compromised after “an extremely sophisticated cyber-attack”. Westpac has not commented on how serious the situation is. RSA is a subsidiary of data storage giant EMC. The tokens are small devices which generate a digital security code that changes every 60 seconds. The code is usually used together with a static PIN or password to access a computer system.
Other Australian customers include Telstra and Virgin Blue, the federal departments of Defence, Treasury, Prime Minister and Cabinet, Veterans Affairs and Parliamentary Services, along with the Australian Electoral Commission, Family Court, Geoscience Australia, AusAid and Crimtrac.
RSA has refused to say how its system was compromised and what specific kinds of threats its customers are facing. Its Web site continues to claim the SecurID system has never been breached in 15 years.
In an open letter to customers, RSA’s North American HQ said an investigation into the attack revealed that it had “resulted in certain information being extracted from RSA’s systems”. The stolen data was “specifically related to RSA’s SecurID two-factor authentication products” and the attack “could potentially be used to reduce the effectiveness of a current two-factor authentication implementation as part of a broader attack,” the security firm said.
Observers say one potential weakness that could be exploited involves a factory-installed key called a seed. Typically 16 characters long, it is different for each token and is stored on a corresponding server program, which authenticates the session each time a user connects to a secure network.
If the database containing customers’ seeds was cracked, the intruder might still not know which user had which seed, but cryptographers said it would be possible to use a reverse-engineered version of the RSA algorithm to determine that information by simply capturing a single log-in session.