The RSA SecurID authentication mechanism consists of a "token"—either hardware (e.g. a key fob) or software (a soft token)—which is assigned to a computer user and which creates an authentication code at fixed intervals (usually 60 seconds) using a built-in clock and the card's factory-encoded almost random key (known as the "seed").
[4] In the RSA SecurID authentication scheme, the seed record is the secret key used to generate one-time passwords.
Newer versions also feature a USB connector, which allows the token to be used as a smart card-like device for securely storing certificates.
RSA Security has pushed forth an initiative called "Ubiquitous Authentication", partnering with device manufacturers such as IronKey, SanDisk, Motorola, Freescale Semiconductor, Redcannon, Broadcom, and BlackBerry to embed the SecurID software into everyday devices such as USB flash drives and cell phones, to reduce cost and the number of objects that the user must carry.
A user will typically wait more than one day before reporting the device as missing, giving the attacker plenty of time to breach the unprotected system.
Risk-based analytics can provide additional protection against the use of lost or stolen tokens, even if the user's UserID and PIN are known by the attackers.
[citation needed] A number of competitors, such as VASCO, make similar security tokens, mostly based on the open OATH HOTP standard.
[12] Concerns were raised specifically in reference to the SecurID system, saying that "this information could potentially be used to reduce the effectiveness of a current two-factor authentication implementation".
The breach cost EMC, the parent company of RSA, $66.3 million, which was taken as a charge against second quarter earnings.
It covered costs to investigate the attack, harden its IT systems and monitor transactions of corporate customers, according to EMC Executive Vice President and Chief Financial Officer David Goulden, in a conference call with analysts.
The exploit allowed the hackers to use the Poison Ivy RAT to gain control of machines and access servers in RSA's network.
[17] Reports of RSA executives telling customers to "ensure that they protect the serial numbers on their tokens"[18] lend credibility to this hypothesis.
[23][24] However Lockheed Martin claims that due to "aggressive actions" by the company's information security team, "No customer, program or employee personal data" was compromised by this "significant and tenacious attack".