A criminal might be able to achieve this by posing as a network administrator and emailing a victim, telling them to visit a Web site and to log in with their password and SecurID login number. With just a couple of successive log-ins, hackers could figure out which of the millions of seed numbers was used to generate the log-in numbers. Or they could identify the seed numbers by asking victims to enter their tokens' serial numbers, say as part of a security audit, and then look that serial number up in their stolen database.
Whether all RSA customers need to worry about this type of attack is unclear. It may be that whoever hacked the company was only looking for seed numbers associated with a particular customer -- Lockheed Martin, for example. It could also be the case that the hacker is about to publish all of the seed numbers on a public website, sending all SecurID customers scrambling for cover. It may be that RSA doesn't actually know how much data was taken.
The lack of a clear explanation has led to a lot of chatter among security experts.
"The RSA situation has been going on for a couple months now, with no shortage of rumors swirling about what was lost, and no real guidance from RSA on the risk to their customers (at least none outside of NDA)," wrote Dan Kaminsky, an independent security researcher, in a recent analysis.
The confusion has caused some perception problems for RSA about its products, said the chief security officer at one company who spoke on condition of anonymity because he didn't want to jeopardize his company's relationship with RSA's parent company, EMC. "As a buyer right now, their name is just something I'd stay away from," he said. "Do you want to tie your reputation to them and not know enough?"
RSA said it can't say any more about what was taken, or by whom, for "security reasons." People familiar with the situation said disclosing exactly what data was taken could potentially harm the reputation of some RSA customers, which is something RSA is taking pains to avoid.
Christopher Ipsen, chief information security officer for the State of Nevada, said his organization plans to take RSA up on its offer to reissue SecurID tokens. But he said he understands why RSA might be reluctant to release details of the attack. "You don't want to give too much information out about the exploit," he said. "But there is an appropriate time when full disclosure is imperative."
Three months after the RSA attack, how far away is that "appropriate time"?
"I think we're really close," Ipsen said.
Sign up for CIO Asia eNewsletters.