Is Barclay's Pinsentry part of RSA SecureID - and compromised?

John Lamb ukcrypto at lawnjam.com
Mon Mar 28 13:22:59 BST 2011


I would say this attack looks serious for any banks that *are* using SecurID.

SecurID starts with a seed and continually changes over time. The security is
based on the secrecy of the seed - being able to respond with the current
number on the token proves that either you have the token itself, or you have
the seed for the token and the algorithm to generate the values.

If an attacker had all the seeds issued to an organisation, then they could
identify your token by capturing the current number on your SecurID at a known
time and comparing it to a generated list of the numbers all the issued tokens
would have been displaying at that time.
Once they have identified your token's seed, they can impersonate you at any
future time. If the attacker is targeting internet banking, then they have
already trojaned your PC and captured your login details, so capturing the
token value as well is trivial.

John

On Sun, Mar 27, 2011 at 11:31:42PM +0100, Tony Naggs wrote:
> No, RSA SecurID is a quite different technology.
> 
> An RSA SecurID token is physically a standalone object, about 2" * 1"
> * 1.2", with an LCD showing a 6 digit number that changes every minute.
> Each token has a unique serial number, and maybe a secret customer
> identification number for each company that uses the system, which are
> the basis for deriving the displayed number. (Details are not published by
> RSA.)  The token serial number is registered for the user with the
> company, and then the remote user identifies herself with both a
> password or PIN (something she knows) and the currently displayed
> number (something she has). This is the basis of so-called two
> factor authentication.
> 
> Speculation about RSA SecurID being broken is guessing that some
> secret design aspects of the system have been stolen, or maybe a list
> of companies using SecurID & the embedded per-company secret seed
> numbers. Even if true, a bad person would still have to have some very
> specific information for it to be of use: a user's account, their
> normal password and/or PIN, and the serial number of the SecurID
> token.
> 
> Regards,
> Tony
> 
> On 27 March 2011 11:11, Mary Hawking <maryhawking at tigers.demon.co.uk> wrote:
> > http://www.theregister.co.uk/2011/03/24/rsa_securid_news_blackout/
> >
> > Is the Barclays pinsentry an example of RSA SecureID?
> > AFAIAA NHS smartcards are not - unless there is something in Gem
> > Authenticate (installed on the PC) - using this technology.
> >
> > Mary Hawking
> >
> 
> 
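The seed-file attack John describes above, as an added worked example that is not part of the original thread or of any RSA software. RSA's actual SecurID algorithm was unpublished at the time, so the token generator here is a TOTP-style HMAC stand-in (one code per minute, six digits, as the thread describes); the serial numbers, seeds, capture times and the `issue_tokens`, `matching_serials` and `identify_token` helpers are all constructed for the example. It shows the three steps in John's post: the attacker holds every issued seed, matches one captured (code, time) pair against the codes every token would have displayed, and once the token is pinned down produces its code for any future minute.

```python
"""Added example (not from the original thread): a toy time-synchronous token
and the seed-file attack described in the post.  The token algorithm is an
HMAC/TOTP-style stand-in (RFC 6238 shape), NOT RSA's unpublished SecurID
algorithm; every serial number, seed and timestamp below is constructed."""
import hashlib
import hmac
import random
import struct

STEP = 60        # assumption: one new code per minute, as the thread describes
DIGITS = 6       # assumption: six-digit display, as the thread describes


def token_code(seed: bytes, t: int) -> str:
    """Code a token holding `seed` displays at Unix time t (stand-in algorithm)."""
    counter = struct.pack(">Q", t // STEP)
    mac = hmac.new(seed, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    number = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{number % 10 ** DIGITS:0{DIGITS}d}"


def issue_tokens(count: int, rng: random.Random) -> dict[str, bytes]:
    """Constructed 'seed file': serial -> seed for every token issued to one customer."""
    return {f"{100000 + i:09d}": rng.randbytes(20) for i in range(count)}


def matching_serials(seed_db, observed: str, t_observed: int, skew: int = 1) -> list[str]:
    """Attacker step: which issued tokens would have shown `observed` at t_observed?
    `skew` windows either side allow for clock drift between capture and token."""
    hits = []
    for serial, seed in seed_db.items():
        if any(token_code(seed, t_observed + k * STEP) == observed
               for k in range(-skew, skew + 1)):
            hits.append(serial)
    return hits


def identify_token(seed_db, observations, skew: int = 1) -> list[str]:
    """Intersect the candidate sets over several (code, time) captures.
    One six-digit capture leaves roughly (2*skew+1)*N/10**6 false candidates
    for N seeds; a second capture at a different minute removes them."""
    survivors = dict(seed_db)
    for code, t in observations:
        survivors = {s: survivors[s] for s in matching_serials(survivors, code, t, skew)}
    return sorted(survivors)


def demo():
    rng = random.Random(2011)                 # deterministic, constructed data
    seed_db = issue_tokens(20_000, rng)       # 20,000 tokens issued to one organisation
    victim = "000104242"                     # constructed victim serial
    t0 = 1_301_316_000                        # constructed capture time (28 Mar 2011)

    # The trojan on the victim's PC captures the displayed code at a known time,
    # twice, seven minutes apart.
    captures = [(token_code(seed_db[victim], t0), t0),
                (token_code(seed_db[victim], t0 + 7 * STEP), t0 + 7 * STEP)]

    after_one = identify_token(seed_db, captures[:1])
    after_two = identify_token(seed_db, captures)

    # With the seed identified, the attacker produces the code for any future minute.
    t_future = t0 + 30 * 24 * 3600
    forged = token_code(seed_db[after_two[0]], t_future)
    return {"after_one": after_one, "after_two": after_two,
            "forged_matches_victim": forged == token_code(seed_db[victim], t_future)}


if __name__ == "__main__":
    print(demo())
```

Two captures are enough here because the second minute's code is effectively independent of the first for every wrong seed. Note also how Tony's point about the serial number fits in: an attacker who already knows the victim's serial skips the search entirely and just calls `token_code(seed_db[serial], t)`.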