In March, RSA Security – provider of the SecurID authentication system used by PokerStars – detected an intrusion attempt on their network. “Our investigation … revealed that the attack resulted in certain information being extracted from RSA’s systems,” admitted Art Coviello, Executive Chairman of RSA, in an official statement released soon after the attack.
Then in May, defense contractor Lockheed Martin detected “significant and tenacious” attacks on its computer systems. According to Ars Technica, a popular technology news website, the hacks “were enabled by the creation of duplicate RSA SecurID tokens.”
On Tuesday, The Wall Street Journal reported that RSA had admitted the breach of security occurred due to the data stolen from RSA back in March.
According to the article, RSA has offered to replace the SecurIDs or provide additional “security monitoring” to “virtually every customer we have.”
In an email exchange with pokerfuse, PokerStars, one of RSA’s biggest customers, has confirmed that “The PokerStars implementation has not been compromised” and there was no requirement to issue a recall of players’ SecurID tokens.
“PokerStars has sought and obtained a briefing from RSA on the security issues and risks at issue here,” responded Michael Josem, part of PokerStars’ Game Security Team.
“PokerStars has been advised that no customer data was compromised in this attack. RSA servers do not have access to PokerStars User IDs, passwords, or other PokerStars account information.”
According to the Ars Technica article, the admission that RSA were recalling all security tokens suggests that the original ‘seed’ values for each token – the number used to generate all future keys – must have been copied:
“[The] wholesale replacement of the tokens can only mean that the tokens currently in the wild do not offer the security that they are supposed to. Sources close to RSA tell Ars that the March breach did indeed result in seeds being compromised. The algorithm is already public knowledge.”
However, Josem reiterated that there is no impact on PokerStars’ players:
“Each business involved may implement RSA Security Tokens in a different way. PokerStars cannot comment on the security arrangements at other businesses – PokerStars’ implementation of the RSA system reflects our unique business requirements and server design.”
After March, PokerStars “implemented various internal changes” to ensure player accounts were secure, and they will “continue to monitor the situation and take appropriate action as needed.”