Westpac, ATO replacing SecurID tokens


Summary: Following the example of ANZ Bank, Westpac Banking Group is set to replace all of its RSA SecurID tokens.


Following the example of ANZ Bank, Westpac Banking Group is set to replace all of its RSA SecurID tokens.

(Image: RSA tokens. "RSA SecurID Resurrection" by Travis Goodspeed, CC 2.0)

"Although the security of customers' online banking has not been compromised, Westpac will replace tokens over the coming months to ease any customer concerns," said Harry Wendt, general manager of Online and Customer Service Centres, in a statement today, adding that the tokens are used by business and corporate customers, as well as Westpac staff.

The bank had initially said that it would not replace the tokens, but has now changed its tune.

"Our customers' trust in the security of our systems is paramount. Although we do not believe that our customers are at risk from this event, we have initiated a token replacement program to alleviate any residual concern that our customers may have," Wendt said.

Westpac told ZDNet Australia today that the replacement of the tokens would take place "over the coming months". Westpac declined to comment on the number of tokens it had in circulation.

ZDNet Australia reported that ANZ Bank would be replacing its fleet of 50,000 SecurID tokens, while the Commonwealth Bank said yesterday it would keep them pending negotiations with RSA.

Westpac, like ANZ, won't be charging customers for token replacements.

The Australian Taxation Office and, according to SC Magazine, Bankwest will be issuing replacements.

The situation is less clear at Telstra, which has not confirmed whether it will replace its tokens. The company said in a statement that it had been working with RSA on the issue since March and was confident that the issue would not affect its customers, its data or its records, owing to its multi-layered security approach.

Executive chairman of RSA, Art Coviello, told The Wall Street Journal this week that the company will replace the SecurID tokens "for virtually every customer we have", amid the news that compromised SecurID token data was involved in the thwarted attack on US-based defence contractor Lockheed Martin.


Luke Hopewell

  • Fantastic guarantee - no maybe - no doubt - reported according to Westpac as follows that customer security "...has not been compromised..." by the RSA token problem. More of this please!
    After all - just why should any compromise of RSA's systems have anything at all to do with Westpac's, or anybody else's, tokens? The VERY FIRST rule of cryptographic security, and a company like RSA, named after three of the most famous cryptographers in the world, must know this, is that key materials / values MUST not be available outside the system itself. In simple English, NOTHING that RSA had should be related in any way to any token used by Westpac or its customers - and Westpac and all the others should have insisted on that - no token "master" key / manufacturer key / production run key or anything like that. Over to RSA - just what in the world is going on?
  • @1401 what you need to understand is that the source code detailing how the RSA tokens work was stolen. The SecurID token works by generating a random "next number" that a human can't easily work out just by looking at someone's token. However, computers can work it out if they know the maths used to generate the next code, and now the code is out there for anyone to make programs that can figure it out too. I have a feeling RSA might be underplaying the issue as replacing the tags doesn't really solve the problem - but it would be hard for RSA to admit their sacred SecurID tags are no longer secure at all.
    • Having worked with these token systems for 30 years now I can tell you that there is more to it than just a simple pseudo-random number generator. Without divulging the broad architecture, random sequences are XORed with stored crypto keys, actually a number of keys that relate to the token itself, its manufacturer, its issuer, etc. My point was simple - NO keying data relevant to the issuer or end user should be in the possession of RSA, even if the verifying stub software (e.g. zOS, inside an HSM, etc., etc.) has to have some data for verification purposes.
  • @hsvandrew what you need to understand is that the source code isn't sufficient to predict the next number. You need it, but you need other stuff as well.
  • I always felt that a token generated based on an algorithm can be hacked. SecurID implementation is totally disconnected and no dynamic key negotiation can happen between the client and the server.
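The point argued in the comments above (the algorithm is public; what must stay secret is the per-token seed, of which the verifying server holds a copy) can be shown with a generic time-based one-time password in the style of RFC 6238. This is an added illustration, not RSA's proprietary SecurID algorithm and not code from the article; the seed is the RFC's public test vector and the second seed is constructed.

```python
import hashlib
import hmac
import struct

# Added illustration, not RSA's proprietary SecurID algorithm: a generic
# time-based one-time password in the style of RFC 6238 (HMAC-SHA1 over a
# time counter, RFC 4226 dynamic truncation). The algorithm is public; the
# only secret is the per-token seed, of which the server holds a copy.

STEP_SECONDS = 30   # how long each displayed code is valid
DIGITS = 6          # code length shown on the token

# RFC 4226/6238 reference seed (public test data, not a real token seed)
RFC_TEST_SEED = b"12345678901234567890"


def totp(seed: bytes, unix_time: int, step: int = STEP_SECONDS,
         digits: int = DIGITS) -> str:
    """Derive the code the token would display at unix_time from its seed."""
    counter = unix_time // step
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                       # dynamic truncation
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def verify(stored_seed: bytes, submitted: str, unix_time: int,
           window: int = 1) -> bool:
    """Server-side check: recompute from the stored seed copy, tolerating
    +/- window time steps of clock drift, with a constant-time comparison."""
    for delta in range(-window, window + 1):
        expected = totp(stored_seed, unix_time + delta * STEP_SECONDS)
        if hmac.compare_digest(expected, submitted):
            return True
    return False


def algorithm_alone_is_not_enough(unix_time: int) -> bool:
    """Same public algorithm, same time, different seeds: different codes.
    Possession of the code base without the seed does not reproduce a
    token's output; a leaked seed database is what would (the thread's point)."""
    other_seed = b"constructed-seed-for-a-different-token"   # constructed value
    return totp(RFC_TEST_SEED, unix_time) != totp(other_seed, unix_time)
```

The verify window is the usual mitigation for token clock drift; a wider window trades a larger set of acceptable codes for fewer false rejections.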