UK resellers of RSA two factor authentication products have complained about a lack of information from RSA regarding a breach of its systems.
Infosec Technologies, which resells RSA SecurID among other two factor authentication products, told ZDNet UK on Friday that it was considering changing its business model because of the breach and a lack of communication from the company.
"We're really concerned, because we don't know what's been breached," said Infosec Technologies managing director Pete Sherwood. "This is really serious. We sell RSA... but now we are having doubts about this strategy."
Sherwood said some of his customers had contacted Infosec Technologies for information, and that he had not been able to advise them. The only contact from RSA had been to confirm his company's RSA customer list, said Sherwood.
One UK reseller, which wanted to remain anonymous, said that it was not aware of having received any information from RSA.
An employee of UK SecurID reseller Metadigm said the company had been kept 'in the dark' about the nature of the breach, aside from what was in the public domain. RSA has submitted an SEC filing, and executive chairman Art Coviello published an open letter about the hack.
Coviello said that "the attack resulted in certain information being extracted from RSA's systems. Some of that information is specifically related to RSA's SecurID two-factor authentication products."
RSA rival SecurEnvoy, which is co-run by ex-RSA employee Andrew Kemshall, said there was a possibility that keys for RSA SecurID tokens called 'seed records' may have been compromised. A seed record is 128 bits of data that RSA links to individual authentication tokens, and uses with an algorithm to generate pass numbers. Should seed records have been exposed to hackers, then SecurID products would only have a four-digit PIN to stop unknown hackers authenticating themselves as users, said Kemshall.
"If the data is seed records, there's a tool called Cain and Abel that allows you to put in the customer record and get the same number as a token," said Kemshall.
RSA had not responded to a request for comment at the time of writing.