I apologize for the cross post, but I believe this encompasses all of the
mailing lists to which the original announcement was sent.
> SecurID Vulnerabilities White-Paper
> Due to increased recent interest that has been witnessed on the net
> about the SecurID token cards and potential vulnerabilities with their
> use, we offer a white paper on some of the vulnerabilities that we believe
> have been witnessed and/or speculated upon.
I appreciate the conclusion of the paper which finally does proclaim that
SecureID (and other one time password tokens) are extremely vulnerable.
The vulnerabilities described seem to be overly esoteric, however.
Unmentioned is perhaps the most serious flaw in one-time password systems:
session hijacking atttacks.
It's trivial for an intruder to monitor the network, waiting for a user
to legitimately authenticate themselves. Once authenticated, the intruder
can hijack that user's connection and assume his credentials. This type of
attack can even be automated. (If you believe hijacking is only a theoretical
attack, see http://www.engarde.com/software/ipwatcher . Versions of our
software have existed for about 4 years, and recently we've begun seeing some
public domain hijacking tools available).
The author does mention the use of combination encrypted sessions and one
time passwords, which seems to be the best solution at present.