NATIONAL CREDIT UNION ADMINISTRATION
1775 Duke Street, Alexandria, VA 22314
Dear Board of Directors:
The National Security Agency (NSA) issued the two enclosed advisories regarding risks presented by RSA SecurID tokens, products of EMC Corp. that were intended as second levels of defense against computer hacking. A recent security breach at RSA may significantly raise the risk exposure of credit unions that rely on such anti-hacking programs.
The advisories recommend that SecurID tokens issued prior to April 2011 be replaced and that additional steps be taken to safeguard the servers that support the RSA authentication process.
The SecurID token generates a one-time passcode as a second form of authentication for users to access online and network systems. This authentication process might have been compromised during a security breach disclosed by RSA on March 18, 2011. The risk of relying on the tokens issued prior to April 2011 as a second form of authentication is greater than originally assessed.
Impacted credit unions should review the enclosed advisories and follow the instructions to replace the SecurID tokens, as necessary. Credit unions should take steps addressed in the advisories to improve the controls over the RSA authentication process.
If you have any questions or concerns, please contact your NCUA Regional Office or State Supervisory Authority.