Yay Yay RSA!
The key point I took away from RSA's communications today is that, while they never say it outright, everything implies their token seed database was taken: token codes are now predictable, and the seeds may be matchable to customers.
They didn't say this clearly, but every risk-mitigation action they suggest points to it. The mitigation steps they give are:
Those glaringly point to the possibility that the only thing protecting clients is their PIN. If someone has a predictable database of token codes, what do they need to attack to gain access? PINs. What are we told to protect to our last breath? The database of PINs on the Authentication Manager servers, and stop Helldesk people blabbing about things users don't need to know. Also, stop Helldesk people resetting PINs for folks. Scenario:
Caller: Hi this is Bob, I can't log into the VPN.
Helldesk: Are you sure you're putting the token code in right? Can I have the serial?
Caller: Sure, serial is 928374
Helldesk: Have you checked Caps Lock, blah blah, Num Lock, etc., yadda yadda
Caller: I know I'm putting the token code in right, can you reset my PIN?
RSA are saying that the data which was copied "cannot directly lead to a compromise, but can lower the effectiveness of current two-factor auth deployments". The only thing that can mean is that those deployments are now effectively one-factor deployments.
Look at the numbers. With a 4-digit PIN and a 6-digit token code, an attacker guessing blind has a 1 in 10,000,000,000 chance per attempt, and each guess also has to land inside the 60-second or so window before the token code changes. An attacker who can compute the token code from the seed is down to a 1 in 10,000 chance per attempt, over a much more manageable timeframe, since they don't have to worry about the code rolling over.
Even if you have token lockouts after a certain number of failed attempts, this also appears to be time-sensitive. In tests, I went 4 or 5 failed attempts past the limit on a test device, then entered my PIN correctly, and it let me in. Two minutes later, my token was locked out. So it seems it does not lock immediately on the 6th failed attempt if you have max failures set to 5. If that's actually the case, then an attacker could try their 10,000 PINs in a very short period of time and perhaps squeak in before they get locked out.
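To make both points concrete, here is an added Python model that is not part of the original post and is not RSA's code: it shows the passcode search space collapsing from PIN times token code to PIN alone once the seed is known, and a lockout that is only applied on a periodic sweep rather than on the first attempt past the limit, which is the behaviour described above. The token code generator is an HMAC-based stand-in (the real SecurID algorithm is proprietary), and the serial, seed, PIN, timestamps, attempt rate and the 120-second sweep interval are all constructed values.

```python
import hashlib
import hmac
import struct

# Constructed example. RSA's SecurID algorithm is proprietary; this HMAC-based
# generator is an assumed stand-in with the same shape: a secret seed plus the
# current 60-second time step yields a short numeric code.
CODE_DIGITS = 6
PIN_DIGITS = 4
TIME_STEP = 60

# Constructed identities and times (not real token data).
SERIAL = "928374"
SEED = b"constructed-seed-928374"
PIN = "4821"
START = 1_300_000_000


def tokencode(seed: bytes, now: int) -> str:
    """Stand-in token code: HMAC(seed, time-step counter) truncated to 6 digits."""
    counter = struct.pack(">Q", now // TIME_STEP)
    digest = hmac.new(seed, counter, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    value = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{value % 10**CODE_DIGITS:0{CODE_DIGITS}d}"


def search_space(seed_known: bool) -> int:
    """Guesses an attacker must cover: PIN x token code blind, PIN alone with the seed."""
    return 10**PIN_DIGITS * (1 if seed_known else 10**CODE_DIGITS)


class AuthServer:
    """Toy authentication manager. Failures are counted at once, but accounts
    are only marked locked when a sweep runs, every `lockout_sweep` seconds.
    A sweep interval of 0 locks on the first attempt past the limit. Failure
    counters are assumed not to reset on success, matching the observation
    that a correct PIN got in and the lock landed two minutes later."""

    def __init__(self, seeds, pins, max_failures=5, lockout_sweep=120):
        self.seeds = seeds            # serial -> seed (the part assumed leaked)
        self.pins = pins              # serial -> PIN (the part that is left)
        self.max_failures = max_failures
        self.lockout_sweep = lockout_sweep
        self.failures = {s: 0 for s in seeds}
        self.locked = set()
        self.last_sweep = 0

    def _apply_lockouts(self, now):
        """Lazily promote failure counts to locks, at most once per sweep interval."""
        if now - self.last_sweep < self.lockout_sweep:
            return
        self.last_sweep = now
        for serial, n in self.failures.items():
            if n > self.max_failures:
                self.locked.add(serial)

    def authenticate(self, serial, passcode, now):
        self._apply_lockouts(now)
        if serial in self.locked:
            return "locked"
        expected = self.pins[serial] + tokencode(self.seeds[serial], now)
        if hmac.compare_digest(passcode, expected):
            return "ok"
        self.failures[serial] += 1
        self._apply_lockouts(now)      # with lockout_sweep=0 this locks immediately
        return "fail"


def brute_force_pin(server, serial, seed, start, attempts_per_second):
    """Attacker holding the seed: the token code is computable for any instant,
    so only the PIN is unknown and rollover is irrelevant. Returns (pin, attempts)."""
    for i in range(10**PIN_DIGITS):
        now = start + i // attempts_per_second
        pin = f"{i:0{PIN_DIGITS}d}"
        result = server.authenticate(serial, pin + tokencode(seed, now), now)
        if result == "ok":
            return pin, i + 1
        if result == "locked":
            return None, i + 1
    return None, 10**PIN_DIGITS


def run_brute_force(lockout_sweep, attempts_per_second=1000):
    server = AuthServer({SERIAL: SEED}, {SERIAL: PIN}, max_failures=5,
                        lockout_sweep=lockout_sweep)
    return brute_force_pin(server, SERIAL, SEED, START, attempts_per_second)


def lockout_timeline(lockout_sweep=120):
    """Six wrong passcodes, then the right one a second later, then the right
    one again two minutes later."""
    server = AuthServer({SERIAL: SEED}, {SERIAL: PIN}, max_failures=5,
                        lockout_sweep=lockout_sweep)
    results = [server.authenticate(SERIAL, "0000000000", START) for _ in range(6)]
    results.append(server.authenticate(SERIAL, PIN + tokencode(SEED, START + 1), START + 1))
    results.append(server.authenticate(SERIAL, PIN + tokencode(SEED, START + 120), START + 120))
    return results


if __name__ == "__main__":
    print("blind search space:", search_space(False), " with seed:", search_space(True))
    print("lazy lockout, 1000 guesses/s:", run_brute_force(120))
    print("immediate lockout:", run_brute_force(0))
    print("timeline with lazy lockout:", lockout_timeline(120))
```

With the lazy sweep the attacker walks the whole 10,000-PIN space in about ten seconds and recovers the PIN before any lock is applied; with the lock enforced on the attempt itself, the same attacker is stopped after six failures. The timeline function reproduces the observed sequence: six failures, a successful login a second later, then "locked" two minutes on.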