Westpac commits to SecurID replacement

Westpac has relented after initially refusing to replace the SecurID tokens used by business banking customers, following RSA’s shock revelation that the hackers who penetrated its firewall in March had since used the data to attempt an attack on Lockheed Martin, a major US government defense contractor.

In a statement made on its Web site following extensive criticism, Westpac confirmed that it was "initiating a token replacement program, as a result of the recent RSA security issue."

Westpac maintains that online banking has not been compromised, but it will replace SecurID tokens over the coming months for business and corporate customers and Westpac employees.

Harry Wendt, General Manager Online and Customer Service Centres said: “Although we do not believe that our customers are at risk from this event, we have initiated a token replacement program to alleviate any residual concern that our customers may have. There will be no expense for Westpac customers for any token replacements as part of this program.”

He added: “The Bank takes online security very seriously and protects customers through a multi-layered security approach, including strong authentication measures as well as fraud detection and analytics managed by a dedicated team of security and fraud experts. This is supported by best of breed security infrastructure to protect our systems and customer information.”

According to a June 6 statement from executive chairman Art Coviello, RSA does not intend to provide universal replacement of SecurID tokens globally.

Instead, it will “offer to replace SecurID tokens for customers with concentrated user bases typically focused on protecting intellectual property and corporate networks.”

According to the Sydney Morning Herald, Australia’s Department of Parliamentary Services, Department of Defence and the Tax office are all arranging replacements of their SecurID tokens from RSA.

The New York Times has reported that major US banks and technology companies are rushing to accept RSA Security’s offer to replace their SecurID tokens.

The random number generated by the SecurID tokens is one element of a four-factor authentication process on the Web; you also need to know where to go with your browser, plus your username and password.

Rob McAdam, chief executive of Australian security specialist Pure Hacking, said even though the tokens were only one part of the Westpac authentication platform, the company should be replacing them.

“If a customer such as Westpac has purchased the RSA product to provide a key part of its security platform, once that product has been compromised it should be replaced. If you are a customer of the bank you should be insisting on a replacement.”