Westpac has become the third bank to dump compromised RSA SecurID tokens used by staff and corporate customers.
It follows confirmation from RSA that its two-factor authentication tokens were compromised in a complex attack on its network in March.
Westpac's announcement comes hours after ANZ Bank said it would replace its fleet of SecurID tokens.
SC Magazine Australia understands Perth-based Bank West has also begun replacing its compromised SecurID tokens.
In a statement sent to SC Magazine today Westpac said "although the security of customers’ online banking has not been compromised, Westpac will replace tokens over the coming months to ease any customer concerns."
Those concerns would have intensified after three major US defence contractors were hacked in attacks linked to the compromised SecurID tokens.
Westpac online and customer service head, Harry Wendt, said the bank does not consider the tokens a risk.
"Although we do not believe that our customers are at risk from this event, we have initiated a token replacement program to alleviate any residual concern that our customers may have."
St. George and BankSA customers do not use RSA Secure ID tokens.
Not dead yet?
RSA continues to defend its two-factor authentication system despite the growing number of banks and government agencies turning away from it.
“Lets be clear, two-factor authentication is not dead,” said Andy Solterbeck, general manager at RSA, Australia and New Zealand at the EMC Inform conference today.
“It just has to be part of a multi-layered defence.”
Solterbeck said banks should consider investing further into the RSA stack, with technologies he describes as “risk-based automation”.
RSA said it would partner closely with banks and other organisations with critical infrastructure to glean intelligence about typical use of their networks and applications, such that the security vendor can accurately assess the risks of any given transaction.
Calculating this risk would depend on such factors as the IP address the transaction originates from, IP and MAC addresses and other user credentials.