Always wondered when...
... this was going to happen with SecurID. It's all because of their greed in wanting to remain part of the authentication chain.
Ideally, an authenticator distributor would manufacture the device, program it, copy the programmed code to a disk for the customer (or print it out), and then immediately delete it, so it's never recoverable again. SecurID does a great job of making the fobs themselves write-only; the programming contacts are buried in plastic, with anti-tamper contacts embedded in the plastic while it's still liquid, so that if you ever try to expose the chip again, it destroys itself. Tried it a couple times with a Dremel and really fine bits - no matter how delicate, you can't get enough plastic off without resetting the chip. Compared to all the other fobs I've played with, RSA's are the best designed. Vasco's is nicely solid as well, but not quite up to RSA's standard. The good thing about Vasco is that they don't hide their algorithm.
But, instead of doing the job RIGHT, RSA did it lucratively. They keep the programming data, and act (at least for some companies) as the authenticating party. Thus, if they get ripped off like this, it's not just one company that is hosed, it's every company they service. I imagine that they are sending out thousands and thousands of new fobs in a panic - the cost of that, and liability for anything lost from the breach before they're replaced, will probably wipe out every extra cent they made from doing this part themselves. BIG mistake.
Token cards are a fantastic second factor. But you can't mishandle the key material, or you've made the whole system worse than useless.