Security researcher Bernhard Mueller states that mobile applications that create tokens for two-factor authentication can be hacked and cloned by malware.
The security expert Bernhard Mueller has published a detailed report on compromising software token generators on mobile devices that are used for two-factor authentication (usually a password or a pin). The software token generators are replacing the dedicated hardwares, by the time obsolete.
The software generators are becoming the standard via mobile, but they are vulnerable to all types of threats that a smartphone may experience – Trojan attacks, misuse, and malware. An attacker with root access can copy the secret token data from infected devices and use it to copy the victim token.
Compromising the security features is possible, says the researcher. Mueller demonstrated a proof of concept attack against the RSA SecurID system via code injection tactics.
A detailed Sandbox setup is showcased using some of the most popular Android devices. A Successful demonstration has been made using system tracing and some custom code that allowed the researcher to clone the security token generated by RSA SecurID, VASCO DigiPass and Vasco MyBank.
For Muelller, the conclusion is that a perfect security system is not possible, but for us the perfect security could be.
Thanks to the strong competence in behavioral and biometric analysis, with our product MORE® we are able to know if a transaction was securely executed and if the users really are who they say they are, providing stronger identification of advanced cyber attacks.