Security researcher Bernhard Mueller states that mobile applications that create tokens for two-factor authentication can be hacked and cloned by malware.

Mobile Two-Factor Authentication May No Longer Be the Gold Standard in Security Policies

The security expert Bernhand Mueller has published a detailed report on compromising software token generators on mobile devices that are used for two-factor authentication. This method utilizes user authentication to a secure system by using two different components, usually a password or a pin. As the dedicated hardware token generators are becoming obsolete, the software replacements are becoming the standard via mobile applications for the popular smartphone operating systems.

As the generators are standard mobile apps, they are vulnerable to all types of threats that a smartphone may experience – Trojan attacks, misuse, and malware. An attacker with root access can copy the secret token data from infected devices and use it to copy the victim token.

The majority of mobile token vendors employ protection mechanisms that include obfuscation, anti-tampering measures, and cryptography, however not all methods offer the best security.

The security researcher noted that compromising the security features is possible. Mueller demonstrated a proof of concept attack against the RSA SecurID system via code injection tactics. The malicious attacks published in the report showcase key weaknesses in some security systems.

A detailed Sandbox setup is showcased using some of the most popular Android devices. A Successful demonstration has been made using system tracing and some custom code that allowed the researcher to clone the security token generated by RSA SecurID, VASCO DigiPass and Vasco MyBank.

In the paper, official comments from the vendor are also available. The conclusion is that a perfect security system is not possible. Currently, there are no mechanisms that can efficiently prevent attackers with white box access to gain entry into some of the functions used in reproducing the revealed steps.

The best defense against the shown attacks is to secure the mobile token generator with a strong PIN. Using good security measures and defense against malware such as rootkits and Trojans is essential when working with two-factor authentication tokens. You can download the paper and read it for further details.