Mobile apps that generate on-screen tokens for two-factor authentication can be examined and cloned by malware, a security researcher warns.

Fraudsters and crooks can take these clones and generate the codes necessary to log in to bank accounts and other online services as their victims.

Banks are increasingly relying on these soft tokens to authenticate users, but the smartphone-based technology introduces new risk compared to traditional hardware tokens. The effort required to create a cloning tool depends on the quality of an app's reverse-engineering defenses, according to security researcher Bernhard Mueller, director of Vantage Point Security.

Hacking widely used versions of mobile two-factor authentication (2FA) technology is far from easy, but nonetheless possible for a skilled and resourceful attacker.

“Cloning Vasco Digipass was a large effort (~7 weeks) and in my opinion their defenses are actually quite good,” Mueller told El Reg. “The tool for RSA SecurID took only two weeks to develop. RSA’s official stance is that they don’t recommend using rooted devices, so they have only a few additional defenses.”

RSA is yet to respond to a request from El Reg to comment on the research. Vasco said the weaknesses highlighted by Mueller only apply to its demonstration apps, namely Digipass for Mobile demo and MyBank, which are not protected in the same way as production apps.

“The attack that this paper describes is only an attack against our demo application,” said John Gunn, vice president of corporate communications at Vasco Data Security. “There is a significant difference between a demo app and the real world,” he added.

The official response from both vendors is included in a paper [PDF, 68 pages] entitled Hacking Mobile Tokens, written by Mueller and presented at the recent Hack In The Box conference in Singapore. The security researcher, who developed proof-of-concept tools and slides as part of his research, concludes that the work illustrates that almost anything is hackable, given enough time and resources.

Perfect obfuscation is impossible. There is no way to prevent an adversary with white-box access to some function from eventually comprehending and reproducing that function. Mobile tokens are no exception to that rule, so users should be aware that no amount of software protection will truly shield their 2FA credentials from adversaries with root-level access; obfuscation only raises the attacker's cost, as the seven-week versus two-week figures above show.

The security researcher recommends various mitigation strategies based on his research.

“Enterprises and private users should be warned to always activate PIN mode when using these products,” Mueller told El Reg. ®
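To make the white-box point and the PIN-mode advice above concrete, here is an added example that is not from Mueller's paper or tools and not from either vendor's product. It models a soft token with standard HOTP/TOTP (RFC 4226/6238) in place of the vendors' proprietary algorithms, and the function names, the seed (the RFC 4226 test key), the salt and the three PIN-handling schemes are assumptions chosen for illustration. It shows why a copied seed yields a clone indistinguishable from the original whatever obfuscation sits in front of it, why a PIN that only gates access locally changes nothing for a root-level attacker, and why a PIN folded into the key material at least forces every guess to be tested against the server.

```python
import hashlib
import hmac
import struct

# Constructed sample values, not a real vendor seed: the 20-byte seed is the
# RFC 4226 test key, so the codes can be checked against the RFC's vectors.
SEED = b"12345678901234567890"
SALT = b"constructed-salt"  # assumption: per-enrolment salt stored on the device


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then
    dynamic truncation to a 31-bit integer reduced modulo 10**digits."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"


def totp(key: bytes, unix_time: int, step: int = 30) -> str:
    """RFC 6238 TOTP: HOTP over the current 30-second time step."""
    return hotp(key, unix_time // step)


# Model 1 (assumed): no PIN mode, the app stores the raw seed on the device.
def clone_no_pin(device_storage: bytes, unix_time: int) -> str:
    """Root-level attacker copies the stored seed. Reverse engineering only
    has to recover the algorithm once; afterwards the clone is a perfect
    replica and produces exactly the codes the server expects."""
    return totp(device_storage, unix_time)


# Model 2 (assumed): the PIN is a local gate. The app compares a PIN hash
# before using the seed, but the seed itself is still stored in the clear.
def clone_pin_gate(device_storage: dict, unix_time: int) -> str:
    """The clone simply skips the comparison; pin_hash is never consulted."""
    return totp(device_storage["seed"], unix_time)


# Model 3 (assumed): the PIN is key material. The device stores
# seed XOR KDF(pin). Nothing on the device reveals whether a PIN is right:
# a wrong PIN yields a well-formed but wrong code, so PIN guesses can only
# be verified against the server, which can rate-limit and lock out.
def kdf(pin: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), SALT, 10_000, dklen=len(SEED))


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def enroll_pin_mode(seed: bytes, pin: str) -> bytes:
    """What ends up on the device: the seed masked with the PIN-derived key."""
    return xor(seed, kdf(pin))


def generate_pin_mode(device_storage: bytes, pin: str, unix_time: int) -> str:
    """Legitimate user, or a clone, supplies a PIN to unmask the seed."""
    return totp(xor(device_storage, kdf(pin)), unix_time)


def demo(unix_time: int = 59, pin: str = "4711") -> dict:
    """Compare what each storage model lets a root-level attacker produce
    for one time step against the code the server computes."""
    blob = enroll_pin_mode(SEED, pin)
    gated = {"pin_hash": hashlib.sha256(pin.encode()).hexdigest(), "seed": SEED}
    return {
        "server": totp(SEED, unix_time),
        "clone_no_pin": clone_no_pin(SEED, unix_time),
        "clone_pin_gate": clone_pin_gate(gated, unix_time),
        "clone_pin_mode_right_pin": generate_pin_mode(blob, pin, unix_time),
        "clone_pin_mode_wrong_pin": generate_pin_mode(blob, "0000", unix_time),
    }


if __name__ == "__main__":
    for name, code in demo().items():
        print(f"{name:26s} {code}")
```

With the RFC test seed and unix time 59 the server code is 287082, and models 1 and 2 reproduce it from a copied device image alone. Model 3 only reproduces it when the clone also knows the PIN; with a wrong PIN it still emits a six-digit code, which is the property that matters, because the attacker gets no local oracle and each guess costs a login attempt the back end can count. PIN mode therefore does not make cloning impossible (a keylogging component on the same rooted device can still capture the PIN), but it turns a silent offline clone into an online guessing attack the server can detect.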