Anywhere Computing Makes 2FA Insecure On iOS and Android

An anonymous reader writes: Academics from the VU University Amsterdam have identified a new class of vulnerabilities to two-factor authentication, commonly used to protect transactions involving financial and private information. The vulnerability leaves users of both Android and Apple mobile devices open to the theft of personal information by hackers. The researchers note the text (PDF). While anywhere computing is generally considered to be a good thing, the research claims that integration across multiple platforms essentially removes the gap between those platforms, and it is that gap that is required to make two-factor authentication secure. Without a gap between devices, a common hack called the man-in-the-browser attack can be elevated to intercept the one-time password generated for two-factor authentication, thereby rendering two-factor authentication useless.

This isn't new..

I heard two stories just recently about people abusing 2FA. One guy was a contractor, who sub-contracted all of his work (for multiple employers at once!) to programmers in China.. he had mailed his RSA key to them so they could log into the VPN on his behalf and do his work. Funny thing is, they did quality work apparently, and the guy was winning awards for high productivity/quality in the companies he contracted for...

Another story related how someone had just set up a webcam, again, pointing at an RSA token, so they could log in from anywhere. Hope their webcam was secure from 3rd party eyes! (not likely).

Unless the 2FA is grafted into one's body and somehow detects duress too, it'll be susceptible to unauthorized use, just like anything else. It's really about estimating acceptable risk -- everything's hackable.