Comment: Reason not to use mobiles for authentication. (Score 1) 97

by Mattpw (#37586308) Attached to: Security Vulnerabilities On HTC Android Devices
The security community needs to stop pushing mobile-based token authentication. There is no reason why mobile OSes should get some kind of protected status versus their notebook counterparts. In my neck of the woods bad guys just forward all a victim's calls for a few hours anyway, regardless of OS, but clearly the trojan writers can make the USB jump to the user's phone (EU charging mandate now) and carry on the same old tricks.

Comment: Re:No information about cracking the encryption (Score 1) 83

by Mattpw (#37581028) Attached to: The Inside Story of the Kelihos Takedown
Thanks so much for the reply; I am relatively clueless about the nuts and bolts. So from what you are saying they are using a sync crypto scheme where the password can be intercepted? I read in a bot master Q&A they use AES, however why couldn't they just switch to async RSA or some kind of PKI-based system?

Comment: No information about cracking the encryption (Score 1) 83

by Mattpw (#37563856) Attached to: The Inside Story of the Kelihos Takedown
I see they made some tools to analyze the traffic but no information about actually cracking any encryption. Seems to me this was mostly about hijacking and sinkholing contact peer domain lists. Perhaps they left out pertinent bits for their own safety, but from reading this the controllers could bypass the sinkhole if their backup list was implemented correctly.

Comment: Marketing departments with too much money (Score 1) 131

by Mattpw (#37437658) Attached to: The Saga of the Virtual Wallet
I've been to several conferences where companies are rolling out the phone as a payment platform. It's a scam designed to get gullible journalists interested and either boost company exposure, dupe investors into buying shares or prove that X manager is being "innovative". Some are literally RFID credit-card SIM cards sticky-taped onto the back of a mobile, I kid you not. The reality is that everyone has a physical wallet/purse and that isn't going away any time soon. Also there are many things in that wallet which cannot be replaced by a mobile phone. Also, are these the same journalists who write the "New Android Malware" articles which come out every week?

Comment: Flee to Singapore (Score 1) 235

by Mattpw (#37427464) Attached to: Startup Flees To Seattle Amid Amazon's Tax Fight
If they were really serious they would have fled to Singapore (http://en.wikipedia.org/wiki/Income_tax_in_Singapore): income tax 0% to a maximum of 20%, GST 7%, corporate taxes almost non-existent. I laugh when I see the online "raise US taxes" brigade. And a committed, well-educated workforce. What's more, Singapore is booming like most of East Asia, so the real market is just next door. The only thing is they don't have an open-door immigration policy like America, so getting in the front door could be hard, but life is good and if you are in there is zero chance you will become a victim of crime.

Comment: Re:Time for 2FA authentication to be rolled out ov (Score 1) 642

by Mattpw (#36494344) Attached to: Bitcoin Price Crashes
I'm not sure you have looked into https://www.shieldpass.com/, which is using the PassWindow mutual authentication method, not just the OTPs used by SecurID. I agree the RSA one-time passwords are "over", being completely vulnerable to various MITM attacks including phishing etc., as the codes give the user no information about what exactly is being authenticated. This is the same problem with many tokens etc., where an attacker can inject themselves at various points on the network, the mobile or the terminal itself with a trojan. *It should be noted, however, in RSA's defense that in this particular case you refer to it wasn't any of these usual methods they used to defeat the tokens but the fact they didn't air-gap the machine holding the secret keys.

If you watch the demo video you can see that the transaction-specific information (i.e. it could be something bitcoin-specific) is encoded into the challenge alongside the OTP, so the user is informed as to what they are authenticating and the MITM fails. They can't switch challenges and they can't remove the transaction information from the challenge. Being a key that is not humanly communicable (the visual segmented pattern), they can't easily interrogate the user for key information either.

It's not perfect; for that we would need the server to be able to scan your soul. However, it's cheap, convenient and more secure than the alternatives, unless you have a better suggestion.
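The property the comment above relies on, a challenge that carries the transaction details so a relaying attacker can neither swap the transaction nor strip the details from the challenge, can be shown with a generic keyed-MAC construction. The block below is an added example, not code from the original post and not ShieldPass's or PassWindow's own scheme (their method conveys the challenge as a visual pattern rather than an HMAC); the shared secret, the transaction fields and every function name are assumptions made for the demonstration.

```python
import hashlib
import hmac
import json
import secrets
from typing import Optional

# Constructed demo secret shared between the server and the user's authenticator.
# Assumption for this example only; a real deployment provisions one per user.
SHARED_SECRET = b"demo-shared-secret-do-not-use"


def _tag(secret: bytes, label: bytes, nonce: bytes, tx: dict) -> str:
    """HMAC-SHA256 over a fixed label, the nonce and a canonical encoding of the transaction.
    The label separates challenge tags from response tags so one can never be replayed as the other."""
    canonical = json.dumps(tx, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(secret, label + b"|" + nonce + b"|" + canonical, hashlib.sha256).hexdigest()


def issue_challenge(secret: bytes, tx: dict, nonce: Optional[bytes] = None) -> dict:
    """Server side: bind the pending transaction into the challenge the user will see."""
    nonce = nonce if nonce is not None else secrets.token_bytes(16)
    return {"nonce": nonce.hex(), "tx": tx, "tag": _tag(secret, b"challenge", nonce, tx)}


def authenticator_decode(secret: bytes, challenge: dict) -> Optional[dict]:
    """User's side: accept the challenge only if its tag matches the transaction it carries.
    Returns the transaction to display to the user, or None if the challenge was tampered with."""
    nonce = bytes.fromhex(challenge["nonce"])
    expected = _tag(secret, b"challenge", nonce, challenge["tx"])
    if not hmac.compare_digest(expected, challenge["tag"]):
        return None
    return challenge["tx"]


def authenticator_respond(secret: bytes, challenge: dict, approved_tx: dict) -> str:
    """User's side: the response is computed over what the user actually saw and approved."""
    nonce = bytes.fromhex(challenge["nonce"])
    return _tag(secret, b"response", nonce, approved_tx)


def server_verify(secret: bytes, challenge: dict, tx_to_execute: dict, response: str) -> bool:
    """Server side: execute only if the response binds to the exact transaction being executed."""
    nonce = bytes.fromhex(challenge["nonce"])
    expected = _tag(secret, b"response", nonce, tx_to_execute)
    return hmac.compare_digest(expected, response)


def demo() -> dict:
    """Run the honest flow and the two relay manipulations the comment describes."""
    genuine = {"to": "alice-wallet", "amount": "0.5 BTC"}   # constructed sample transaction
    swapped = {"to": "attacker-wallet", "amount": "0.5 BTC"}  # what a relaying attacker wants executed
    chal = issue_challenge(SHARED_SECRET, genuine, nonce=b"\x01" * 16)  # fixed nonce for reproducibility

    # Honest path: the user sees the genuine transaction and approves it.
    shown = authenticator_decode(SHARED_SECRET, chal)
    resp = authenticator_respond(SHARED_SECRET, chal, shown)
    honest_ok = server_verify(SHARED_SECRET, chal, genuine, resp)

    # Manipulation 1: relay the genuine challenge and response unchanged but submit a
    # different transaction for execution. The response does not verify for it.
    mitm_swap_ok = server_verify(SHARED_SECRET, chal, swapped, resp)

    # Manipulation 2: rewrite the transaction inside the challenge before the user sees it.
    # The authenticator rejects the challenge because the tag no longer matches.
    # (An attacker who instead requests a fresh challenge for the swapped transaction
    # just shows the user "attacker-wallet", which is exactly what the binding is for.)
    tampered = dict(chal, tx=swapped)
    tampered_shown = authenticator_decode(SHARED_SECRET, tampered)

    return {
        "user_sees_genuine": shown,
        "honest_ok": honest_ok,
        "mitm_swap_ok": mitm_swap_ok,
        "tampered_shown": tampered_shown,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The point of the construction is that both the challenge and the response are MACs over the transaction itself, so the only transaction the server will execute is the one the user's authenticator displayed and the user approved; an attacker sitting between browser and bank can relay, but relaying gives them nothing they can redirect.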

Comment: Time for 2FA authentication to be rolled out over (Score 1) 642

by Mattpw (#36493796) Attached to: Bitcoin Price Crashes
Time for 2FA authentication to be rolled out over bitcoin operators. The anonymity element makes it a huge, juicy target for hackers; they need to start connecting it to something physically offline. I am working on a bitcoin wallet for shieldpass.com access tokens and then mutually authenticating each transaction.

Comment: Re:One-time pads bypassed by Zeus and Spyeye (Score 1) 284

by Mattpw (#36384616) Attached to: Court Rules Passwords+Secret Questions=Secure eBanking
The topic is online banking authentication, so your points are mostly off topic.
- It could easily be configured for use with email, ssh, imap, ldap, radius, etc.
- The number of digits required from the user is configurable to any amount; it is a rolling password, so while the demo requires 4 it could be 20. The same goes for the amount of transaction information encoded into challenges.
Even though it's off topic, I'll bite:
- I don't buy the argument that your phone screen is more personal than any other screen. If ninjas are in your house / office taking secret snapshots, then the same kind of photographic attack or other cloning / switching of devices etc. could be done against almost any device / terminal display / set of keys, and you have bigger problems; that proximity attack argument could go on forever, ending in a rubber hose. For what it's worth, the visual key patterns can be obfuscated with transflective laminates etc. very cheaply, or for a few bucks extra could be electrochromic like any device, but the cost justification just isn't there when a piece of plastic only costs a few cents and it is designed for online authentication. Personal attacks are beyond the scope, and frankly, with the developments in remote electronic scanning, I feel more secure about these non-electronic cards than my RFID cards. For online authentication it solves the MITM attack problem and does it extremely cheaply.

Comment: One-time pads bypassed by Zeus and Spyeye (Score 2) 284

by Mattpw (#36384106) Attached to: Court Rules Passwords+Secret Questions=Secure eBanking
Banks resist the idea because all the major trojans wreaking havoc have MITM / MITB capabilities to bypass the tokens and mobile SMS in one way or another, as well as cost issues. The 2 European banks in the following article were using transaction-signing tokens: http://slashdot.org/story/10/07/25/1954216/Online-Banking-Trojan-Stole-Money-From-Belgians and mobile SMS trojans have been around for a while now: http://securityblog.s21sec.com/2010/09/zeus-mitmo-man-in-mobile-i.html You might want to investigate https://www.shieldpass.com/ online authentication cards, which are cheap and can do mutual authentication passively. For example, specific transaction information can be included in the challenges to stop MITM, and the process is passive or visual, so the trojans or phishers can't walk a target through a transaction as they did with the first link.
