'possible for a skilled and resourceful attacker'.
Would that be a skilled and resourceful attacker whose salary comes from the taxpayer of the respective country his security service employer resides within?
Mobile apps that generate on-screen tokens for two-factor authentication can be examined and cloned by malware, a security researcher warns. Fraudsters and crooks can take these clones and generate the codes necessary to log in to bank accounts and other online services as their victims. Banks are increasingly relying on …
I've always feared this could happen once your tokens start living in a device that can potentially have its entire contents dumped. By the way, some entities that shall remain unnamed do indeed activate PIN mode, but they restrict said PIN to a 4-digit code. This, coupled with the "parity" check, means that you can quickly narrow down to a few possible PIN candidates and just try those ones until you hit the right one.
And that's assuming they didn't nab your PIN as well by pulling off those nifty phishing app tricks.
I'll keep my physical tokens, thank you very much.