The problem is that the same hacking script can first request a form page and read the correct FTAN from the returned data. Next it uses the valid FTAN for its hacking attempt.
That's not entirely true.
- As those static tokens (TAN/FTAN) tend to have a timeout (normally about half an hour), the attack needs to be run pretty close after the last logged action. Plus the guy has to click on your malicious link within this time.
- A token is normally based on the username or session id, so it's impossible to get that token in advance, as you need to be logged in with the right username. So at least you have to trick the user into doing something silly twice.
- It's pretty easy to add the URL (or maybe a form name) to the generation process of your token; that way one token will only be valid for just one form.
Static tokens are not completely insecure, and it's pretty hard to exploit them with an automated script, but if you aim to hack a specific site it's still a relatively easy-to-exploit option.
Multiple browsers are no issue. They will have different sessions. The whole problem is session related.
Most (all I know of) secure session scripts only allow accessing the site from one browser at a time.
That way attackers that somehow capture the session cookie still have to get the exact browser fingerprint. (And there is only one chance to guess, as the session is logged off if there is a security breach.)
So it's impossible to access a site from 2 browsers at the same time, as every time you change your browser you get logged off.
Some scripts even add an additional cookie-based token that changes on every action. So if you change your browser you get logged off again.
Disabling is easy (just let the functions always return true), but it's no solution. It's so incredibly easy to exploit those security holes that it's almost like a miracle no one has already written an exploit.
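As an added example (not code from this thread or any script the poster refers to), here is how the token properties listed above can be combined: the token is an HMAC over the session id, the form name and an issue time, so it is only valid for one session, one form and about half an hour. The server secret, TTL and form names are assumptions.

```python
import hmac
import hashlib
import time
from typing import Optional

# Assumed server-side secret; a real deployment loads it from configuration.
SERVER_SECRET = b"example-server-secret-not-for-production"
TOKEN_TTL_SECONDS = 30 * 60  # the "about half an hour" timeout from the post


def _mac(session_id: str, form_name: str, issued_at: int) -> str:
    """HMAC-SHA256 binding the token to a session, a form and an issue time."""
    msg = f"{session_id}|{form_name}|{issued_at}".encode()
    return hmac.new(SERVER_SECRET, msg, hashlib.sha256).hexdigest()


def issue_token(session_id: str, form_name: str, now: Optional[int] = None) -> str:
    """Return '<issued_at>.<hmac>' for the given session and form.

    The timestamp is public; the HMAC keeps it from being altered.
    """
    issued_at = int(time.time()) if now is None else now
    return f"{issued_at}.{_mac(session_id, form_name, issued_at)}"


def verify_token(token: str, session_id: str, form_name: str,
                 now: Optional[int] = None) -> bool:
    """Accept only an unexpired token whose MAC matches this session and form.

    A token read from another session, or issued for a different form,
    fails here even though it was a genuine token at the time it was issued.
    """
    now = int(time.time()) if now is None else now
    try:
        ts_str, mac = token.split(".", 1)
        issued_at = int(ts_str)
    except ValueError:  # malformed token
        return False
    if issued_at > now or now - issued_at > TOKEN_TTL_SECONDS:
        return False  # from the future, or older than the timeout
    expected = _mac(session_id, form_name, issued_at)
    return hmac.compare_digest(expected, mac)  # constant-time comparison
```

The form name can be replaced by the request URL if one token per page is preferred, as the post suggests.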