Researcher Expresses Concerns Over iOS 12’s New Security Code Auto-fill Feature
Will Strafach has some doubts about Gutmann’s thoughts:
With iOS 12 and macOS Mojave, Apple has introduced a new security code auto-fill feature that makes two-factor authentication codes sent via SMS easier to manage. A security researcher, however, has published a new piece detailing some potential fraud concerns with the feature.
In our initial coverage of the feature, we noted that SMS two-factor isn’t the most secure form of two-factor authentication. Now, Andreas Gutmann, a researcher at OneSpan’s Cambridge Innovation Centre, dives deeper into the security concerns that come with Apple’s new auto-fill feature.
Security Code AutoFill is a new feature for iPhones in iOS 12. It is supposed to improve the usability of two-factor authentication, but could expose users to online banking fraud by removing the human validation aspect of the transaction signing/authentication process.
The human validation process, Gutmann explains, is an important aspect of two-factor authentication. Without it, a user could be more susceptible to “man-in-the-middle, phishing, or other social engineering attacks.”
Gutmann goes on to write that the feature could spell trouble for transaction authentication in relation to banking:
Transaction authentication, as opposed to user authentication, attests to the correctness of the intention of an action rather than just the identity of a user. It is most widely known in online banking, and in particular as a way to meet the EU’s Revised Payment Services Directive (PSD2) requirement for dynamic linking, where it is an essential tool to defend against sophisticated attacks.
The fact that a user verifies this salient information is precisely what provides the security benefit. Removing that from the process renders it ineffective. Examples in which Security Code AutoFill could pose a risk to online banking security include a Man-in-the-Middle attack on the user accessing online banking from Safari on their MacBook, injecting the required input field tag if necessary, or where a malicious website or app accesses the bank’s legitimate online banking service.
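To make the dynamic-linking point concrete, here is an added example (not Apple's, OneSpan's or any bank's code; the secret, payee names and message format are constructed placeholders). The code is bound to the transaction details the bank actually received, so it verifies for those details and no others; the only thing that catches a tampered payee or amount is the user reading the SMS text, which is the step auto-fill skips.

```python
import hmac
import hashlib
import struct

# Constructed demo secret shared between bank and customer device; placeholder only.
SECRET = b"demo-shared-secret-for-this-customer"


def transaction_code(secret: bytes, payee: str, amount_cents: int,
                     counter: int, digits: int = 6) -> str:
    """Dynamic-linking style code: HMAC over the exact transaction details and a
    per-transaction counter, truncated to decimal digits in the HOTP (RFC 4226) way."""
    msg = f"{payee}|{amount_cents}|{counter}".encode()
    mac = hmac.new(secret, msg, hashlib.sha256).digest()
    offset = mac[-1] & 0x0F                      # dynamic truncation offset
    bin_code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{bin_code % (10 ** digits):0{digits}d}"


def sms_text(payee: str, amount_cents: int, counter: int) -> str:
    """What the bank sends: the code plus the salient details the user must read."""
    code = transaction_code(SECRET, payee, amount_cents, counter)
    return (f"Your code {code} authorises payment of EUR {amount_cents / 100:.2f} "
            f"to {payee}. Never share it.")


def bank_verifies(submitted_code: str, payee: str, amount_cents: int, counter: int) -> bool:
    """Server-side check: the code only matches the details the bank is about to execute."""
    expected = transaction_code(SECRET, payee, amount_cents, counter)
    return hmac.compare_digest(submitted_code, expected)


def human_checks(sms: str, intended_payee: str, intended_amount_cents: int) -> bool:
    """The human validation step auto-fill removes: does the SMS describe what I meant?"""
    return (intended_payee in sms
            and f"EUR {intended_amount_cents / 100:.2f}" in sms)


if __name__ == "__main__":
    # Constructed scenario: user intends EUR 50.00 to Alice; the bank received a
    # request for EUR 5000.00 to Mallory (e.g. via a man-in-the-middle on the session).
    sms = sms_text("Mallory", 500000, 1)
    code = transaction_code(SECRET, "Mallory", 500000, 1)
    print("bank accepts code for the transaction it received:",
          bank_verifies(code, "Mallory", 500000, 1))          # True
    print("same code accepted for Alice/50.00:",
          bank_verifies(code, "Alice", 5000, 1))              # False: dynamic linking holds
    print("user reading the SMS would approve:",
          human_checks(sms, "Alice", 5000))                   # False: the human check catches it
```

Auto-fill pastes the code from the SMS straight into the form, so `bank_verifies` returns True for the tampered transaction while `human_checks`, the only control that notices the changed payee, is never performed.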