Researcher expresses concerns over iOS 12’s new security code auto-fill feature

With iOS 12 and macOS Mojave, Apple has introduced a new security code auto-fill feature that makes two-factor authentication codes sent via SMS easier to manage.

A security researcher, however, has published a new piece detailing some potential fraud concerns with the feature.

In our initial coverage of the feature, we noted that SMS two-factor isn’t the most secure form of two-factor authentication.

Now, Andreas Gutmann, a researcher at OneSpan’s Cambridge Innovation Centre, dives deeper into the security concerns that come with Apple’s new auto-fill feature.

Security Code AutoFill is a new feature for iPhones in iOS 12.

It is supposed to improve the usability of two-factor authentication but could expose users to online banking fraud by removing the human validation aspect of the transaction signing/authentication process.

The human validation process, Gutmann explains, is an important aspect of two-factor authentication.

Without it, a user could be more susceptible to “man-in-the-middle, phishing, or other social engineering attacks.”

Gutmann goes on to write that the feature could spell trouble for transaction authentication in relation to banking:

Transaction authentication, as opposed to user authentication, attests to the correctness of the intention of an action rather than just the identity of a user.

It is most widely known in online banking, and in particular as a way to meet the EU’s Revised Payment Services Directive (PSD2) requirement for dynamic linking, where it is an essential tool to defend against sophisticated attacks.

The fact that a user verifies this salient information is precisely what provides the security benefit. Removing that from the process renders it ineffective.

Examples in which Security Code AutoFill could pose a risk to online banking security include a Man-in-the-Middle attack on the user accessing online banking from Safari on their MacBook, injecting the required input field tag if necessary, or where a malicious website or app accesses the bank’s legitimate online banking service.
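To make the dynamic-linking argument above concrete, here is an added illustration that is not from the article or from Gutmann's post: a hypothetical transaction-bound code scheme, a constructed bank SMS, a model of what autofill surfaces (only the digits), and the human check that compares the SMS details against what the user intended. All names, the SMS wording and the key are constructed for this example.

```python
import hashlib
import hmac
import re
from typing import Optional

# Constructed demo key; a real bank keeps this server-side and never transmits it.
BANK_KEY = b"constructed-demo-key-not-a-real-secret"
# Wording of the bank's SMS is constructed for this example.
SMS_RE = re.compile(r"Confirm payment of (?P<amount>.+?) to (?P<payee>.+?)\. Your code is (?P<code>\d{6})\.")

def dynamic_link_code(key: bytes, amount: str, payee: str, txn_id: str) -> str:
    """6-digit code bound to the transaction details (hypothetical dynamic-linking scheme)."""
    digest = hmac.new(key, f"{amount}|{payee}|{txn_id}".encode(), hashlib.sha256).digest()
    return f"{int.from_bytes(digest[:4], 'big') % 1_000_000:06d}"

def bank_sms(amount: str, payee: str, code: str) -> str:
    return f"Confirm payment of {amount} to {payee}. Your code is {code}."

def autofill_extract(sms: str) -> Optional[str]:
    """Model of code autofill: only the digit sequence is surfaced, not the amount or payee."""
    match = re.search(r"\b(\d{6})\b", sms)
    return match.group(1) if match else None

def user_verifies(sms: str, intended_amount: str, intended_payee: str) -> bool:
    """The human validation step: the SMS must name exactly what the user meant to pay."""
    m = SMS_RE.fullmatch(sms)
    return bool(m) and (m["amount"], m["payee"]) == (intended_amount, intended_payee)

def bank_verifies(key: bytes, amount: str, payee: str, txn_id: str, submitted: str) -> bool:
    """Server-side check against the transaction details the bank actually received."""
    return hmac.compare_digest(dynamic_link_code(key, amount, payee, txn_id), submitted)

def scenario(intended: tuple, received: tuple, txn_id: str = "T-0001") -> dict:
    """intended = what the user meant; received = what reached the bank (possibly altered
    in transit). The code is linked to the received details, so only the human check differs."""
    amount, payee = received
    sms = bank_sms(amount, payee, dynamic_link_code(BANK_KEY, amount, payee, txn_id))
    code = autofill_extract(sms)
    return {
        "autofilled_code": code,
        "bank_accepts": bank_verifies(BANK_KEY, amount, payee, txn_id, code or ""),
        "user_check_passes": user_verifies(sms, *intended),
    }

if __name__ == "__main__":
    honest = ("EUR 50.00", "ACME Ltd")
    print(scenario(honest, honest))
    print(scenario(honest, ("EUR 5000.00", "Other Payee")))
```

In the altered case the bank still accepts the code, because the code is correctly linked to the details the bank received; the only check that fails is the human comparison, which is the step autofill invites the user to skip.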