When iOS 12 and macOS Mojave ship later this year, both operating systems will automatically detect these codes in incoming messages, pre-populating the required fields inside apps and web sites in order to prevent users from having to do it manually.
While this feature is likely to be very well received by users, one security research is urging caution, suggesting this may open some users up to fraud. Andreas Gutmann, a researcher at OneSpan’s Cambridge Innovation Centre has taken a deep look at the new system that Apple is putting in place in order to autofill codes, and he has some concerns.
Security Code AutoFill is a new feature for iPhones in iOS 12. It is supposed to improve the usability of two-factor authentication, but could expose users to online banking fraud by removing the human validation aspect of the transaction signing/authentication process.
Gutmann’s concern is that without the human factor, it is possible that people may become more susceptible to man-in-the-middle attacks or phishing because they will not be looking at the message that was received. Gutmann also suggests that the new feature could prove problematic when it comes to transaction authentication as far as banking uses are concerned.
Transaction authentication, as opposed to user authentication, attests to the correctness of the intention of an action rather than just the identity of a user. It is most widely known in online banking, and in particular as a way to meet the EU’s Revised Payment Services Directive (PSD2) requirement for dynamic linking, where it is an essential tool to defend against sophisticated attacks.
The fact that a user verifies this salient information is precisely what provides the security benefit. Removing that from the process renders it ineffective. Examples in which Security Code AutoFill could pose a risk to online banking security include a Man-in-the-Middle attack on the user accessing online banking from Safari on their MacBook, injecting the required input field tag if necessary, or where a malicious website or app accesses the bank’s legitimate online banking service.
Both iOS 12 and macOS Mojave are currently in relatively early beta form and are both likely to ship at some point in September so there is plenty of time for this to be looked into.