“A new feature in iOS 12 makes it easier for you to handle two-factor authentication (2FA) requests,” Don Reisinger writes for Tom’s Guide. “But the process has provoked the ire of one security researcher who says it could cause real security problems, at least for some European online-banking customers.”
“In iOS 12, already available for beta testing, there’s a new Security Code AutoFill feature. When you receive a one-time passcode (OTP) sent to your phone via SMS for two-factor authentication purposes, the Security Code AutoFill automatically retrieves the number and gives you the option, above the keyboard, to simply tap on the code to populate the required field. A note above the number will say ‘From Messages’ to let you know from which app the number was retrieved,” Reisinger writes. “The idea is to make it easier for you to log into 2FA-enabled accounts and services. Ostensibly, if Apple sends a one-time code to your phone and you see it come in, you won’t need to jump between apps to get the code and log in.”
“This makes sense within an American context,” Reisinger writes, “but it may be dangerous in Europe, where many online banks, especially in German-speaking countries, use an additional security feature.”
Read more in the full article here.
MacDailyNews Take: Andreas Gutmann, a researcher at OneSpan’s Cambridge Innovation Center and a doctoral candidate at University College London, is right to be worried that Security Code AutoFill might not be able to tell the difference between a one-time passcode required to log into an account and a Transaction Authentication Numbers (TAN) required to perform a transaction. Apple should make a clear disctinction.
Read more about this issue via 9to5Mac here.
Transaction authentication, as opposed to user authentication, attests to the correctness of the intention of an action rather than just the identity of a user. It is most widely known in online banking, and in particular as a way to meet the EU’s Revised Payment Services Directive (PSD2) requirement for dynamic linking, where it is an essential tool to defend against sophisticated attacks.
The fact that a user verifies this salient information is precisely what provides the security benefit. Removing that from the process renders it ineffective. Examples in which Security Code AutoFill could pose a risk to online banking security include a Man-in-the-Middle attack on the user accessing online banking from Safari on their MacBook, injecting the required input field tag if necessary, or where a malicious website or app accesses the bank’s legitimate online banking service. — Andreas Gutmann
Read “New iOS 12 Feature Risks Exposing Users to Online Banking Fraud” here.