Security researcher has a big problem with Apple’s iOS 12

“A new feature in iOS 12 makes it easier for you to handle two-factor authentication (2FA) requests,” Don Reisinger writes for Tom’s Guide. “But the process has provoked the ire of one security researcher who says it could cause real security problems, at least for some European online-banking customers.”

“In iOS 12, already available for beta testing, there’s a new Security Code AutoFill feature. When you receive a one-time passcode (OTP) sent to your phone via SMS for two-factor authentication purposes, the Security Code AutoFill automatically retrieves the number and gives you the option, above the keyboard, to simply tap on the code to populate the required field. A note above the number will say ‘From Messages’ to let you know from which app the number was retrieved,” Reisinger writes. “The idea is to make it easier for you to log into 2FA-enabled accounts and services. Ostensibly, if Apple sends a one-time code to your phone and you see it come in, you won’t need to jump between apps to get the code and log in.”

“This makes sense within an American context,” Reisinger writes, “but it may be dangerous in Europe, where many online banks, especially in German-speaking countries, use an additional security feature.”

Read more in the full article here.

MacDailyNews Take: Andreas Gutmann, a researcher at OneSpan’s Cambridge Innovation Center and a doctoral candidate at University College London, is right to be worried that Security Code AutoFill might not be able to tell the difference between a one-time passcode required to log into an account and a Transaction Authentication Numbers (TAN) required to perform a transaction. Apple should make a clear disctinction.

Read more about this issue via 9to5Mac here.

Transaction authentication, as opposed to user authentication, attests to the correctness of the intention of an action rather than just the identity of a user. It is most widely known in online banking, and in particular as a way to meet the EU’s Revised Payment Services Directive (PSD2) requirement for dynamic linking, where it is an essential tool to defend against sophisticated attacks.

The fact that a user verifies this salient information is precisely what provides the security benefit. Removing that from the process renders it ineffective. Examples in which Security Code AutoFill could pose a risk to online banking security include a Man-in-the-Middle attack on the user accessing online banking from Safari on their MacBook, injecting the required input field tag if necessary, or where a malicious website or app accesses the bank’s legitimate online banking service. — Andreas Gutmann

Read “New iOS 12 Feature Risks Exposing Users to Online Banking Fraud” here.


  1. So if I understand correctly, with Two factor, the new feature will work great and speed the process.

    But with TAN it may not work properly and you would have to open the message retrieve the required information, the same as you are required to now, so no shortcut.

    What’s bad here? So Apple is bad because they are making one scenario better, just not the other (yet?)?

    Yes, Apple should work on all scenarios to make them better, but really, Spoiled much?

    1. It sounds like you don’t understand correctly – see Oliver’s response below.
      Basically, after a quick read of the article, the point of TAN codes is you need to see the actual message. It sounds like just being offered the TAN would mean you might not notice that, while you were trying to do a transaction to send $50 to grandma, someone attacking your account was trying to do a transaction that sent $5000 to an account in the Cayman Islands (not yours, presumably). So, with iOS 12, it would say “Hey – just got this thing that looks like a code – want to enter it?” and you might accept, since you aren’t being shown the $5000-to-a-stranger part of the message.
      Boom – you just lost $5000.

  2. No, the problem is that it doesn’t make a distinction between a user login or a TAN number. With TAN numbers especially, this feature could pose a security risk. They are meant to be checked, rather than copied automatically.

Reader Feedback

This site uses Akismet to reduce spam. Learn how your comment data is processed.