Security expert raises concerns over new iOS 12 feature

Jul 3, 2018 08:32 GMT  ·  By

A new security feature coming to users with the release of iOS 12 could expose Apple customers to bank fraud by skipping the human validation process when authenticating transactions, a security researcher warns.

Apple announced at WWDC in June that iOS 12 would come with a new feature called Security Code AutoFill whose purpose is to automatically read two-factor authentication codes sent via SMS and then input them in forms in Safari to provide a seamless signing-in process for users.

While at first glance this is a feature that substantially improves usability, security expert Andreas Gutmann warns that such an implementation could, in the end, have an impact on transaction signing and Transaction Authentication Numbers (TANs).

2FA to be more widely used

In other words, security systems used by banks for authentication and signing transactions could be rendered ineffective with attack methods like malicious websites and Man-in-the-Middle techniques.

“The fact that a user verifies this salient information is precisely what provides the security benefit. Removing that from the process renders it ineffective. Examples in which Security Code AutoFill could pose a risk to online banking security include a Man-in-the-Middle attack on the user accessing online banking from Safari on their MacBook, injecting the required input field tag if necessary, or where a malicious website or app accesses the bank’s legitimate online banking service,” Gutmann notes.

The manual verification step, which requires user interaction, is a must-have to make sure that cyber-criminals do not manage to bypass the security features implemented by banks.

The good side of the new feature coming to users with iOS 12, however, is that Apple encourages customers to enable two-factor authentication, which makes services more secure by requiring a code sent via SMS. On the other hand, by bypassing the human validation process, iOS 12’s Security Code AutoFill renders even this feature useless, easily exposing both users and banks, the research concludes.