Researcher Shares Security Concerns Over Security Code Auto-Fill in iOS 12

Apple has introduced a new Security Code AutoFill feature in iOS 12, primarily aimed at improving the usability of two-factor authentication. However, security researcher Andreas Gutmann at OneSpan’s Cambridge Innovation Centre has detailed potential fraud concerns with the new feature in a recent article (via 9to5Mac).


Gutmann says the feature could expose users to online banking fraud “by removing the human validation aspect of the transaction signing/authentication process”.

He explains that human validation is an important aspect of two-factor authentication and that without it, users are more susceptible to “man-in-the-middle, phishing, or other social engineering attacks”.

Here’s an excerpt from the lengthy article:

“Transaction authentication, as opposed to user authentication, attests to the correctness of the intention of an action rather than just the identity of a user. It is most widely known in online banking, and in particular as a way to meet the EU’s Revised Payment Services Directive (PSD2) requirement for dynamic linking, where it is an essential tool to defend against sophisticated attacks.

The fact that a user verifies this salient information is precisely what provides the security benefit. Removing that from the process renders it ineffective.”
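
The dynamic linking described in the excerpt can be sketched as follows. This is an added example, not code from Gutmann's article, Apple, or any bank. The HMAC construction, SMS wording, key, payee names and function names are all constructed assumptions. It shows that a code bound to the transaction the server received still verifies when that transaction is not the one the user intended, so the comparison of the displayed details is the only step that catches the mismatch.

```python
import hashlib
import hmac
import re

SERVER_KEY = b"constructed-demo-key"  # assumption: per-user secret held by the bank

def transaction_code(key, payee, amount_cents, nonce):
    """Derive a 6-digit code bound to payee and amount (dynamic linking)."""
    msg = f"{payee}|{amount_cents}|{nonce}".encode()
    digest = hmac.new(key, msg, hashlib.sha256).digest()
    return f"{int.from_bytes(digest[:4], 'big') % 1_000_000:06d}"

def sms_for(key, payee, amount_cents, nonce):
    """The SMS shows the details the server received, plus the code."""
    code = transaction_code(key, payee, amount_cents, nonce)
    return f"Pay {amount_cents / 100:.2f} EUR to {payee}. Code: {code}"

def server_verify(key, payee, amount_cents, nonce, code):
    """Server side: the code is valid only for this exact payee and amount."""
    expected = transaction_code(key, payee, amount_cents, nonce)
    return hmac.compare_digest(expected, code)

def autofill(sms):
    """Models code extraction alone: the details in the SMS are never compared."""
    return re.search(r"Code: (\d{6})", sms).group(1)

def human_validate(sms, intended_payee, intended_cents):
    """Models the user reading the SMS: release the code only if details match."""
    m = re.fullmatch(r"Pay (\d+)\.(\d{2}) EUR to (.+)\. Code: (\d{6})", sms)
    if not m:
        return None
    cents = int(m.group(1)) * 100 + int(m.group(2))
    if m.group(3) != intended_payee or cents != intended_cents:
        return None  # mismatch noticed, code withheld
    return m.group(4)

def demo():
    intended = ("ACME-UTILITIES", 12_050)   # constructed: what the user meant to pay
    received = ("OTHER-ACCOUNT", 12_050)    # constructed: what reached the server
    nonce = "n-0001"
    sms = sms_for(SERVER_KEY, *received, nonce)
    accepted = server_verify(SERVER_KEY, *received, nonce, autofill(sms))
    return accepted, human_validate(sms, *intended)

if __name__ == "__main__":
    print(demo())
```
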

To read the article in full, hit up this link.
