Apple has introduced a new Security Code AutoFill feature in iOS 12, primarily aimed at improving the usability of two-factor authentication. However, security researcher Andreas Gutmann at OneSpan’s Cambridge Innovation Centre has detailed potential fraud concerns with the new feature in a recent article (via 9to5Mac).
Gutmann says the feature could expose users to online banking fraud “by removing the human validation aspect of the transaction signing/authentication process”.
He explains that human validation is an important aspect of two-factor authentication and that without it, users are more susceptible to “man-in-the-middle, phishing, or other social engineering attacks”.
Here’s an excerpt from the lengthy article:
“Transaction authentication, as opposed to user authentication, attests to the correctness of the intention of an action rather than just the identity of a user. It is most widely known in online banking, and in particular as a way to meet the EU’s Revised Payment Services Directive (PSD2) requirement for dynamic linking, where it is an essential tool to defend against sophisticated attacks.
The fact that a user verifies this salient information is precisely what provides the security benefit. Removing that from the process renders it ineffective.”
To read the article in full, hit up this link.
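To make the excerpt's point concrete, here is an added worked example (not code from the article, from Gutmann, OneSpan or Apple) that models a dynamically linked transaction code and contrasts a user who reads the SMS with an AutoFill-style submission that only extracts the digits. The HMAC-SHA256 construction, the shared key, the IBANs, the nonce and the SMS format are all assumptions chosen for illustration, and the AutoFill model is deliberately simplified to "copy the code, read nothing else".

```python
import hashlib
import hmac
import re
from dataclasses import dataclass
from typing import Callable, Optional


@dataclass(frozen=True)
class Transaction:
    """The salient details the user is meant to validate; nonce is a per-transaction bank challenge."""
    amount_cents: int
    payee_iban: str
    nonce: str


def transaction_code(key: bytes, tx: Transaction, digits: int = 6) -> str:
    """Dynamically linked code: a MAC over amount, payee and nonce, truncated HOTP-style.

    Assumed construction for illustration; PSD2 mandates the binding, not this particular scheme.
    """
    msg = f"{tx.amount_cents}|{tx.payee_iban}|{tx.nonce}".encode()
    mac = hmac.new(key, msg, hashlib.sha256).digest()
    offset = mac[-1] & 0x0F                                   # dynamic truncation as in RFC 4226 s.5.3
    value = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return f"{value % 10 ** digits:0{digits}d}"


def build_sms(tx: Transaction, code: str) -> str:
    """The message the bank sends: the details to check first, then the code to type back."""
    return f"Pay EUR {tx.amount_cents / 100:.2f} to {tx.payee_iban}. Code: {code}"


def bank_verify(key: bytes, tx_received: Transaction, submitted: Optional[str]) -> bool:
    """The bank can only verify against the transaction it received, which may have been tampered en route."""
    if submitted is None:
        return False
    return hmac.compare_digest(transaction_code(key, tx_received), submitted)


SMS_RE = re.compile(r"Pay EUR (\d+\.\d{2}) to ([A-Z0-9]+)\. Code: (\d+)")


def autofill_submit(sms: str) -> Optional[str]:
    """Models Security Code AutoFill (simplified): pull the code out of the SMS and submit it."""
    m = SMS_RE.search(sms)
    return m.group(3) if m else None


def human_submit(sms: str, intended: Transaction) -> Optional[str]:
    """Models a user who reads the SMS and refuses when amount or payee differ from what they intended."""
    m = SMS_RE.search(sms)
    if not m:
        return None
    amount_cents = round(float(m.group(1)) * 100)
    if amount_cents != intended.amount_cents or m.group(2) != intended.payee_iban:
        return None  # mismatch spotted: the code is never typed in, so the bank never gets it
    return m.group(3)


def simulate(key: bytes, received: Transaction, submit: Callable[[str], Optional[str]]) -> bool:
    """One attempt: the bank receives `received`, sends an SMS describing it, `submit` decides what to type."""
    sms = build_sms(received, transaction_code(key, received))
    return bank_verify(key, received, submit(sms))


def demo() -> dict:
    key = b"constructed-shared-secret"  # constructed; a real bank holds a per-customer secret
    intended = Transaction(5_000, "DE75512108001245126199", nonce="n-1")      # EUR 50.00, constructed IBAN
    # A man-in-the-middle rewrote the payment before it reached the bank (constructed attacker IBAN).
    tampered = Transaction(480_000, "GB29NWBK60161331926819", nonce="n-1")    # EUR 4800.00
    return {
        # Dynamic linking: a code issued for one transaction does not verify another.
        "codes_differ": transaction_code(key, intended) != transaction_code(key, tampered),
        # AutoFill copies the code for the tampered transaction straight back to the bank.
        "autofill_fraud_succeeds": simulate(key, tampered, autofill_submit),
        # A reader sees EUR 4800.00 to an unknown payee and stops.
        "human_fraud_succeeds": simulate(key, tampered, lambda s: human_submit(s, intended)),
        # The honest path still works for the reader.
        "honest_human_succeeds": simulate(key, intended, lambda s: human_submit(s, intended)),
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The code itself is sound in both runs: the bank always verifies the code against the transaction it actually holds, and that transaction is the attacker's. The only check that can catch the substitution is the comparison between the SMS text and the user's intent, which is exactly the step AutoFill removes.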