Researcher Expresses Concerns Over iOS 12’s New Security Code Auto-fill Feature
2018-07-04
Posted by 3uTools

Update: Will Strafach has some doubts about Gutmann’s thoughts:


With iOS 12 and macOS Mojave, Apple has introduced a new security code auto-fill feature that makes two-factor authentication codes sent via SMS easier to manage. A security researcher, however, has published a new piece detailing some potential fraud concerns with the feature.


In our initial coverage of the feature, we noted that SMS two-factor isn’t the most secure form of two-factor authentication. Now, Andreas Gutmann, a researcher at OneSpan’s Cambridge Innovation Centre, dives deeper into the security concerns that come with Apple’s new auto-fill feature.


Security Code AutoFill is a new feature for iPhones in iOS 12. It is supposed to improve the usability of two-factor authentication, but could expose users to online banking fraud by removing the human validation aspect of the transaction signing/authentication process.




The human validation process, Gutmann explains, is an important aspect of two-factor authentication. Without it, a user could be more susceptible to “man-in-the-middle, phishing, or other social engineering attacks.”


Gutmann goes on to write that the feature could spell trouble for transaction authentication in relation to banking:


Transaction authentication, as opposed to user authentication, attests to the correctness of the intention of an action rather than just the identity of a user. It is most widely known in online banking, and in particular as a way to meet the EU’s Revised Payment Services Directive (PSD2) requirement for dynamic linking, where it is an essential tool to defend against sophisticated attacks.


The fact that a user verifies this salient information is precisely what provides the security benefit. Removing that from the process renders it ineffective. Examples in which Security Code AutoFill could pose a risk to online banking security include a Man-in-the-Middle attack on the user accessing online banking from Safari on their MacBook, injecting the required input field tag if necessary, or where a malicious website or app accesses the bank’s legitimate online banking service.
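The dynamic-linking check described in the passages above, as an added sketch that is not from the article, from Gutmann, or from any bank's implementation: the code is cryptographically bound to payee and amount, yet the bank's check alone cannot tell whether the transaction it received is the one the user intended. The key, nonce, IBAN-like strings, SMS wording and all function names are constructed assumptions.

```python
import hashlib
import hmac

# Constructed demo key; a real bank would hold a per-user secret server-side.
BANK_KEY = b"constructed-demo-key"

def transaction_code(key, payee, amount_cents, nonce):
    """Derive a 6-digit code bound to payee and amount (dynamic linking)."""
    msg = f"{payee}|{amount_cents}|{nonce}".encode()
    digest = hmac.new(key, msg, hashlib.sha256).digest()
    return f"{int.from_bytes(digest[:4], 'big') % 1_000_000:06d}"

def sms_text(payee, amount_cents, code):
    """SMS body: the salient details the user should read, then the code."""
    return f"Pay EUR {amount_cents / 100:.2f} to {payee}. Code: {code}"

def bank_verify(key, payee, amount_cents, nonce, submitted):
    """Bank-side check: the code must match the transaction the bank holds."""
    expected = transaction_code(key, payee, amount_cents, nonce)
    return hmac.compare_digest(expected, submitted)

def user_confirms(intended_payee, intended_cents, sms):
    """Human validation: compare the SMS details with the intended payment."""
    return sms.startswith(f"Pay EUR {intended_cents / 100:.2f} to {intended_payee}.")

def run_scenario(intended, received_by_bank, human_reads_sms):
    """Return True if the bank executes the transaction it received."""
    nonce = "n-0001"  # constructed
    code = transaction_code(BANK_KEY, *received_by_bank, nonce)
    sms = sms_text(*received_by_bank, code)
    if human_reads_sms and not user_confirms(*intended, sms):
        return False  # user sees the mismatch and withholds the code
    # Code entered without the details being read (e.g. filled automatically).
    return bank_verify(BANK_KEY, *received_by_bank, nonce, code)

INTENDED = ("DE00CONSTRUCTED0001", 12500)   # what the user meant to pay
ALTERED = ("XX00CONSTRUCTED9999", 990000)   # what the bank received after tampering

if __name__ == "__main__":
    print("untampered, SMS read:   ", run_scenario(INTENDED, INTENDED, True))
    print("tampered, SMS read:     ", run_scenario(INTENDED, ALTERED, True))
    print("tampered, SMS not read: ", run_scenario(INTENDED, ALTERED, False))
```

In the third scenario the bank's verification succeeds because the code is valid for the transaction the bank holds; only the comparison in `user_confirms` detects the change.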


Source: 9to5mac
