iOS 12 Security Code AutoFill feature puts users at risk
Apple introduced a number of security and convenience features in iOS 12; one of them, "Security Code AutoFill", may expose users to a considerable risk of bank fraud. Apple announced the feature at WWDC 2018 in June. It is designed to save users the hassle of retyping one-time codes: when a verification code arrives by SMS, iOS reads it out of the message and offers to fill it into the waiting form field in Safari or in an app, so that sign-in or registration completes without the user switching to the Messages app.
At first glance, this is a feature that can significantly improve usability, but security expert Andreas Gutmann warns:
“In the case of the upcoming Security Code AutoFill feature in iOS 12, while making SMS-based 2FA more convenient for users, it may negate the security benefits of transaction signing and Transaction Authentication Numbers (TANs).”
In other words, the mechanism banks rely on to authenticate customers and to sign individual transactions may fail against technical attacks such as a malicious website or a Man-in-the-Middle, because its security depends on the user actually reading the message that carries the code:
“The fact that a user verifies this salient information is precisely what provides the security benefit. Removing that from the process renders it ineffective. Examples in which Security Code AutoFill could pose a risk to online banking security include a Man-in-the-Middle attack on the user accessing online banking from Safari on their MacBook, injecting the required input field tag if necessary, or where a malicious website or app accesses the bank’s legitimate online banking service.”
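The argument above can be made concrete with a small model of an SMS TAN flow. The following is an added, constructed illustration and not code from the article, from Apple or from Andreas Gutmann; the bank, the SMS wording, the IBANs and the HMAC key are all made up. The bank binds each TAN to the transfer details it received, so the TAN itself is sound; what the model shows is that when a Man-in-the-Middle has swapped the transfer, the only check that catches it is the user comparing the SMS text with what they meant to send, and that an autofill path which extracts the code without reading the rest of the message skips exactly that check.

```python
"""Constructed model of an SMS TAN flow, with and without the user reading
the message. Not code from the article, Apple or Andreas Gutmann; every
name, key and message format here is an assumption made for illustration."""
import hashlib
import hmac
import re
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed bank-side secret used to derive transaction-bound TANs.
BANK_KEY = b"constructed-demo-key-not-a-real-secret"

SMS_PATTERN = re.compile(
    r"Transfer (\d+)\.(\d{2}) EUR to (\S+)\. Your TAN is (\d{6})\.")


@dataclass(frozen=True)
class Transfer:
    iban: str
    amount_cents: int


def issue_tan(tx: Transfer) -> Tuple[str, str]:
    """Bank side: derive a 6-digit TAN bound to the IBAN and amount the bank
    received, and build the SMS it would send. This is the 'transaction
    signing' property: the TAN is valid for these details only."""
    msg = f"{tx.iban}|{tx.amount_cents}".encode()
    digest = hmac.new(BANK_KEY, msg, hashlib.sha256).digest()
    tan = f"{int.from_bytes(digest[:4], 'big') % 1_000_000:06d}"
    euros, cents = divmod(tx.amount_cents, 100)
    sms = f"Transfer {euros}.{cents:02d} EUR to {tx.iban}. Your TAN is {tan}."
    return tan, sms


def bank_accepts(tx: Transfer, tan: str) -> bool:
    """Bank side: execute the transfer only if the TAN matches its details."""
    expected, _ = issue_tan(tx)
    return hmac.compare_digest(expected, tan)


def parse_sms(sms: str) -> Tuple[Transfer, str]:
    """Split the SMS into the transfer it describes and the TAN it carries."""
    m = SMS_PATTERN.fullmatch(sms)
    if m is None:
        raise ValueError("unexpected SMS format")
    euros, cents, iban, tan = m.groups()
    return Transfer(iban, int(euros) * 100 + int(cents)), tan


def user_reads_and_enters(sms: str, intended: Transfer) -> Optional[str]:
    """Manual path: the user reads the SMS, compares amount and IBAN with the
    transfer they actually ordered, and refuses to type the TAN on mismatch."""
    shown, tan = parse_sms(sms)
    if shown != intended:
        return None
    return tan


def autofill_enters(sms: str) -> str:
    """Autofill path: only the code is extracted and filled in; the transfer
    details in the same message are never shown to or checked by the user."""
    _, tan = parse_sms(sms)
    return tan


def run_scenario(intended: Transfer, received: Transfer, autofill: bool) -> bool:
    """End to end: the user orders `intended`; a Man-in-the-Middle may have
    replaced it with `received` before it reached the bank; the bank issues
    a TAN for what it received. Returns True if `received` is executed."""
    _, sms = issue_tan(received)
    entered = autofill_enters(sms) if autofill else user_reads_and_enters(sms, intended)
    if entered is None:
        return False  # user spotted the mismatch and never entered the TAN
    return bank_accepts(received, entered)


if __name__ == "__main__":
    # Constructed transfers: the user's order and the attacker's substitute.
    intended = Transfer("DE89370400440532013000", 5000)
    tampered = Transfer("GB29NWBK60161331926819", 250000)
    print("legitimate transfer, user reads SMS:", run_scenario(intended, intended, False))
    print("MitM-swapped transfer, user reads SMS:", run_scenario(intended, tampered, False))
    print("MitM-swapped transfer, code autofilled:", run_scenario(intended, tampered, True))
```

The TAN binding alone does not save the user here: the bank only ever saw the attacker's transfer, so the TAN it issued is correct for that transfer. Whether the fraud goes through is decided entirely by whether anyone compares the IBAN and amount in the SMS against the order the user meant to place, which is the step the autofill path removes.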