One of the smaller additions in Apple’s upcoming iOS 12 update is a clever little feature called Security Code AutoFill.
Basically, it’s a system that makes entering two-factor authentication codes at login a whole lot easier.
But for as much good as it does, one security researcher sees Security Code AutoFill as a potential vulnerability that could be taken advantage of by malicious attackers.
Here’s what you need to know.
Security Code AutoFill iOS 12
Logging into an account with two-factor authentication typically involves two separate steps — hence the name.
You’ll enter your username and password, and then receive an SMS text message containing a one-time code. Once you type that code in, you’re logged in.
iOS 12 handles this a bit differently: it can automatically detect when a two-factor authentication code (also known as a one-time passcode, or OTP) arrives by SMS.
The system then reads that code out of the message and offers to enter it for you with a single tap. In iOS 12 it appears as a suggestion above the keyboard, labelled “From Messages.”
Of course, this can save quite a bit of time as it keeps you from having to jump between apps or memorize the OTP in a flash.
But the ease of use is also why it could be a security risk in certain circumstances.
What the Risk Is
Primarily, the risk lies with financial institutions. Though there are likely other cases when Security Code AutoFill could be risky, this is the most worrying scenario.
Andreas Gutmann, a security researcher at OneSpan’s Cambridge Innovation Center, says that the most pressing problem centers on something called a transaction authentication number (TAN).
What’s a TAN?
Like a 2FA login code, a TAN is a one-time code sent to your phone. But a TAN isn’t for logging in; it adds a second factor to an individual financial transaction.
Basically, when you transfer money or make a payment, a bank will send a TAN to your phone as an extra verification step to ensure no tomfoolery is going on.
You input this TAN into an appropriate field and the transaction is approved on your end. If you receive a TAN but you didn’t make any recent transactions, you’re supposed to contact your bank immediately.
While not widespread in the U.S. quite yet, TAN-protected transactions are fairly common throughout Europe and other regions.
The Risk with Security Code AutoFill
Because Security Code AutoFill pulls only the one-time passcode out of the message, it strips away all of the surrounding context.
For banking, that context (the amount and the payment destination) is exactly what tells you whether the transaction you’re about to approve is the one you actually made.
“The fact that a user verifies this salient information is precisely what provides the security benefit,” Gutmann wrote in a blog post. “Removing that from the process renders it ineffective.”
In other words, Apple’s time-saving feature could make users easier prey for financial fraud and man-in-the-middle attacks.
A user could, without ever seeing the amount or recipient, autofill a TAN that approves a fraudulent transaction. The transaction itself could be initiated by a malicious website or app, or by an attacker who has tampered with a legitimate banking session; the one-tap autofill then does the rest.
Can Apple Do Anything About It?
The main thing Apple could do is give Security Code AutoFill a way to tell a login 2FA code apart from a TAN, and then either show the transaction details alongside the TAN or decline to autofill it at all.
It’s not currently clear whether Security Code AutoFill can make that distinction. If it can, this issue becomes much less of a problem.
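To make the concern in the two sections above concrete, here is an added example (not Apple’s code, and not from Gutmann’s post) that mimics a context-blind OTP extractor over a few constructed SMS messages, then contrasts it with a context-aware version that keeps the amount and destination next to the code. The regular expressions, the currency and IBAN heuristics, and the message texts are all assumptions chosen for illustration; Apple has not published how Security Code AutoFill recognises a code.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample SMS messages (not real bank or provider text).
SAMPLE_MESSAGES = [
    "Your login code is 482913. It expires in 10 minutes.",
    "TAN 731056 for transfer of EUR 2,450.00 to IBAN DE89 3704 0044 0532 0130 00.",
    "Use 905112 to confirm payment of GBP 19.99 to Example Shop.",
]

# A 4-8 digit run not glued to other digits. Note that IBAN groups such as
# "3704" are also 4-digit runs: a context-blind extractor that takes the first
# match would happily return one of them if the IBAN came before the TAN.
CODE_RE = re.compile(r"(?<!\d)\d{4,8}(?!\d)")

# Hypothetical context signals (assumed patterns, not Apple's heuristic).
CURRENCY_RE = re.compile(r"\b(?:EUR|GBP|USD|CHF)\s?\d(?:[\d,.]*\d)?", re.I)
IBAN_RE = re.compile(r"\b[A-Z]{2}\d{2}(?:\s?[A-Z0-9]{4}){2,7}\b")
TRANSACTION_WORD_RE = re.compile(r"\b(?:transfer|payment|pay|TAN)\b", re.I)


def naive_extract_code(text: str) -> Optional[str]:
    """Context-blind extraction: the bare digits an autofill bar would offer.

    A login OTP and a TAN come out looking identical, which is the problem.
    """
    m = CODE_RE.search(text)
    return m.group(0) if m else None


@dataclass
class CodeSuggestion:
    code: str
    is_transaction: bool   # True if the message looks like a TAN, not a login OTP
    context: str           # salient details the user must verify before entering


def classify(text: str) -> Optional[CodeSuggestion]:
    """Context-aware extraction: keep the amount / destination with the code."""
    code = naive_extract_code(text)
    if code is None:
        return None
    details = []
    for pattern in (CURRENCY_RE, IBAN_RE):
        m = pattern.search(text)
        if m:
            details.append(m.group(0))
    # Treat it as a transaction code if we found money/account details or
    # transaction wording; either alone is enough to warrant showing context.
    is_transaction = bool(details) or TRANSACTION_WORD_RE.search(text) is not None
    return CodeSuggestion(code=code, is_transaction=is_transaction,
                          context="; ".join(details))


def autofill_label(text: str) -> Optional[str]:
    """What a safer autofill suggestion might read: login codes as-is,
    transaction codes with the details the user is supposed to check."""
    s = classify(text)
    if s is None:
        return None
    if not s.is_transaction:
        return f"{s.code} (From Messages)"
    return f"{s.code} (transaction code: {s.context or 'details unavailable'})"


if __name__ == "__main__":
    for msg in SAMPLE_MESSAGES:
        print(f"naive: {naive_extract_code(msg)!r:10} aware: {autofill_label(msg)!r}")
```

The naive extractor returns six bare digits for all three messages, so nothing in the suggestion tells the user that the second and third approve money movements. The context-aware version is still only a heuristic (a bank that formats its TAN messages differently would slip past it), which is the practical reason a user should keep opening Messages and reading the whole text before entering a code.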
Of course, if enough people express concern about Security Code AutoFill being a vulnerability, Apple could update it to mitigate the problem.
How to Protect Yourself
First of all, you should not disable two-factor authentication on any of your accounts.
SMS-based two-factor authentication has known weaknesses, since text messages can be intercepted or redirected, but it is still a lot better than relying on a password alone.
If you’re in Europe, or anywhere your bank sends TANs by SMS, the best thing you can do is check every code before you enter it. It only takes a couple of seconds to switch to Messages and confirm that the amount and recipient match what you intended.
That’s especially important if you can’t tell a TAN from a 2FA login code without reading the original text message.
If you aren’t in a country that uses TANs, it’s still smart to treat unexpected OTPs as suspicious. If you’re not actively logging in and an OTP text message arrives, something is probably amiss.
Furthermore, be on the lookout for TAN systems being adopted more broadly by U.S. banks. Europe has in recent years led the charge on privacy and security standards, and it’s likely that TANs will be adopted by U.S. banks and financial institutions in the near future.
You should also use security best practices in general when dealing with financial data or login information. Even the best password and 2FA security can’t protect you from social engineering.