With iOS 12, Apple introduced a range of features that help boost the performance and the experience on the iPhone. One of the key features introduced with iOS 12 is security code auto-fill, which is said to make two-factor authentication easier by automatically entering the OTP received via SMS. However, a new report shows that the feature, instead of improving security, makes users more susceptible to online banking fraud.
Andreas Gutmann, a researcher at OneSpan’s Cambridge Innovation Centre, notes that human validation is an important aspect of two-factor authentication. It is what adds the security benefit. However, iOS 12’s feature takes away exactly that from the process.
The report suggests this is a big problem for transaction authentication, which is aimed at confirming the correctness of the intention of an action, rather than the identity of a user. It is most widely used in online banking, and in particular as a way to meet the EU’s Revised Payment Services Directive (PSD2) requirement for dynamic linking, where it is an essential tool to defend against sophisticated attacks.
Gutmann notes that this could expose users to online banking fraud, as these kinds of transaction authentication are generally used for banking. For example, it will be possible for someone to trick a user into transferring money to a different account. Threats also include man-in-the-middle, phishing and social engineering attacks through phishing tools such as Man-in-the-Browser malware.
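The dynamic linking and human validation described above, modelled as an added sketch that is not from the report or from any bank's implementation. The HMAC construction, the 6-digit truncation, the key, the function names and the account strings are all assumptions constructed for illustration.

```python
import hashlib
import hmac

BANK_KEY = b"constructed-demo-key"  # constructed; stands in for the bank's secret

def issue_code(txn: dict, key: bytes = BANK_KEY) -> str:
    """Bank side: derive a 6-digit code bound to this amount and payee."""
    bound = f"{txn['amount']}|{txn['payee']}".encode()
    digest = hmac.new(key, bound, hashlib.sha256).digest()
    return f"{int.from_bytes(digest[:4], 'big') % 1_000_000:06d}"

def bank_accepts(txn: dict, code: str) -> bool:
    """Bank side: the code only authorises the transaction it was issued for."""
    return hmac.compare_digest(issue_code(txn), code)

def sms_text(txn: dict) -> str:
    """The message carries the details the user is expected to check."""
    return f"Code {issue_code(txn)}: pay {txn['amount']} to {txn['payee']}"

def user_releases_code(intended: dict, shown: dict, reads_sms: bool) -> bool:
    """User side: human validation. When the code is filled in unread,
    nothing compares the intended payment with the one the bank received."""
    return intended == shown if reads_sms else True

def payment_executed(intended: dict, received: dict, reads_sms: bool) -> bool:
    """End to end: does the payment the bank received go through?"""
    if not user_releases_code(intended, received, reads_sms):
        return False  # mismatch noticed, code withheld
    return bank_accepts(received, issue_code(received))

# Constructed sample data: same amount, different payee.
INTENDED = {"amount": "100.00 EUR", "payee": "ACCT-CONSTRUCTED-0001"}
ALTERED = {"amount": "100.00 EUR", "payee": "ACCT-CONSTRUCTED-9999"}

if __name__ == "__main__":
    print(sms_text(ALTERED))
    for reads in (True, False):
        print(f"user reads SMS={reads}: altered payment executed =",
              payment_executed(INTENDED, ALTERED, reads))
```

The code stays cryptographically valid for whatever transaction the bank received, so the comparison in `user_releases_code` is the only control in this model that catches a changed payee.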