The new Security Code AutoFill feature suggests the OTP by reading the latest text message. A researcher warns that taking the user out of the loop could open the door to social engineering attacks.
It’s clear that Apple’s focus was on performance while announcing its latest iOS 12 OS at WWDC 2018. However, the company also demoed some other features aimed at easing everyday tasks, such as entering an OTP for a two-step verification process. Now Andreas Gutmann, a researcher at OneSpan’s Cambridge Innovation Centre, has expressed concerns about how this feature could expose users to online banking fraud. Gutmann says that removing the human validation step of reading the OTP and entering it manually could create risks for users. The Two-Factor Authentication (2FA) feature sends a unique code every time the user tries to log into their account.
Gutmann says that the new feature in iOS 12, which makes this process easier for users, may negate the security benefits of “transaction signing and Transaction Authentication Numbers (TANs).” Transaction signing and TANs are used to defend against social engineering and similar attacks. Removing the user, who verifies the information sent with the passcode, from the 2FA process increases the risk to online security. Gutmann adds, “Transaction authentication, as opposed to user authentication, attests to the correctness of the intention of an action rather than just the identity of a user. It is most widely known in online banking, and in particular as a way to meet the EU’s Revised Payment Services Directive (PSD2) requirement for dynamic linking, where it is an essential tool to defend against sophisticated attacks.”
As an example, an attacker could trick the user into transferring money to a different account than the one intended. This can be done with social engineering techniques such as phishing and vishing, and/or with tools such as Man-in-the-Browser malware.
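To make the difference between user authentication and transaction authentication concrete, here is an added, self-contained model of the flow Gutmann describes (this is illustrative code written for this article, not Apple's, OneSpan's or any bank's implementation). It assumes a bank that computes a TAN as an HMAC over the transfer details it received (amount, recipient IBAN, nonce) and repeats those details in the SMS, and it uses a constructed key and constructed IBANs. The `attentive_user` function models a customer who reads the message and compares it with what they meant to do; `autofill` models a code-suggestion feature that extracts the digits without any such comparison. A transfer whose recipient was altered before it reached the bank is rejected when the customer reads the SMS, but accepted when the code is filled in blindly, which is exactly the check that dynamic linking relies on.

```python
import hashlib
import hmac
import re
from dataclasses import dataclass

# Constructed shared secret for this demo. Real systems provision per-customer
# keys inside an HSM; this placeholder is not a real key.
BANK_KEY = b"constructed-demo-key-not-for-real-use"


@dataclass(frozen=True)
class Transfer:
    amount_cents: int
    recipient_iban: str
    nonce: str  # fresh per challenge, so a TAN cannot be replayed later


def transaction_tan(key: bytes, tx: Transfer) -> str:
    """Dynamic linking: the code is an HMAC over the transaction details, so a
    code issued for one (amount, recipient) pair is not valid for another."""
    msg = f"{tx.amount_cents}|{tx.recipient_iban}|{tx.nonce}".encode()
    digest = hmac.new(key, msg, hashlib.sha256).digest()
    return f"{int.from_bytes(digest[:4], 'big') % 1_000_000:06d}"


def bank_issue_challenge(key: bytes, tx: Transfer) -> str:
    """The bank signs the transfer it actually received and repeats the details
    in the SMS so the customer can compare them with their intent."""
    tan = transaction_tan(key, tx)
    return (f"Transfer of EUR {tx.amount_cents / 100:.2f} to "
            f"{tx.recipient_iban}. Your code: {tan}")


def bank_verify(key: bytes, tx: Transfer, entered: str) -> bool:
    """Accept only if the entered code is the HMAC over the received transfer."""
    return hmac.compare_digest(transaction_tan(key, tx), entered)


CODE_RE = re.compile(r"code: (\d{6})")


def attentive_user(sms: str, intended: Transfer):
    """A customer who reads the SMS: returns the code only when the transfer it
    describes matches what they meant to authorise, otherwise refuses."""
    expected_prefix = (f"Transfer of EUR {intended.amount_cents / 100:.2f} to "
                       f"{intended.recipient_iban}.")
    if not sms.startswith(expected_prefix):
        return None  # details differ from intent: do not enter the code
    match = CODE_RE.search(sms)
    return match.group(1) if match else None


def autofill(sms: str, intended: Transfer):
    """Code autofill as modelled here: pulls the digits out of the latest SMS
    without comparing the transfer details against the customer's intent."""
    match = CODE_RE.search(sms)
    return match.group(1) if match else None


def run_flow(intended: Transfer, submitted: Transfer, entry) -> bool:
    """intended: what the customer meant to do. submitted: what the bank
    received (possibly altered in the browser). Returns True if accepted."""
    sms = bank_issue_challenge(BANK_KEY, submitted)
    code = entry(sms, intended)
    if code is None:
        return False  # customer declined; nothing reaches the bank
    return bank_verify(BANK_KEY, submitted, code)


if __name__ == "__main__":
    # Constructed IBANs for the demo.
    intended = Transfer(10_000, "DE00 0000 0000 0000 0000 01", "n1")
    altered = Transfer(10_000, "DE00 0000 0000 0000 0000 99", "n1")
    print("honest transfer, attentive user :", run_flow(intended, intended, attentive_user))
    print("altered recipient, attentive user:", run_flow(intended, altered, attentive_user))
    print("altered recipient, autofill      :", run_flow(intended, altered, autofill))
```

The bank side never changes between the three runs; what changes is whether anyone compares the transfer described in the message with the one the customer intended. Mitigations therefore sit on the client side: a code suggestion feature can decline to offer a code when the message carries transaction details, or banks can move to app-based signing where the details are shown and confirmed in the same screen that produces the code.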