Security researcher Andreas Gutmann, from OneSpan's (formerly VASCO) Cambridge Innovation Centre, highlights a fraud risk in Apple's new Security Code AutoFill feature, announced for iPhones in iOS 12. The issue illustrates the delicate balance, and the tension, between improving user experience and protecting customers from fraud. Key extracts of his blog post follow.
Andreas Gutmann is a researcher at OneSpan’s Cambridge Innovation Centre, working at the intersection of FinTech with usability, security, and privacy. He is a Marie Skłodowska-Curie Actions Fellow of the European Commission and is currently pursuing a PhD at University College London.
Reflections about Online Security: New iOS 12 Feature Risks Exposing Users to Online Banking Fraud
Security Code AutoFill is a new feature for iPhones in iOS 12, announced at the WWDC18 conference. It is intended to improve the usability of two-factor authentication, but it could expose users to online banking fraud by removing the human validation step from transaction signing and authentication.
Improving the SMS-based 2FA User Experience
Two-factor authentication (2FA), often referred to as two-step verification, is an essential element of many security systems, especially for online transactions and remote access. In most deployments, 2FA adds security by checking that the user possesses a registered mobile device: the legitimate user receives a One Time Password (OTP) on their phone and enters it during login, something an impersonator who only knows the password cannot do.
Apple announced that iOS 12 will automate this last step of the 2FA process to improve the user experience: the security code received by SMS is offered to the user, who inputs it with a single tap. This will speed up the login process and reduce typing errors, a significant usability improvement that could also increase adoption of 2FA among iPhone users. However, it may negate the security benefits of transaction signing and Transaction Authentication Numbers (TANs).
iOS 12 Security Code AutoFill Feature Could Expose Banks and Users to Fraud
Transaction authentication, as opposed to user authentication, attests to what the user intends to do rather than merely to who the user is. It is most widely known from online banking, in particular as a way to meet the dynamic linking requirement of the EU's Revised Payment Services Directive (PSD2), under which the authentication code must be bound to the specific amount and payee of the transaction. There it is an essential defence against sophisticated attacks in which an adversary tries to trick a victim into transferring money to a different account than the one intended, using social engineering such as phishing and vishing and/or tools such as Man-in-the-Browser malware.
Transaction authentication is used to defend against these adversaries. In one of the most common methods in use today, the bank summarizes the transaction data as it received it, generates a TAN cryptographically bound to that data, and sends both to the registered phone number via SMS. The user, the bank's customer in this case, is expected to read the summary and, only if it matches what he or she intended, enter the TAN from the SMS message into the webpage.
How Security Code AutoFill Could Negate the Security Benefits of Transaction Authentication
The security benefit comes precisely from the user reading and verifying this salient information; removing that step from the process renders the control ineffective. Scenarios in which Security Code AutoFill could put online banking at risk include a Man-in-the-Middle or Man-in-the-Browser attack against a user who banks from Safari on their MacBook, with the attacker injecting the input field that triggers the AutoFill suggestion if necessary, or a malicious website or app that drives the bank's legitimate online banking service in the background while the victim believes they are authenticating something else. In each case the TAN the bank issued is valid for the transaction the bank received, which is the attacker's; only the customer comparing the SMS summary against their own intention can catch the substitution, and a one-tap AutoFill skips exactly that comparison.
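To make concrete why the human check is the only part of this flow that detects tampering, here is a short Python simulation of a dynamically linked SMS TAN under a Man-in-the-Browser attack, run once with the customer reading the summary and once with the code auto-filled. This is an added example and not code from the original post, from OneSpan or from Apple; the bank key, IBANs, amounts, nonce and SMS wording are all constructed for the illustration.

```python
"""Simulation of SMS-based transaction authentication with a dynamically
linked TAN, and of what Security Code AutoFill removes from it.

Added example for this page; not code from the original post or from
OneSpan/Apple. Keys, IBANs, amounts and the SMS wording are constructed.
"""
import hashlib
import hmac
import re
from dataclasses import dataclass, replace

# Constructed per-customer secret held by the bank (in practice HSM-protected).
BANK_TAN_KEY = b"constructed-bank-side-tan-key"

INTENDED_PAYEE = "DE89370400440532013000"   # constructed: the payee the customer meant
ATTACKER_PAYEE = "DE12500105170648489890"   # constructed: the mule account MitB swaps in


@dataclass(frozen=True)
class Transaction:
    payee_iban: str
    amount_cents: int
    reference: str


def dynamic_linking_tan(tx: Transaction, nonce: str, digits: int = 6) -> str:
    """TAN bound to payee and amount (PSD2 dynamic linking): an HMAC over the
    transaction data, truncated to `digits` decimal digits."""
    msg = f"{tx.payee_iban}|{tx.amount_cents}|{nonce}".encode()
    mac = hmac.new(BANK_TAN_KEY, msg, hashlib.sha256).digest()
    return str(int.from_bytes(mac[:4], "big") % 10**digits).zfill(digits)


def bank_send_sms(tx_received: Transaction, nonce: str) -> str:
    """The bank summarises the transaction AS IT RECEIVED IT and appends the TAN."""
    tan = dynamic_linking_tan(tx_received, nonce)
    return (f"Transfer of {tx_received.amount_cents / 100:.2f} EUR to "
            f"{tx_received.payee_iban}. Your code is {tan}")


def bank_verify(tx_received: Transaction, nonce: str, tan_entered: str) -> bool:
    """Server-side check: the entered TAN must match the one bound to the received data."""
    return hmac.compare_digest(dynamic_linking_tan(tx_received, nonce), tan_entered)


def man_in_the_browser(tx: Transaction) -> Transaction:
    """MitB malware rewrites the payee in the submitted form while the victim's
    screen still shows the intended one."""
    return replace(tx, payee_iban=ATTACKER_PAYEE)


def autofill_extract_code(sms: str) -> str:
    """What a one-tap AutoFill amounts to: pull the 6-digit code out of the SMS
    and ignore every other word of it (the IBAN is a longer digit run, so it is skipped)."""
    codes = re.findall(r"(?<!\d)\d{6}(?!\d)", sms)
    return codes[-1]


def customer_verifies_summary(intended: Transaction, sms: str) -> bool:
    """The human step: does the SMS summary describe the transfer I actually meant?"""
    return (intended.payee_iban in sms
            and f"{intended.amount_cents / 100:.2f}" in sms)


def run_transfer(attacked: bool, autofill: bool) -> str:
    """Returns APPROVED, REJECTED (TAN mismatch) or ABORTED_BY_USER (summary mismatch)."""
    intended = Transaction(INTENDED_PAYEE, 12500, "rent")
    submitted = man_in_the_browser(intended) if attacked else intended
    nonce = "constructed-session-nonce-0001"
    sms = bank_send_sms(submitted, nonce)
    if not autofill and not customer_verifies_summary(intended, sms):
        return "ABORTED_BY_USER"
    tan_entered = autofill_extract_code(sms)
    return "APPROVED" if bank_verify(submitted, nonce, tan_entered) else "REJECTED"


if __name__ == "__main__":
    for attacked in (False, True):
        for autofill in (False, True):
            print(f"attacked={attacked!s:5} autofill={autofill!s:5} -> "
                  f"{run_transfer(attacked, autofill)}")
```

The bank's verification succeeds in both attacked runs because the TAN is correctly bound to the transaction the bank received, which is the attacker's. Nothing in the cryptography is broken; the only control that notices the swapped payee is the customer comparing the SMS summary against their intent, and the auto-filled path never reads the summary.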
Considerations for Banking Use Cases
As banks continue to balance customer experience improvements with protecting their institutions and users from fraud, they should be wary of the new Security Code AutoFill feature. We recommend that banks consider the following for transaction authentication use cases:
- Continue to educate customers on the importance of carefully validating their transaction details when authenticating a transaction, especially for those receiving TANs on an iPhone
- Avoid activating the Security Code AutoFill feature for fields used to enter TANs for transaction authentication
- Implement more advanced authentication technologies such as biometrics (e.g., fingerprint, face, behavioral), out-of-band technology (non-SMS-based), and/or push notification for higher risk transactions (e.g., fund transfers)
- Protect mobile apps against compromise with app shielding and runtime application self-protection (RASP) technology