New iOS 12 Feature Risks Exposing Users to Online Banking Fraud
Security Code AutoFill is a new feature for iPhones in iOS 12. It is supposed to improve the usability of two-factor authentication, but could expose users to online banking fraud by removing the human validation aspect of the transaction signing/authentication process.
Two-factor authentication (2FA), which is often referred to as two-step verification, is an essential element of many security systems, especially for online transactions and remote access. In most cases, 2FA provides extended security by checking if the user has access to a mobile device. In SMS-based 2FA, for example, a user registers their phone number with an online service. When this service sees a login attempt for the corresponding user account, it sends a One Time Password (OTP), e.g. four to six digits, to the registered phone number. The legitimate user receives this code and is able to enter it during the login process – something an impersonator doesn't have access to.
At the WWDC18 developer conference in June, Apple announced that they will automate this last step of the 2FA process in iOS 12 to improve user experience. The Security Code AutoFill feature, currently available to developers in a beta version, will allow the mobile device to scan incoming SMS messages for such codes and suggest them at the top of the default keyboard.
Description of new Security Code AutoFill feature
Improving the SMS-based 2FA User Experience
Currently, these SMS codes rely on the user actively switching apps and memorizing the code, which can take a couple of seconds. Some users attempt to memorize the code from the preview banner and then enter it. Apple's new iOS feature requires a single tap from the user to automatically input the security code. This will speed up the login process and reduce errors, a significant improvement to the usability of 2FA. It could also increase adoption of 2FA among iPhone users.
Example of Security Code AutoFill feature in operation on iPhone (source: Apple)
In addition, if users synchronise SMS with their MacBook or iMac, the existing Text Message Forwarding feature will also push codes from their iPhone and enable Security Code AutoFill in Safari.
Example of Security Code AutoFill feature synchronised with macOS Mojave (source: Apple)
Reducing friction in user interaction to improve technology adoption by new users, and increase the usability and satisfaction for existing users, is not a new concept. It has been discussed in academia at length, and is also a common goal within industry, e.g. in banking and financial services. This is evident in how the financial and payments industry has encouraged contactless (Near Field Communication or NFC) payments, which makes transactions below a certain threshold much quicker than traditional chip and PIN payments.
iOS 12 Security Code AutoFill Feature Could Expose Banks and Users to Fraud
As architects and designers, especially in computer security, we know that when making changes to one part of a system, we need to evaluate how this affects every other part that it interacts with. In the case of the upcoming Security Code AutoFill feature in iOS 12, while making SMS-based 2FA more convenient for users, it may negate the security benefits of transaction signing and Transaction Authentication Numbers (TANs).
Transaction authentication, as opposed to user authentication, attests to the correctness of the intention of an action rather than just the identity of a user. It is most widely known in online banking, and in particular as a way to meet the EU's Revised Payment Services Directive (PSD2) requirement for dynamic linking, where it is an essential tool to defend against sophisticated attacks. For example, an adversary can try to trick a victim into transferring money to a different account than the one intended. To achieve this the adversary might use social engineering techniques such as phishing and vishing and/or tools such as Man-in-the-Browser malware.
Transaction authentication is used to defend against these adversaries. Different methods exist but in the one of relevance here – which is among the most common methods currently used – the bank will summarize the transaction data, add a TAN created specifically from that data, and send both to the registered phone number via SMS. The user, or bank customer in this case, should verify the summary and, if this summary matches his or her intentions, enter the TAN from the SMS message into the webpage.
TAN by SMS for online banking
Critics of the SMS-based OTP, whether used for 2FA or transaction authentication, have called it out as insecure. For example, in recent years the National Institute of Standards and Technology (NIST) initially publicly criticized SMS as a communication medium for secure authentication, labelling it as insecure and unsuitable for strong authentication. However more recently, they have softened their language and instead deprecated SMS 2FA. Yet, it's still considered secure enough to be used for Strong Customer Authentication (SCA) under PSD2.
How Security Code AutoFill Could Negate the Security Benefits of Transaction Authentication
This new iOS feature creates problems for the use of SMS in transaction authentication. Applied to 2FA, the user would no longer need to open and read the SMS from which the code has already been conveniently extracted and presented. The code is detected in a message based on heuristics such as proximity to the words 'code' or 'passcode', which are used in messages delivering 2FA codes and TANs alike. Security Code AutoFill on a webpage or in an app is then suggested if the input field is tagged accordingly.
Unless this feature can reliably distinguish between OTPs in 2FA and TANs in transaction authentication, we can expect that users will also have their TANs extracted and presented without context of the transaction data, e.g. amount and destination of the transaction.
The fact that a user verifies this salient information is precisely what provides the security benefit. Removing that from the process renders it ineffective. Examples in which Security Code AutoFill could pose a risk to online banking security include a Man-in-the-Middle attack on the user accessing online banking from Safari on their MacBook, injecting the required input field tag if necessary, or where a malicious website or app accesses the bank's legitimate online banking service.
We are excited about the anticipated improved usability of 2FA and hope that it will encourage more iOS users to adopt 2FA. But we can hardly predict the future. SMS-based transaction authentication might well remain an established technology in online banking, with banks holding customers liable if they do not verify the transaction information. Whether it is justified to place the burden on users who behave as encouraged by the technology is both a philosophical and legal question.
Considerations for Banking Use Cases
As banks continue to balance customer experience improvements with protecting their institutions and users from fraud, they should be wary about the new Security Code AutoFill feature. We recommend that banks should consider the following when it comes to transaction authentication use cases:
- Continue to educate customers on the importance of carefully validating their transaction details when authenticating a transaction, especially for those receiving TANs on an iPhone
- Avoid activating the Security Code AutoFill feature for fields used to enter TANs for transaction authentication
- Implement more advanced authentication technologies such as biometrics (e.g., fingerprint, face, behavioral), out-of-band technology (non-SMS-based), and/or push notification for higher risk transactions (e.g., fund transfers)
- Protect mobile apps against compromise with app shielding and runtime application self protection (RASP) technology
For more information about how to secure transaction signing, download this white paper:
This article was first published by Andreas Gutmann on Bentham's Gaze, a blog by Information Security researchers at University College London. Special thanks to Vincent Haupert for his comments on the original article. We've since updated this article with more information about how Secure Code AutoFill could be utilised in an attack, Apple's developer conference WWDC18, and the embedded pictures.