One of the new features of iOS 12, which will be officially released in the fall, is the ability to recognize verification codes in text messages and fill them in automatically. The feature is a real convenience for users, but security expert Andreas Gutmann recently pointed out that such automatic filling may pose a security risk, and reminded banks and app developers to pay attention to strengthening their defenses.

At the Worldwide Developers Conference (WWDC 2018) in June this year, Apple announced a new feature of iOS 12: Auto Fill, which aims to give users a seamless sign-up experience by automatically reading verification codes from text messages, saving them the trouble of typing the codes into forms by hand in apps such as Safari. At present, most online transactions and logins use two-factor authentication (2FA), so automatic filling of verification codes is undoubtedly convenient for users. In addition, if your Mac is running the latest Mojave beta, the SMS verification code is also passed to the Mac through the "Handoff function".

Two-factor authentication, commonly known as two-step verification, is an essential element of many security systems. In most cases, 2FA adds security by checking whether the user has access to a mobile device. For example, in SMS-based 2FA, the user gives his or her mobile phone number to a service, and the service sends a one-time password (OTP), also known as a verification code, to the registered phone number to verify the user's legitimacy. The user receives this code and can enter it during the login process, while an impersonator cannot access the code.

With the new iOS 12 feature, the user only has to tap once when the verification SMS arrives and the code is entered automatically, which speeds up the login process and reduces errors.
Security experts affirm that Apple's approach is a major improvement in the usability of 2FA, and that it can also increase the adoption of 2FA among iPhone users. However, experts also warn that the automatic filling of verification codes in iOS 12 may give rise to risks such as fraud and phishing attacks.

The dynamic verification code itself is an important tool for defending against complex attacks. The key is that the user must receive it and actively enter the verification code manually within the valid time. Auto-fill removes the manual part, which is convenient for users, but it also offsets the security advantages of transaction signatures and transaction authentication numbers (TANs).

The auto-fill feature of iOS 12 is based on triggered message detection. For example, when a word such as "verification code" or "password" is detected in a message, the corresponding code is extracted for filling. Malicious websites or malware may also extract verification codes by such means and commit online banking fraud. Users who access online banking through the Safari browser on a MacBook may be subject to man-in-the-middle attacks.

Security experts suggest that banks should be wary of the new verification code auto-fill feature:
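
An added illustration (not code from the article or from Apple) of why keyword-triggered extraction weakens transaction-bound codes: the filler takes only the digits, so the amount and payee that a TAN message asks the user to confirm go unread. The trigger words, the message formats and the `autofill_view` helper are assumptions made for this example.

```python
import re

# Assumed trigger words, modelled on the article's examples; Apple's real
# detection heuristics are not described on the page.
TRIGGERS = re.compile(r"verification code|password|\bTAN\b|\bcode\b", re.I)
# A standalone run of 4-8 digits that is not part of a decimal amount.
CODE = re.compile(r"(?<![\d.,])\b\d{4,8}\b(?![.,]\d)")
# Transaction details a TAN message binds the code to (hypothetical formats).
AMOUNT = re.compile(r"(?:EUR|USD|GBP)\s?\d[\d,]*(?:\.\d{2})?")
PAYEE = re.compile(r"\bto\s+([A-Z][\w&]*(?:\s[A-Z][\w&]*)*)")

def autofill_view(sms):
    """Return what a keyword-triggered filler takes from an SMS, and what it leaves unread."""
    trigger = TRIGGERS.search(sms)
    # Look for the code only after the trigger word, as a filler keyed on it would.
    code = CODE.search(sms[trigger.end():]) if trigger else None
    skipped = {}
    amount, payee = AMOUNT.search(sms), PAYEE.search(sms)
    if amount:
        skipped["amount"] = amount.group(0)
    if payee:
        skipped["payee"] = payee.group(1)
    return {
        "code": code.group(0) if code else None,
        "skipped_context": skipped,
        # True when the code authorises a specific transaction the user should verify.
        "transaction_bound": bool(code and skipped),
    }

# Constructed sample messages, not taken from any real bank.
SAMPLES = [
    "Your verification code is 482913. It expires in 5 minutes.",
    "TAN 730155 authorises a transfer of EUR 2,400.00 to ACME Trading Ltd. Do not share this code.",
    "Your parcel 12345678 is out for delivery.",
]

if __name__ == "__main__":
    for sms in SAMPLES:
        print(autofill_view(sms))
```

A bank could run the same check over its outgoing SMS templates to find transaction-bound messages whose protection depends on the user actually reading them.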