How a Security Code AutoFill Exposes Users to Online Banking Fraud


Last updated: November 25, 2024 (0)

In an attempt to increase the adoption of two-step verification among its users, Apple has added a Security Code AutoFill feature into iOS 12 and macOS Mojave. This feature detects a one-time passcode received via text message and offers to enter it into the appropriate field.

Currently, users have to switch apps and memorize a random four- to six-digit code that is received as the second factor. To receive those codes – something that cyber criminals shouldn’t have access to – the user needs to register a phone number with the service. When a login attempt is recorded, the service automatically generates a one-time passcode and sends it out to the registered phone number. Without it, the user can’t log in.


Despite various attempts to make its use easier, two-step verification – often referred to as two-factor authentication or 2FA – isn’t as widespread as it should be because it is a hassle to memorize the codes and type them into the required fields. Also, SMS-based authentication services have their security flaws, to such a point that the National Institute of Standards and Technology (NIST) has deprecated SMS 2FA.

How security code autofill works

Along with other features, Security Code AutoFill works without any input from app developers or from users of iOS 12 and macOS Mojave. It is worth noting that this feature is limited to the system’s default keyboard. In order to remove the hassle of memorizing the four- to six-digit passcode, the system scans text messages received by the user, looking for words such as “code” or “passcode” in proximity to the actual code string.

The system will look in the iPhone’s Messages app, the default for text messaging, for these keywords. If it identifies a passcode, then the string appears in the QuickType bar so that the user needs only to tap on it to have the code inserted into the required field.

From a security researcher’s perspective, this new feature creates a security risk surrounding the use of SMS in transaction authentication.

How security code autofill creates a security risk

As you may already know, it’s not just authentication services but financial institutions that use SMS messages as a means of communication. Despite its security flaws, SMS is still used by banks to transmit information such as Transaction Authorization Numbers (TANs) to registered phone numbers.

This is where the Security Code AutoFill feature could become a security risk. In an article posted by Information Security researchers at University College London, Andreas Gutmann draws attention to a possible attack scenario involving this feature that ultimately prevents the user from reading the notification message received from the bank about a transaction.

TANs are part of an SMS message from the financial institution informing the user about the status of an online payment. Before Security Code AutoFill, this text message required the user to verify its content and take the necessary steps if it didn’t match up with their intentions.

Gutmann sees Security Code AutoFill as a potential security risk because the user no longer needs to verify the text message’s content. Instead, they just need to tap on the code that appears in the QuickType bar and autofill will do the rest.
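To make both the keyword-proximity extraction described above and the verification step that Gutmann says gets skipped concrete, here is an added Python example. It is not Apple’s code and not from the UCL article; Apple’s real matching rules are not public, so the keyword list, the 4–6 digit pattern and the proximity window are assumptions, and the two SMS texts are constructed samples, not messages from any real bank or carrier.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Keywords and code shape modelled on what the article says the feature looks for.
# The real rules Apple uses are not public; this heuristic is an assumption.
KEYWORDS = ("code", "passcode", "tan")
CODE_RE = re.compile(r"(?<!\d)\d{4,6}(?!\d)")


def extract_otp(sms: str, window: int = 40) -> Optional[str]:
    """Return the first 4-6 digit run within `window` characters of a keyword, else None.

    This is what an autofill heuristic surfaces in the QuickType bar: the digits,
    with none of the surrounding text the user would otherwise have read.
    """
    lowered = sms.lower()
    for m in CODE_RE.finditer(sms):
        start, end = m.span()
        context = lowered[max(0, start - window):end + window]
        if any(k in context for k in KEYWORDS):
            return m.group(0)
    return None


@dataclass(frozen=True)
class Transaction:
    amount: str   # e.g. "1,250.00"
    iban: str     # recipient account


AMOUNT_RE = re.compile(r"EUR\s*(\d[\d,]*\.\d{2})")
IBAN_RE = re.compile(r"\b([A-Z]{2}\d{2}[A-Z0-9]{11,30})\b")


def parse_bank_sms(sms: str) -> Optional[Transaction]:
    """Pull the amount and recipient IBAN out of a TAN message; None if either is missing."""
    amount, iban = AMOUNT_RE.search(sms), IBAN_RE.search(sms)
    if not amount or not iban:
        return None
    return Transaction(amount.group(1), iban.group(1))


def tan_matches_intent(sms: str, intended: Transaction) -> bool:
    """The check a user performs by reading the SMS: do the bank's stated details
    match the payment they meant to approve? False means the TAN must not be used."""
    stated = parse_bank_sms(sms)
    return stated is not None and stated == intended


# Constructed sample messages (not real bank or carrier text).
LOGIN_SMS = "Your login code is 308142. It expires in 10 minutes."
TAN_SMS = ("Your TAN is 482913 for a transfer of EUR 1,250.00 "
           "to IBAN DE89370400440532013000. Do not share it.")

if __name__ == "__main__":
    # What the user believes they approved in the (possibly tampered) banking session.
    intended = Transaction("50.00", "DE89370400440532013000")
    print(extract_otp(LOGIN_SMS))                 # 308142
    print(extract_otp(TAN_SMS))                   # 482913, offered for autofill
    print(tan_matches_intent(TAN_SMS, intended))  # False: the SMS says EUR 1,250.00
```

The point of the last line is the one the article makes: the autofill path returns only `482913`, while the mismatch between the EUR 50.00 the user intended and the EUR 1,250.00 the bank is about to execute is visible only to someone who reads the message. On iOS the field tagging mentioned later in the article is done by setting a text field’s `textContentType` to `.oneTimeCode`; on the web the equivalent is `autocomplete="one-time-code"`.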

The problem isn’t as huge as it seems

While we do partly agree with Gutmann’s point, it is worth adding that for the feature to work flawlessly, developers need to specifically inform iOS about the existence of a one-time passcode by “tagging” the right field so that the system can recognize the passcode in the text message sent to the user.

As a result, while it could potentially represent a security risk, the problem isn’t so dire. The feature paves the way for widespread adoption of two-factor authentication, ultimately lowering the security risks that online accounts face when protected by a single layer only.

Of course, this feature does have its limitations. It only works with SMS messages, so if you use Google Authenticator or another third-party software token, you won’t get the automated autofill. The best solution in this case is a password manager such as 1Password, which integrates one-time passcodes so that all you need to do is enable it. And, as it happens, software tokens are more secure than SMS messages.



©2012-2025 Best Reviews, a clovio brand – All rights reserved