iOS 12 Security: Why OTP Autofill is a Fraudster’s Best Friend

Jul. 19, 2018 | by Uri Rivner

Last month Apple revealed a cool feature in iOS 12 security: the device will scan incoming SMS messages for One Time Codes, used for 2FA, and then suggest those codes as an auto-fill function when relevant.

It’s a great friction-reduction capability. Instead of receiving the text message, memorizing the 6-digit one-time code, switching to the other app, typing it in and hoping the number entered is indeed the correct one, the user gets a semi-automated process and just needs to submit the pre-filled code.

UX improvements often open up new security issues. Is there a way fraudsters can quickly utilize the new feature?

Quite a few, actually.

User Expectation = Fraudster Delight

Many banks send an alert that cautions the user to check that they’re sending money to a specific destination account, asking the user to enter the one-time-code only after they verify the transaction details. Fraudsters have multiple ways to circumvent this control: from SIM swaps to phone number change requests to simple social engineering.

But now their work will be a bit easier: since SMS-based OTP is so ubiquitous, users will quickly get used to the new method of auto-filling the code and won’t bother reading the original messages, thus completely missing the fact that their account is being emptied and the money is going to an unknown destination.

Social engineering attacks such as vishing will also be made easier. Any warnings the bank issues by SMS, the most useful medium for contacting a user who is about to empty their own accounts, will similarly be ignored by users who have grown comfortable with the new UX and expect bank-originated messages to convert automatically into fast access, with no need to actually look at the message.

Remote Access (RAT) attacks will also benefit from this. A fraudster that convinces the user to install remote access apps will be able to open the targeted application, initiate a transfer from the victim’s device, and the authorization OTP that the bank will send will be automatically populated in milliseconds. The fraudster won’t even need to type it to approve the transaction, giving the user no time to spot any foul play.

OTPs are the most prevalent PSD2 controls. Even before this change, relying on strong authentication was a risky business: fraud tripled between 2007 and 2010 in the UK despite 100% adoption of strong authentication controls, and jumped to about 8x the original level after advanced malware, RATs and social engineering methods were honed. 100% of online banking fraud in the UK is strongly authenticated. This new feature will not generate a whole new attack surface, but it can further erode the reliability of OTPs.

It’s not all doom and gloom. Changes that favor user experience and choice are always given high priority – from Faster Payments to OpenAPI to the move into sleek mobile UI – and the industry does develop effective defenses that can offset the weaknesses in strong authentication and allow better usability without compromising security. Still, it’s important to know what’s coming. Fraudsters will really like this new capability, and we just need to be ready for it.
