Andreas Gutmann and Steven J. Murdoch, OneSpan Cambridge Innovation Centre & University College London
Security Code AutoFill is a new convenience feature integrated into iOS 12 and macOS 10.14, which aims to ease the use of security codes sent via SMS. We report on the first security evaluation of this feature, inspecting its interaction with different types of service and security technologies that send security codes via SMS for authentication and authorisation purposes. We found security risks resulting from the feature hiding salient context information about the SMS message while still relying on users to make security-cautious decisions. Our findings show that adversaries could exploit this decontextualisation. We describe three attack scenarios in which an adversary could leverage this feature to gain unauthorised access to users' online accounts, impersonating them through their instant messengers, and defraud them during online card payments. We discuss the results and suggest possible measures for affected online services to reduce the attack surface by altering the phrasing of their SMS or using alphanumeric security codes. In addition, we explore the design space of Security Code AutoFill and sketch two alternative prototype designs which aim at retaining the improved convenience while empowering users and online services to safeguard their interactions.
@inproceedings{gutmann-19-autofill,
author = {Gutmann, Andreas and Murdoch, Steven J.},
title = {{Taken Out of Context: Security Risks with Security Code AutoFill in iOS \& macOS}},
booktitle = {Who Are You?! Adventures in Authentication Workshop},
year = {2019},
series = {WAY~'19},
pages = {1--6},
address = {Santa Clara, California, USA},
month = aug,
publisher = {}
} % No publisher