BioCatch is raising some red flags over one feature of iOS 12, Apple’s forthcoming operating system update for its mobile devices. In a new post on the BioCatch blog, the company says that the iOS 12 ‘OTP Autofill’ system ‘is a fraudster’s best friend.’
It’s a feature aimed at improving the user experience by automating the one-time password process. When a trusted organization such as a bank sends an SMS code to a user, the iOS 12 system will copy the code from the message and suggest it for autofill wherever the password is meant to be entered.
It may sound harmless enough, but BioCatch’s concern is about end user complacency. The behavioral biometrics specialist warns that as iPhone users get used to the autofill feature, they will stop reading the original messages from the organizations that send the OTPs, missing out on vital information such as an account being emptied.
The autofill feature could also make it easier for hackers to perform attacks using remote access Trojans. As BioCatch explains, “A fraudster that convinces the user to install remote access apps will be able to open the targeted application, initiate a transfer from the victim’s device, and the authorization OTP that the bank will send will be automatically populated in milliseconds.”
The picture isn’t entirely bleak, of course. A related security feature in iOS 12 will essentially implement a password manager for Safari, Apple’s web browser, which will generate, store, and autofill strong passwords and tie them to the biometric authentication systems built into Apple’s iPhones. That will make life a little easier for end users, just as the OTP autofill feature will, but those users still need to remain vigilant about security threats themselves, and that means reading the messages from their banks and any other institutions that send them OTP codes.
Source: BioCatch Blog
July 20, 2018 – by Alex Perala