UCL Discovery

Taken Out of Context: Security Risks with Security Code AutoFill in iOS & macOS

Gutmann, A; Murdoch, SJ; (2019) Taken Out of Context: Security Risks with Security Code AutoFill in iOS & macOS. In: Proceedings of Who Are You?! Adventures in Authentication Workshop (WAY 2019). USENIX: Santa Clara, CA, USA. (In press). Green open access

Gutmann_WAY_2019.pdf - Published Version


Abstract

Security Code AutoFill is a new convenience feature integrated into iOS 12 and macOS 10.14, which aims to ease the use of security codes sent via SMS. We report on the first security evaluation of this feature, inspecting its interaction with different types of service and security technologies that send security codes via SMS for authentication and authorisation purposes. We found security risks resulting from the feature hiding salient context information about the SMS message while still relying on users to make security-cautious decisions. Our findings show that adversaries could exploit this decontextualisation. We describe three attack scenarios in which an adversary could leverage this feature to gain unauthorised access to users’ online accounts, impersonate them through their instant messengers, and defraud them during online card payments. We discuss the results and suggest possible measures for affected online services to reduce the attack surface by altering the phrasing of their SMS or using alphanumeric security codes. In addition, we explore the design space of Security Code AutoFill and sketch two alternative prototype designs which aim at retaining the improved convenience while empowering users and online services to safeguard their interactions.

Type: Proceedings paper
Title: Taken Out of Context: Security Risks with Security Code AutoFill in iOS & macOS
Event: Who Are You?! Adventures in Authentication Workshop (WAY 2019)
Location: Santa Clara, CA 95054, USA
Dates: 11 August 2019 - 11 August 2019
Open access status: An open access version is available from UCL Discovery
Publisher version: https://wayworkshop.org/
Language: English
Additional information: This version is the author accepted manuscript. For information on re-use, please refer to the publisher’s terms and conditions.
UCL classification: UCL
UCL > Provost and Vice Provost Offices
UCL > Provost and Vice Provost Offices > UCL BEAMS
UCL > Provost and Vice Provost Offices > UCL BEAMS > Faculty of Engineering Science
UCL > Provost and Vice Provost Offices > UCL BEAMS > Faculty of Engineering Science > Dept of Computer Science
URI: https://discovery.ucl.ac.uk/id/eprint/10076464