UCL  IRIS
Institutional Research Information Service
UCL Logo
Please report any queries concerning the funding data grouped in the sections named "Externally Awarded" or "Internally Disbursed" (shown on the profile page) to your Research Finance Administrator. Your can find your Research Finance Administrator at https://www.ucl.ac.uk/finance/research/rs-contacts.php by entering your department
Please report any queries concerning the student data shown on the profile page to:

Email: portico-services@ucl.ac.uk

Help Desk: http://www.ucl.ac.uk/ras/portico/helpdesk
Publication Detail
Taken Out of Context: Security Risks with Security Code AutoFill in iOS & macOS
  • Publication Type:
    Conference
  • Authors:
    Gutmann A, Murdoch SJ
  • Publisher:
    USENIX
  • Publication date:
    30/06/2019
  • Name of conference:
    Who Are You?! Adventures in Authentication Workshop (WAY)
  • Conference place:
    Santa Clara, CA 95054, USA
  • Conference start date:
    11/08/2019
  • Conference finish date:
    11/08/2019
  • Publisher URL:
Abstract
Security Code AutoFill is a new convenience feature integrated into iOS 12 and macOS 10.14, which aims to ease the use of security codes sent via SMS. We report on the first security evaluation of this feature, inspecting its interaction with different types of service and security technologies that send security codes via SMS for authentication and authorisation purposes. We found security risks resulting from the feature hiding salient context information about the SMS message while still relying on users to make security-cautious decisions. Our findings show that adversaries could exploit this decontextualisation. We describe three attack scenarios in which an adversary could leverage this feature to gain unauthorised access to users’ online accounts, impersonating them through their instant messengers, and defraud them during online card payments. We discuss the results and suggest possible measures for affected online services to reduce the attack surface by altering the phrasing of their SMS or using alphanumeric security codes. In addition, we explore the design space of Security Code AutoFill and sketch two alternative prototype designs which aim at retaining the improved convenience while empowering users and online services to safeguard their interactions.
Publication data is maintained in RPS. Visit https://rps.ucl.ac.uk
 More search options
UCL Researchers
Author
Dept of Computer Science
University College London - Gower Street - London - WC1E 6BT Tel:+44 (0)20 7679 2000

© UCL 1999–2011

Search by