Apple is Changing the Format of its SMS Auto-Fill Codes To Prevent Phishing Attacks from Breaking Through

With phishing attacks getting smarter by the day, Apple has decided to fortify its user safety regulations and has changed the layout of its two-factor authentication SMS messages to protect users from harm.

Honestly, I’ve been typing the words “cybercriminals are getting smarter” out on a near-weekly basis ever since I started covering information security. It’s astounding to see just how many safety regulations are pulled out and developed by major mega-corporations and tech giants only for a group of computer-savvy individuals in their 20s or 30s to shrug and dismantle the operation within seconds. This is the sort of despair I feel whenever my attention is directed to Apple’s Tracking and Transparency features: features that, despite being hailed as some of the best user-oriented privacy features added to any mainstream tech product in recent times, are still fallible and don’t cover all bases. Tracking and Transparency, the iOS 14 darling, doesn’t cover threats from outside phishing attacks, instead only immunizing a device from applications siphoning off user data. So, what’s the new phishing threat sweeping the nation? It has something to do with two-factor authentication and SMS-sent verification codes.

To think that 2FA, which is often considered to be a very foolproof form of online security maintenance, has been trumped is pretty worrying. To have that being done across SMS instead of an online alternative, however, is much worse. Phishing attacks have started sending out fake links that also require 2FA, which triggers an Apple product to send in actual, genuinely generated codes. Apple devices also have a feature that automatically enters 2FA codes into the relevant fields. This algorithm, unable to tell a phishing link from a real one, sends the codes over to the wrong person. Voila! Your phone is perhaps not yours anymore, so that’s always fun.

Now, Apple is rectifying this security oversight by changing the formatting of code-bearing SMSs. Without going into a lot of technical detail, this new format will essentially note the domain of the website that’s asking for the codes. If the website doesn’t seem reliable, i.e. it does not have an HTML address, then codes are generated but not autofilled; customers may be accessing such a website of their own volition, and shutting them out completely doesn’t fix the problem. On the other hand, neither does leaving the choice completely up to the user: anyone who isn’t all that tech-savvy won’t realize that the lack of autofill is a sign from Apple, and will continue to fill the code in themselves without giving it any thought.
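The domain check described above, sketched as an added example (not code from Apple or from the original article). It assumes the SMS ends with a line of the form `@<domain> #<code>`, as in the public origin-bound one-time-code proposal; the function names, the HTTPS requirement, and the host-or-subdomain matching rule are assumptions of this sketch.

```javascript
// Added example. Assumed message shape (not given in the article): the last
// line of the SMS reads "@<domain> #<code>".
const BOUND_LINE = /^@([a-z0-9.-]+) #([a-z0-9]+)$/i;

// Parse the SMS; returns { domain, code } or null if the last line is not domain-bound.
function parseBoundCode(sms) {
  const lines = sms.trim().split(/\r?\n/);
  const m = BOUND_LINE.exec(lines[lines.length - 1].trim());
  return m ? { domain: m[1].toLowerCase(), code: m[2] } : null;
}

// True when pageHost is the bound domain or a subdomain of it.
// Comparison is on label boundaries, so "example.com.evil.test" and
// "notexample.com" do not match "example.com".
function hostMatches(pageHost, boundDomain) {
  const host = pageHost.toLowerCase().replace(/\.$/, "");
  return host === boundDomain || host.endsWith("." + boundDomain);
}

// Decide whether to offer autofill on the page at pageUrl.
// Policy of this sketch: only domain-bound codes on matching HTTPS pages are filled.
function autofillDecision(sms, pageUrl) {
  const bound = parseBoundCode(sms);
  if (!bound) return { autofill: false, reason: "no-domain-binding" };
  let url;
  try { url = new URL(pageUrl); } catch { return { autofill: false, reason: "bad-url" }; }
  if (url.protocol !== "https:") return { autofill: false, reason: "not-https" };
  if (!hostMatches(url.hostname, bound.domain)) {
    return { autofill: false, reason: "domain-mismatch" };
  }
  return { autofill: true, code: bound.code, reason: "domain-match" };
}

// Constructed sample message and page URLs.
const sampleSms = "Your Example code is 123456.\n\n@example.com #123456";
for (const page of ["https://example.com/login", "https://login.example.com/",
                    "https://example.com.evil.test/login", "http://example.com/login"]) {
  console.log(page, "->", autofillDecision(sampleSms, page).reason);
}
```

A refused autofill leaves the code visible in the message, so the user can still type it in by hand, which is the residual risk the paragraph above points out.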


H/T: MacWorld
