Apple has added a protection mechanism to detect and prevent phishing attacks in the two-factor authentication (2FA) autofill feature. The system receives a code via SMS and automatically fills in the corresponding field to make the user’s life easier, but it was exploited by criminals to gain unauthorized access to accounts.
The change introduced by Apple prevents the copied data from being leaked in a possible phishing attack and should affect users on iOS 15, iPadOS 15 and macOS 11 Big Sur. The creator of the iPhone proposed a change in the content of text messages with codes that come to phones last year just for that. See the difference:
- New: Your Apple ID Code is: 123456. Do not share with anyone. @apple.com #123456 %apple.com
- Old one: Your Apple ID Code is: 123456. Do not share with anyone.
In Apple’s messaging model, the SMS needs to contain the correct website domain, repeating code, and an embedded HTML element. In this way, the protection system scans these three items to decide whether to fill in the field. When there is no match, the mechanism blocks automation and leaves the decision to enter the code up to the user.
Want to stay on top of the best tech news of the day? Access and subscribe to our new youtube channel, Kenyannews News. Every day a summary of the main news from the tech world for you!
Be careful when typing codes on websites
While it’s not a definitive solution to stopping phishing, the idea may thwart some less sophisticated attempts. For the proposal to work fully, websites will need to adopt this new SMS format suggested by the Cupertino giant, which is still uncertain.
The recommendation, whether on iOS or Android, is to always opt for the option of using two-factor authentication through a code generator, instead of SMS. There are several applications, such as Google Authenticator, that provide more security than text messages. If you’re already on iOS 15, you don’t even need a third-party 2FA app: Keychain is integrated into the system and fully supported.
The two-factor authentication autofill feature has been around for quite some time at Apple. This saves the user from having to open the Messages app, copy the code and paste it into the corresponding location. Apple Keychain has come to the latest iOS version to deliver a more effective solution, but older pages have not yet migrated to random codes, so they still rely on sending SMS with the numeric sequence.
