Your iPhone will no longer suggest 2FA autofill if you’re on a phishing site

With the new format, your iPhone will only offer AutoFill suggestions if the domain in the message and the domain of the website you're on match

Apple is urging companies to send two-factor messages in a new, more secure format in a bid to curb phishing attacks, as first reported by 9to5Mac.

Apple’s code AutoFill feature works like this: when a website or an app sends a two-factor authentication code via message, the code automatically appears as an AutoFill suggestion. Scammers have reportedly started taking advantage of this.

This is how the attack works:

  • A scammer tricks you into clicking on a fraudulent Twitter link, for example.
  • You type in your login credentials and submit them.
  • The scammer uses the same credentials on the legitimate Twitter website.
  • The scammer is then prompted to enter the two-factor authentication code.
  • You receive the code, and it is displayed in the AutoFill suggestion tab. You enter the code on the phishing (fake Twitter) website.
  • The scammer uses the 2FA code obtained through the phishing site and enters it on the legitimate Twitter website to gain access to your account.
This is where a new and more secure format of sending codes comes in.

With the new format, your iPhone will only offer AutoFill suggestions if the domain in the message and the domain of the website you’re on match. For example, say you’re trying to log in to a website that claims to be Twitter.com but is in reality a phishing page at Twitter.login.info.com. In that case, your device won’t offer you an AutoFill suggestion.

The new format, in comparison to the old one, looks something like this:

Image credit: Macworld
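The domain check described above, as an added sketch that is not code from Apple or from the original article. It assumes the last line of a domain-bound message has the form `@domain #code`, the layout given in Apple's developer guidance for domain-bound codes; the sample message, URLs and function names are constructed, and accepting subdomains of the bound domain is an assumption of this sketch.

```python
import re
from urllib.parse import urlsplit

# Assumed final line of a domain-bound SMS: "@<domain> #<code>".
BOUND_LINE = re.compile(r"^@(?P<domain>[A-Za-z0-9.-]+) #(?P<code>[A-Za-z0-9]+)$")


def parse_bound_code(sms_text):
    """Return (domain, code) from the final line, or None for an old-format SMS."""
    lines = sms_text.strip().splitlines()
    if not lines:
        return None
    match = BOUND_LINE.match(lines[-1].strip())
    if match is None:
        return None
    return match.group("domain").lower().rstrip("."), match.group("code")


def host_matches(page_url, bound_domain):
    """True if the page's host is the bound domain or one of its subdomains.

    Accepting subdomains is an assumption of this sketch.
    """
    host = (urlsplit(page_url).hostname or "").rstrip(".")
    # The leading dot stops look-alikes such as eviltwitter.com from matching.
    return host == bound_domain or host.endswith("." + bound_domain)


def autofill_suggestion(sms_text, page_url):
    """Return the code to suggest on page_url, or None to suggest nothing."""
    parsed = parse_bound_code(sms_text)
    if parsed is None:
        return None  # this sketch models only the domain-bound format
    domain, code = parsed
    return code if host_matches(page_url, domain) else None


# Constructed sample message; the URLs below are constructed too.
SMS = "123456 is your Twitter code.\n\n@twitter.com #123456"

if __name__ == "__main__":
    for url in ("https://twitter.com/login",
                "https://mobile.twitter.com/login",
                "https://Twitter.login.info.com/",
                "https://eviltwitter.com/"):
        print(url, "->", autofill_suggestion(SMS, url))
```

The check compares the full host name taken from the URL, so a look-alike label at the front of a different domain, as in the article's Twitter.login.info.com example, never matches.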

While this isn’t a foolproof method to deter scammers and phishing attacks, as it relies on the user noticing that the authentication code isn’t auto-filling like it usually would on legitimate websites, it is still a good step forward. However, dedicated authentication apps like Google Authenticator, Microsoft Authenticator and Authy should serve you better.

Source: 9to5Mac
