Criminals hit Metro Bank with multi-factor authentication bypass SS7 attack

News by Rene Millman

UK bank latest to fall victim to weakness in the SS7 telecoms protocol which is being increasingly exploited by criminals to defeat multi-factor authentication systems.

Metro Bank Borehamwood (Pic: Philafrenzy/Wikimedia)

UK-based Metro Bank has reportedly fallen victim to a 2FA bypass attack after cyber-criminals were able to compromise a known flaw in the SS7 protocol.

According to a report by Motherboard, hackers exploited the vulnerability in the SS7 protocol to beat the two-factor authentication (2FA) system used by Metro Bank to protect customers.

The attack mechanism for this is complicated and once thought of as rare. However, the National Cyber Security Centre (NCSC) said that attacks using the flaw are rapidly increasing.

"We are aware of a known telecommunications vulnerability being exploited to target bank accounts by intercepting SMS text messages used as two-factor authentication," it said in a statement to the publication.

Signalling System No. 7 (SS7) was developed in 1975 to perform essential operations on the public switched telephone network (PSTN). Among those are operations associated with transmitting Short Message Service (SMS) messages which are today often used in 2FA systems.

A tool called SnoopSnitch, developed by Karsten Nohl and available on the Google Play store, can reportedly warn users about certain SS7 attacks against their devices.

Metro Bank confirmed to Motherboard that it had been attacked.

"At Metro Bank we take our customers' security extremely seriously and have a comprehensive range of safeguards in place to help protect them against fraud.

"We have supported telecommunication companies and law enforcement authorities with an industry-wide investigation and understand that steps have been taken to resolve the issue," a Metro Bank spokesperson said.

SC Media UK has approached Metro Bank for further comment.

Michael Downs, telecoms cyber-security director of EMEA at Positive Technologies, told SC Media UK that the weakness in SS7 can not only be used for SMS interception – as is the case here with Metro Bank – but also to steal user's personal data, location tracking through their phones, signalling fraud and also hijacking devices to orchestrate denial of service attacks.

"SMS interception is just one of the easiest ways to exploit these flaws – our own research on telecoms infrastructure has found that nine out of ten attempted SMS interception attacks are successful," he said.

"What is even more worrying is that, despite the fact that operators have spent billions on upgrading networks, our research shows that the same vulnerabilities exist. The risk of attacks and consequences will only grow as the world moves to be more and more connected with Internet of Things a primary driver. What this attack shows is that a security issue within the telecoms industry isn't just a problem for the telecoms industry – it effects every company and device that relies on the network – which is pretty much everyone."

Jon Bottarini, lead technical program manager at HackerOne, told SC that whether criminals use man-in-the-middle Signaling System 7 (SS7) attacks or engage in SIM card swapping, it just goes to show that relying on an SMS-based method of two-factor authentication is not the best secure way to protect your most sensitive accounts.

"Using an Authenticator App or time-based one-time password (TOTP) for two-factor authentication is the best method to prevent against these types of attacks," he said.

As reported by SC, the SS7 flaw has been demonstrated by security researchers to defeat encryption in messaging systems such as WhatsApp and Telegram.

Find this article useful?

Get more great articles like this in your inbox every lunchtime

Video and interviews