UK’s Metro Bank hit by SS7 attack
UK-based Metro Bank has suffered an SS7 attack as the financial world can’t escape the attention of criminals.
No fun from Signaling System No 7
According to Motherboard, Metro Bank confirmed to the publication it had faced such an assault.
Hackers have long exploited flaws in SS7, a protocol used by telecom companies to coordinate how they route texts and calls around the world.
Those who exploit SS7 can potentially track phones across the other side of the planet, and intercept text messages and phone calls without hacking the phone itself.
With cybercrime gangs very prevalent, and getting predatory around banks, it seems they are using this technique to try and empty bank accounts.
Credit has to go to Motherboard for this discovery and research. At the time of writing, Metro Bank has issued no statement on its website or on its Twitter accounts.
The National Cyber Security Centre (NCSC) also confirmed this latest issue.
“We are aware of a known telecommunications vulnerability being exploited to target bank accounts by intercepting SMS text messages used as 2-Factor Authentication (2FA),” the NCSC tells Motherboard in a statement.
The bank adds: “Of those customers impacted by this type of fraud, an extremely small number have been Metro Bank customers and none have been left out of pocket as a result.”
If you want more info on how SS7 works, Motherboard explains that in the case of stealing money from bank accounts, a hacker would typically first need a target’s online banking username and password.
Perhaps they could obtain this by phishing the target. Then, once logged in, the bank may ask for confirmation of the transfer by sending the account owner a verification code in a text message.
With SS7, the hackers can intercept this text and enter it themselves. Exploiting SS7 in this way is a way to circumvent the protections of two-factor authentication, where a system not only requires a password, but something else too, such as an extra code.
The Metro Bank incident seems to be the first publicly reported case of a UK bank falling victim to an SS7 attack.
It’s not been a good time for the bank recently.
Last month, it had the misfortune to see a third of its share price wiped out as its profit fell short of expectations.
The fall was due to a massive blunder in how it classifies its loan book. This mistake wiped £600 million off its value.
Initially it said it found the accounting error, but then admitted it was the Prudential Regulatory Authority who had made the discovery.
