Metro Bank is the first bank that disclosed SS7 attacks against its customers

Metro Bank has become the first major bank to disclose SS7 attacks against its customers, but experts believe it isn’t an isolated case.

A new type of cyber attack was used for the first time against the Metro Bank, threat actors are leveraging known flaws in the SS7 signaling protocol to intercept the codes sent via text messages to customers to authorize transactions.

The Signaling System 7, aka SS7, which is a set of protocols developed in 1975 that allows the connections of one mobile phone network to another. The information passed from a network to another is needed for routing calls and text messages between several networks.

The SS7 performs out-of-band signaling in support of the call establishment, billing, routing, and information exchange functions of the public switched telephone network (PSTN).

Attackers exploited the flaw in the SS7 protocol to defeat the 2FA authentication used by Metro Bank to protect its customers.

“This activity was typically only within reach of intelligence agencies or surveillance contractors, but now Motherboard has confirmed that this capability is much more widely available in the hands of financially-driven cybercriminal groups, who are using it to empty bank accounts.” reported Motherboard that first reported the attacks.

“So-called SS7 attacks against banks are, although still relatively rare, much more prevalent than previously reported. Motherboard has identified a specific bank—the UK’s Metro Bank—that fell victim to such an attack.

This is not an isolated case, other banks have also been affected by this specific attack. A Metro Bank spokesman confirmed that only a “small number” of the bank’s customers had been affected.

“At Metro Bank we take our customers’ security extremely seriously and have a comprehensive range of safeguards in place to help protect them against fraud. We have supported telecommunication companies and law enforcement authorities with an industry-wide investigation and understand that steps have been taken to resolve the issue.” said the Bank spokesman.

“Of those customers impacted by this type of fraud, an extremely small number have been Metro Bank customers and none have been left out of pocket as a result. Customers should continue to remain vigilant and report any suspicious activity using the number on the back of their card or on our website.”

Metro Bank immediately informed the authorities of the attacks, but many other financial institutions that were affected by SS7 attacks have not disclosed it.

“We are aware of a known telecommunications vulnerability being exploited to target bank accounts by intercepting SMS text messages used as 2-Factor Authentication (2FA).” said National Cyber Security Centre spokesman.

“While text messages are not the most secure type of two-factor authentication, they still offer a huge advantage over not using any 2FA at all.”

Karsten Nohl, a researcher from Security Research Labs, conducted numerous studies on the flaws affecting the SS7 protocol and confirmed that many banks suffered similar attacks.

“Some of our clients in the banking industry or other financial services; they see more and more SS7-based [requests],” Karsten Nohl, a researcher from Security Research Labs who has worked on SS7 for years, told Motherboard in a phone call. “All of a sudden you have someone’s text messages.”

Major British UK company BT confirmed that it is aware of SS7 attacks to commit banking fraud.

“Customer security is our top priority so we’re always upgrading our systems and working with the industry and banks to help protect our customers.” a BT spokesperson.

Who is behind the SS7 attacks on Metro Bank?

Experts believe there is a well-resourced and coordinate cyber criminal group of highly skilled professionals.

“[Graeme Coffey, head of sales at cybersecurity firm AdaptiveMobile] said criminals could have acquired access from legitimate providers, or are piggybacking off that access, making the SS7 requests appear somewhat more legitimate.” concludes Motherboard. “Nohl pointed to how hackers could target someone who already has SS7 access. In 2017, this reporter went undercover as an SMS routing service and was successfully offered SS7 access for around $10,000.”

Pierluigi Paganini

FAIR USE NOTICE: Under the "fair use" act, another author may make limited use of the original author's work without asking permission. Pursuant to 17 U.S. Code § 107, certain uses of copyrighted material "for purposes such as criticism, comment, news reporting, teaching (including multiple copies for classroom use), scholarship, or research, is not an infringement of copyright." As a matter of policy, fair use is based on the belief that the public is entitled to freely use portions of copyrighted materials for purposes of commentary and criticism. The fair use privilege is perhaps the most significant limitation on a copyright owner's exclusive rights. Cyber Defense Media Group is a news reporting company, reporting cyber news, events, information and much more at no charge at our website Cyber Defense Magazine. All images and reporting are done exclusively under the Fair Use of the US copyright act.

Global InfoSec Awards 2022

We are in our 10th year, and these awards are incredibly well received – helping build buzz, customer awareness, sales and marketing growth opportunities, investment opportunities and so much more.