Metro Bank Falls Victim to SS7 Two-Factor Attack

Motherboard have reported how the UK’s Metro Bank has fell victim to a two-factor authentication (2FA) attack that exploits the legacy Signalling System 7 (SS7) protocol, to intercept 2FA codes.

The SS7 protocol was originally developed in 1975, and in 1980 the ITU formerly approved it as the international standard for telephone signalling, call establishment and routing.

Flaws in SS7 are known to have been exploited for quite some, and successful attacks against the protocol are capable of tracking phones, as well as intercepting calls and text messages.

It has previously been believed that the ability to exploit SS7 has been firmly in the hands of intelligence agencies, but Motherboard confirmed that this is far more wide spread. Cyber criminals are using this to attack bank customers with the aim of clearing out their bank accounts.

Although cases are still pretty rare, these types of attacks are being seen globally, and Metro Bank have confirmed that a small number of their customers have been a victim of such an attack which resulted in financial fraud and stolen funds.

“At Metro Bank we take our customers’ security extremely seriously and have a comprehensive range of safeguards in place to help protect them against fraud. We have supported telecommunication companies and law enforcement authorities with an industry-wide investigation and understand that steps have been taken to resolve the issue,” a Metro Bank spokesperson told Motherboard in an email.

“Of those customers impacted by this type of fraud, an extremely small number have been Metro Bank customers, and none have been left out of pocket as a result. Customers should continue to remain vigilant and report any suspicious activity using the number on the back of their card or on our website,”

The fundamental flaw stems from the lack of authentication in SS7, that does not require a sender to prove who they are to successfully send a message. This results in malicious parties being able to reroute messages across the network.

The UKs National Cyber Security Centre are actively working to help secure the SS7 protocol to prevent abuse of the UK mobile telephone networks and tackle SMS spoofing, but the harsh reality is that the telco industry has been ignoring these exploitable gaps in the worlds telecom infrastructure for too long.

That said, these are sophisticated and targeted attacks. A 2FA code on its own is not enough for an attacker to access a victims account, so they must use other methods to first gain access to the customers username and passwords. This is typically achieved using phishing attacks that make use of fake emails and/or websites to capture the user’s information.

As a user or customer your best method of protecting yourself against these threats is to remain vigilant when it comes to fake emails and phishing websites. Never click on email links from people you don’t know or trust and look out for suspicious email and website addresses that don’t match those of your bank.

If you are a Metro Bank customer and feel that you may have been victim of Fraud you can use their website for guidance which includes a link to report your concerns.

Sign Up

To keep up to date with our news and posts why not join our mailing list by using the link to subscribe:


Ironshare – Security Simplified