Flaw in SS7 Lets Attackers Empty Bank Accounts

Written by

A UK bank fell victim to a malicious SS7 attack that led to cyber-criminals emptying bank accounts at the UK’s Metro Bank, according to Motherboard.

Though malicious actors have been able to exploit flaws in telecommunication infrastructure for years, it’s not being reported that attacks are able to intercept codes used for banking using Signaling System 7 (SS7) attacks. According to Motherboard, the National Cyber Security Centre (NCSC) said that it is aware that cyber-criminals are exploiting a telecommunications vulnerability to target bank accounts “by intercepting SMS text messages used as 2-Factor Authentication.”

“Legacy communications protocols were often architected with utility in mind, not security,” said Matt Walmsley, EMEA director at Vectra. “We’ve seen old-school fax protocols being recently used to delivery malicious payloads into multifunction printers. Using the telephone infrastructure for illicit activity isn’t new, either."

The attack is concerning, given the widespread use of SMS as an authentication channel. “SMS is increasingly become a low-trust infrastructure, and there are other choices available to provide additional factor authentication, including local token generators and biometrics,” Walmsley said.

Because of the flaws in telco infrastructure, British telco company BT said that it is constantly upgrading its systems. According to a report from Reuters, the attack is not limited to Metro Bank but rather is a sampling of a wider attack on banks across Britain.

“Whether criminals use man-in-the-middle SS7 attacks or engage in SIM card swapping, it just goes to show that relying on a SMS-based method of two-factor authentication is not the most secure way to protect your most sensitive accounts,” said Jon Bottarini, hacker and lead technical program manager at HackerOne. “Using an Authenticator App or time-based one-time password (TOTP) for two-factor authentication is the best method to prevent against these types of attacks.”

What’s hot on Infosecurity Magazine?