It has been reported that Metro Bank has been targeted by attacks that bypass two-factor authentication using vulnerabilities in the mobile network. Flaws in the SS7 protocol, used by telecoms operators, mean that the codes sent out over SMS can be intercepted.
— Information Security Buzz (@Info_Sec_Buzz) June 17, 2016
Experts' comments below:
Michael Downs, Telecoms Cyber Security Director of EMEA at Positive Technologies:
“For years, it has been known that the Signalling System No.7 (SS7) protocol, widely used by telecoms operators, has major security flaws. Its security weaknesses can not only be used for SMS interception – as is the case here with Metro Bank – but also to steal users’ personal data, location tracking through their phones, signalling fraud and also hijacking devices to orchestrate denial of service attacks. SMS interception is just one of the easiest ways to exploit these flaws – our own research on telecoms infrastructure has found that nine out of ten attempted SMS interception attacks are successful.
“What is even more worrying is that, despite the fact that operators have spent billions on upgrading networks, our research shows that the same vulnerabilities exist. The risk of attacks and consequences will only grow as the world moves to be more and more connected, with the Internet of Things as a primary driver. What this attack shows is that a security issue within the telecoms industry isn’t just a problem for the telecoms industry – it affects every company and device that relies on the network – which is pretty much everyone.
“Users need to know that these types of attacks can be mitigated against and this is an opportunity for the operators to do so. This is not the first instance of this type of attack and it will not be the last.”
Jon Bottarini, Hacker and Lead Technical Program Manager at HackerOne:
“Whether criminals use man-in-the-middle Signaling System 7 (SS7) attacks or engage in SIM card swapping, it just goes to show that relying on an SMS-based method of two-factor authentication is not the most secure way to protect your most sensitive accounts. Using an Authenticator App or time-based one-time password (TOTP) for two-factor authentication is the best method to prevent against these types of attacks.”
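The TOTP mitigation recommended in the comment above works because the one-time code is derived on the user's device from a secret shared once at enrolment and the current time, so there is no code in transit over SS7 or SMS to intercept. The following is an added illustration of that scheme (RFC 6238 over RFC 4226 HOTP), written for this page; it is not code from Metro Bank, HackerOne, or Positive Technologies. The function names (`hotp`, `totp`, `verify_totp`) are this example's own, and the secret `12345678901234567890` is the published RFC 6238 test key, used here only so the output can be checked against the RFC's test vectors.

```python
import base64
import hashlib
import hmac
import struct
from typing import Optional


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: truncate HMAC-SHA1(secret, counter) to a decimal code."""
    msg = struct.pack(">Q", counter)                      # 8-byte big-endian counter
    digest = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                            # dynamic truncation offset
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter set to the current 30-second window."""
    return hotp(secret, unix_time // step, digits)


def verify_totp(secret: bytes, submitted: str, unix_time: int,
                last_used_counter: int = -1, window: int = 1,
                step: int = 30, digits: int = 6) -> Optional[int]:
    """Server-side check: accept a code from the current window or `window`
    neighbours (clock drift), reject replays of an already-used counter, and
    compare in constant time. Returns the matched counter (to persist as the
    new last_used_counter) or None on failure."""
    current = unix_time // step
    for drift in range(-window, window + 1):
        counter = current + drift
        if counter <= last_used_counter:
            continue                                      # replay protection
        if hmac.compare_digest(hotp(secret, counter, digits), submitted):
            return counter
    return None


def provisioning_uri(secret: bytes, account: str, issuer: str) -> str:
    """otpauth:// URI that authenticator apps scan at enrolment. The secret is
    exchanged once, over this channel, and never sent again: that is why an
    SS7 or SIM-swap attacker who can read SMS gains nothing from later logins."""
    b32 = base64.b32encode(secret).decode("ascii").rstrip("=")
    return f"otpauth://totp/{issuer}:{account}?secret={b32}&issuer={issuer}&digits=6&period=30"


if __name__ == "__main__":
    # RFC 6238 test key (published in the RFC; a constructed example, not a real credential).
    rfc_secret = b"12345678901234567890"
    print(totp(rfc_secret, 59, digits=8))                 # RFC 6238 vector: 94287082
    print(verify_totp(rfc_secret, "94287082", 59, digits=8))           # 1 (counter matched)
    print(verify_totp(rfc_secret, "94287082", 59, last_used_counter=1, digits=8))  # None (replay)
    print(provisioning_uri(rfc_secret, "alice@example.com", "ExampleBank"))
```

The server stores only the shared secret and the last accepted counter per user; a stolen SMS stream reveals nothing because no SMS is ever sent. The acceptance window should stay small (one step either side), and the replay check matters because a code remains valid for the whole 30-second step.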