Cybercriminals intercept codes used for banking to empty your accounts

Crooks hacked telecom protocol SS7 to steal banking two-factor authentication codes.

Financial institutions worldwide use two-factor authentication (2FA) to keep their customers’ money safe. You’ve probably used them for your accounts — those short, 4- to 6-digit codes your bank sends when you try to log in for the first time on a new device, or that you have to input to approve a transaction. Usually, banks send those one-time passwords in SMS text messages. Unfortunately, SMS is one of the weakest ways to implement 2FA, because text messages can be intercepted. Think we’re being paranoid? Nope: That is exactly what just happened in the UK.

How can criminals get your text messages? Well, there are different ways, and one of the most extravagant is exploiting a security flaw in SS7, a protocol used by telecommunications companies to coordinate how they route texts and calls (you can read more about it in this post). The SS7 network does not care who sent a request. So, if malefactors manage to access it, the network will follow their commands to route text messages or calls, as if those commands were legitimate.

The whole scheme looks something like this: Cybercriminals obtain a target’s online banking username and password — possibly by using phishing, keyloggers, or banking Trojans. Then, they log in to the online bank and request a money transfer. Nowadays, most banks would ask for additional confirmation of the transfer and send a code for verification to the account owner. If the bank does that in the form of a text message, malefactors can exploit the SS7 vulnerability to intercept the text and enter the code, as if they had your phone. Banks accept the transfer as legitimate because the transaction was authorized twice: once with your password, and then again with the one-time code. So, the money goes to the criminals.

The UK’s Metro Bank confirmed to Motherboard that some of its customers had been impacted by this type of fraud. Back in 2017, Süddeutsche Zeitung reported that German banks had also faced the same problem.

There is some good news, too. As Metro Bank itself comments, an extremely small number of its clients had to deal with the problem, and “none have been left out of pocket as a result.”

Of course, the whole thing could’ve been avoided if the banks had used some other form of 2FA that didn’t rely on text messages (for example, an authenticator app or, say, a hardware-based authenticator such as YubiKey). Unfortunately, it’s the rare financial institution that allows any means of two-factor authentication other than SMSs. Let’s hope that in the near future more and more banks worldwide protect their clients better by offering other authentication choices.

This story offers two takeaways for users of any financial institution or service:

  • It’s good to use two-factor authentication wherever possible, but it’s even better to use secure versions of 2FA such as authenticator apps or YubiKeys. Try using these instead of SMS if such an option is available.
  • Use a reliable antivirus solution to keep banking Trojans and keyloggers off your systems, so that they can’t steal your logins and passwords.