Metro Bank admits massive data breach with SS7 attack

Metro Bank has become the first notable financial institution to disclose SS7 attacks against its customers, although such attacks could be more common than expected.

A new variant of cyberattack has been used against the British financial institution Metro Bank. According to network security and ethical hacking specialists from the International Institute of Cyber Security, a group of hackers has been exploiting vulnerabilities in the SS7 signaling protocol to intercept the text messages that the bank sends its customers to authorize transactions.

Signaling System 7 (SS7) is a set of protocols that allows connections between mobile networks, network security experts note. The signaling information exchanged between networks is needed to route calls and text messages from one network to another. Experts theorize that attackers exploited a known vulnerability in the SS7 protocol to bypass the multi-factor authentication used in Metro Bank systems.

“Before, only intelligence agencies or government contractors had the required tools to carry out this kind of intrusion; however, we have been able to confirm that groups of cybercriminals also have these kinds of tools within their reach and are using them to empty bank accounts,” reads the announcement from Metro Bank. Although the organization says that this was an isolated incident, network security specialists believe that SS7 attacks on banking institutions could be much more frequent than previously thought.

“At Metro Bank we take the security of our customers very seriously. We will collaborate with the telecommunications companies and the responsible authorities, and we also reaffirm that the relevant security measures are already being implemented,” said the bank spokesman.

The banking institution confirmed that “only a small number of customers” were affected by the incident. “We ask our customers to stay alert and report any anomalous activity in their accounts,” the bank's statement adds. Metro Bank immediately notified the competent authorities; so far it is the only banking institution that has reported an attack of this kind.

“We are aware of the exploitation of this vulnerability in SS7 to intercept text messages used as multi-factor authentication,” confirmed the spokesman for the United Kingdom National Cyber Security Centre (UK NCSC).

Karsten Nohl, a cybersecurity specialist, has conducted multiple investigations into the vulnerabilities that affect the SS7 protocol and states that many banks have suffered this kind of attack: “The confirmation codes on these text messages could be available to anyone.”

Security specialists believe that a group of cybercriminals with advanced knowledge and multiple tools at their disposal is behind these attacks. “This group of hackers could have gained access from legitimate vendors, or be leveraging that access, making SS7 requests seem a little more legitimate,” Nohl said.