Jump to content

Criminals Are Tapping into the Phone Network Backbone to Empty Bank Accounts

Recommended Posts

Motherboard has identified a specific UK bank that has fallen victim to so-called SS7 attacks, and sources say the issue is wider than previously reported.


66 fe


Sophisticated hackers have long exploited flaws in SS7, a protocol used by telecom companies to coordinate how they route texts and calls around the world. Those who exploit SS7 can potentially track phones across the other side of the planet, and intercept text messages and phone calls without hacking the phone itself.


This activity was typically only within reach of intelligence agencies or surveillance contractors, but now Motherboard has confirmed that this capability is much more widely available in the hands of financially-driven cybercriminal groups, who are using it to empty bank accounts. So-called SS7 attacks against banks are, although still relatively rare, much more prevalent than previously reported. Motherboard has identified a specific bank—the UK's Metro Bank—that fell victim to such an attack.


The news highlights the gaping holes in the world’s telecommunications infrastructure that the telco industry has known about for years despite ongoing attacks from criminals. The National Cyber Security Centre (NCSC), the defensive arm of the UK’s signals intelligence agency GCHQ, confirmed that SS7 is being used to intercept codes used for banking.


"We are aware of a known telecommunications vulnerability being exploited to target bank accounts by intercepting SMS text messages used as 2-Factor Authentication (2FA)," the NCSC told Motherboard in a statement.


“Some of our clients in the banking industry or other financial services; they see more and more SS7-based [requests],” Karsten Nohl, a researcher from Security Research Labs who has worked on SS7 for years, told Motherboard in a phone call. “All of a sudden you have someone’s text messages.”



"This is not an isolated case."



Metro Bank, which launched in 2010, confirmed it had faced an SS7 attack, and said in a statement it has supported a law enforcement investigation into SS7 attacks across the industry.


“At Metro Bank we take our customers’ security extremely seriously and have a comprehensive range of safeguards in place to help protect them against fraud. We have supported telecommunication companies and law enforcement authorities with an industry-wide investigation and understand that steps have been taken to resolve the issue,” a Metro Bank spokesperson told Motherboard in an email.


“Of those customers impacted by this type of fraud, an extremely small number have been Metro Bank customers and none have been left out of pocket as a result. Customers should continue to remain vigilant and report any suspicious activity using the number on the back of their card or on our website,” the statement added.


UK Finance, a trade association for UK banks, told Motherboard in a statement that “The protection of customer accounts is an absolute priority for the industry. We are aware of reports of a small number of incidents and understand that immediate steps were taken by the relevant telecommunication bodies to resolve the issue.” Metro Bank is a member of UK Finance.


Major UK telco BT told Motherboard in a statement, “We’re aware of the potential of SS7 to be used to try to commit banking fraud. Customer security is our top priority so we’re always upgrading our systems and working with the industry and banks to help protect our customers.” This statement also applies to the telco EE, which is part of BT, the spokesperson added.


A Vodafone spokesperson told Motherboard in a statement, "We have specific security measures in place to protect our customers against SS7 vulnerabilities that have been deployed over the last few years, and we have no evidence to suggest that Vodafone customers have been affected. Vodafone is working closely with GSMA, banks and security experts on this issue." The GSMA is a trade group that represents mobile network operators.


O2 and TalkTalk did not provide statements in time for publication.



  • Like 2
  • Thanks 1
Link to post
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.
Note: Your post will require moderator approval before it will be visible.

Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

  • Recently Browsing   0 members

    No registered users viewing this page.

  • Create New...