Metro Bank victim to 2FA bypass attack

It has been reported today that Metro Bank has fallen victim to a sophisticated two-factor authentication (2FA) bypass attack after hackers infiltrated a telecoms firm’s text messaging protocol.

Commenting on the breach, Ryan Gosling, Head of Partnerships and Telco at Callsign, said that the hack is unsurprising but that there are steps other banks can take regarding SS7 so they don’t suffer a similar fate.

“There have been several documented cases of SS7 breaches in the past. But, due to the underlying historical weaknesses in the technology, it has been difficult to resolve the SS7 vulnerability.

“Whilst some effort has been made by the network operators to address the problem, some SS7 messages just cannot be filtered at the network boundaries because there are some legitimate reasons to send cross-network messages e.g. to set up call roaming. Therefore, if an attacker can infiltrate any SS7 network, they can send certain SS7 messages to their fraud target’s home network. These can be used to set up misdirection of banking verification codes.

“The solution is three-fold. Firstly, banks must adopt a strong and agile governance process in terms of authentication policies. They should also regularly review these policies, so that they are fully up to date and can adjust their authentication methods as required to mitigate new threats. Secondly, they must employ a proactive cybersecurity research arm, which can keep track of the new attacks being made on SS7 and other legacy protocols.

“The final, and most crucial means of combatting the security issues associated with SS7 is to use an intelligence engine to spot anomalous behaviour. All banks can do is gather together as many data points as possible: device, call divert, SIM swap, and roaming statuses from MNOs and specialist services, in order to build up a picture of their customers. An integrated approach should correlate this data to provide a single view of the person undertaking the transaction and the environmental circumstances around that. A feedback loop to the intelligence engine to inform it about known fraud cases can also help it learn about bad behaviour, and to recognise that a fraudster is at work based on similar combinations of these data points in the future.”
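The correlation and feedback loop described in the quote above can be sketched as follows. This is an added example, not code from Callsign or Metro Bank; the class and field names, weights, thresholds and the 72-hour SIM swap window are all constructed assumptions.

```python
from collections import Counter
from dataclasses import dataclass
from typing import Optional

# Constructed weights and thresholds for illustration; a real deployment tunes these.
WEIGHTS = {"new_device": 2, "call_divert": 3, "recent_sim_swap": 4, "roaming": 1}
SIM_SWAP_WINDOW_HOURS = 72
STEP_UP_AT, DENY_AT = 3, 6
MIN_CASES = 3      # labelled cases needed before the learned term is trusted
LEARNED_MAX = 5    # score added when every labelled case for a combination was fraud

@dataclass(frozen=True)
class Signals:
    known_device: bool               # device already bound to this customer
    call_divert: bool                # MNO reports call divert active
    sim_swap_hours: Optional[float]  # hours since last SIM swap, None if none reported
    roaming: bool                    # MNO reports the subscriber as roaming

class RiskEngine:
    def __init__(self):
        self.seen = Counter()   # labelled cases per signal combination
        self.fraud = Counter()  # confirmed-fraud cases per signal combination

    @staticmethod
    def flags(s: Signals) -> frozenset:
        recent_swap = s.sim_swap_hours is not None and s.sim_swap_hours < SIM_SWAP_WINDOW_HOURS
        raised = {"new_device": not s.known_device, "call_divert": s.call_divert,
                  "recent_sim_swap": recent_swap, "roaming": s.roaming}
        return frozenset(name for name, on in raised.items() if on)

    def score(self, s: Signals) -> float:
        combo = self.flags(s)
        static = sum(WEIGHTS[name] for name in combo)
        n = self.seen[combo]
        learned = LEARNED_MAX * self.fraud[combo] / n if n >= MIN_CASES else 0.0
        return static + learned

    def decide(self, s: Signals) -> str:
        total = self.score(s)
        if total >= DENY_AT:
            return "deny_sms_code"   # do not rely on SMS for this transaction
        if total >= STEP_UP_AT:
            return "step_up"         # ask for a factor that does not travel over SS7
        return "allow_sms_code"

    def feedback(self, s: Signals, was_fraud: bool) -> None:
        """Feedback loop: record the outcome of an investigated transaction."""
        combo = self.flags(s)
        self.seen[combo] += 1
        self.fraud[combo] += int(was_fraud)
```

A combination that looks harmless on static weights alone, such as roaming on a known device, moves to `deny_sms_code` once enough confirmed fraud cases with that same combination have been fed back.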

Author: Yash Hirani
