Metro Bank hit by text message banking fraud

By Chris Dawson February 5, 2019 - 10:00 am

Reports broke yesterday that a relatively small number of customers of the UK’s Metro Bank have been hit by text message banking fraud. Metro Bank isn’t the only bank to be hit, but appears to be the first to go public.

It appears that hackers have been able to intercept the text messages which are supposed to add two-factor authentication security to banking. Text message banking fraud is a complicated hack but, put simply, the exploit takes advantage of a weakness in the design of the SS7 networks used to set up and route text messages and calls. The SS7 network doesn’t authenticate who sends a request, so if a hacker gains access they can instruct the network to reroute text messages to themselves instead of the genuine recipient. For banking, if hackers capture the code the bank thinks it is sending to its customer, they can gain access to the bank account.

This is by no means a trivial hack – the hacker would still need the user’s online banking username and password before being able to capture the text message. This is a wider attack on the world’s banking systems; it’s not believed that Metro Bank is the first, nor is it likely to be the last, bank whose customers’ accounts are emptied.

This does raise a wider issue as the UK moves towards text messages as a means of authentication for online payments. Criminals who commit large numbers of relatively small financial crimes are largely ignored, as banks simply refund their customers, but the UK government wants to clamp down on this type of fraud.

Text message authentication is a measure intended to replace functions such as Verified by Visa in the online payment flow, but it has already attracted criticism. Text messages will not only slow down online purchasing; you may also be in a poor mobile signal area, especially in rural areas, your mobile could be out of credit or battery, or you may simply not have it to hand.

Now, if text message banking fraud is already taking place, it does raise the question of whether text messages are fit for purpose as a means to secure online payments, where all a criminal will then need are the numbers off your bank card and your mobile number.
