Reports broke yesterday that a relatively small number of customers of the UK’s Metro Bank have been hit by text message banking fraud. Metro Bank isn’t the only bank to be hit, but appears to be the first to go public.
It appears that hackers have been able to intercept text messages which are supposed to add two factor authentication security to banking. Text message banking fraud is a complicated hack but, put simply, the exploit takes advantage of a weakness in the design of the SS7 networks used to set up and route text messages and calls. The SS7 network doesn’t authenticate who sends a request and so if a hacker gains access they can instruct the network to reroute text messages to themselves instead of the genuine recipient. For banking, if hackers capture the code the bank thinks they are sending to their customer then they can gain access to the bank account.
This is by no means a trivial hack – the hacker would still need the user’s online banking username and password before being able to capture the text message. This is a wider attack on the world’s banking systems: Metro Bank is not believed to be the first bank whose customers’ accounts have been emptied, and it is unlikely to be the last.
This does raise a wider issue as the UK moves towards text messages as a means of authentication for online payments. Criminals who commit large numbers of relatively small financial crimes are largely ignored, as banks simply refund their customers, but the UK government wants to clamp down on this type of fraud.
Text message authentication is a measure intended to replace functions such as Verified by Visa in the online payment flow, but it has already attracted criticism. Text messages will slow down online purchasing: you may be in a poor mobile signal area, especially in rural areas, your mobile could be out of credit or battery, or you may simply not have it to hand.
Now, if text message banking fraud is already taking place, it raises the question of whether text messages are fit for purpose as a means of securing online payments, when all a criminal would then need are the numbers from your bank card and your mobile number.