Metro Bank has become the first major bank to fall victim to a new type of cyber attack targeting the codes sent via text messages to customers to verify transactions.
Hackers were able to circumvent an additional layer of security offered by Metro Bank, which asks customers to type in a code sent by text message to their phones to confirm transfers and payments.
The attack, which was first discovered by Motherboard, involved hackers tracking phones remotely and intercepting messages to authorise payments from accounts. Other banks are understood to have also been affected by this attack.
Hackers were able to exploit flaws in SS7, a protocol used by telecoms companies to coordinate how they route calls and SMS messages around the world.
A Metro Bank spokesperson said that a “small number” of the bank’s customers had been affected.
She said: “At Metro Bank we take our customers’ security extremely seriously and have a comprehensive range of safeguards in place to help protect them against fraud. We have supported telecommunication companies and law enforcement authorities with an industry-wide investigation and understand that steps have been taken to resolve the issue.
“Of those customers impacted by this type of fraud, an extremely small number have been Metro Bank customers and none have been left out of pocket as a result. Customers should continue to remain vigilant and report any suspicious activity using the number on the back of their card or on our website.”
Metro Bank first reported the issue to authorities. Other companies were affected by this cyber attack, but their names have not been made public.
A National Cyber Security Centre spokesman said: “We are aware of a known telecommunications vulnerability being exploited to target bank accounts by intercepting SMS text messages used as 2-Factor Authentication (2FA).
“While text messages are not the most secure type of two-factor authentication, they still offer a huge advantage over not using any 2FA at all.”
Telecoms giant BT said that it is aware of the potential of SS7 being used to try to commit banking fraud. A spokesperson said: “Customer security is our top priority so we’re always upgrading our systems and working with the industry and banks to help protect our customers.”
Michael Downs, Telecoms Cyber Security Director of EMEA at Positive Technologies, said that this security vulnerability can be used to steal users’ personal data and track their location through their phones.
He said: “Users need to know that these types of attacks can be mitigated against and this is an opportunity for the operators to do so. This is not the first instance of this type of attack and it will not be the last.”
Metro Bank has had a difficult week after it was forced to admit that the Bank of England found a flaw in its accounts despite having previously claimed that it had spotted the error itself.
Investors were told that the bank’s risky assets would be $900m higher than expected due to the error.