Banks Keep Using SMS Two Factor Authentication But It Sucks

A number of banks in Europe, including Metro Bank in the UK, have fallen victim to an attack that abuses SS7. SS7 is the signalling protocol that telecommunications carriers use to route text messages and phone calls between networks. It does not authenticate the parties issuing routing requests, so text messages and phone calls can be rerouted by anyone with access to it. A cybercriminal with that access can redirect a victim's text messages and swipe SMS-based two-factor authentication codes. Yet banks persist in using this unsecured channel for approving transactions.

Reporting on the SS7 attack on Metro Bank notes that the attack vector, which was once only exploitable by nation states but is now in the hands of criminal gangs, has been known for many years but left open. And despite that knowledge, banks have persisted in using this weak authentication method for online banking transactions. SS7 attacks have been demonstrated in Australia for some time.

It’s important to note this isn’t a problem with a specific handset or mobile OS. It’s a protocol level issue.
The National Cyber Security Centre (NCSC), the defensive arm of the UK’s signals intelligence agency GCHQ, said in a statement “We are aware of a known telecommunications vulnerability being exploited to target bank accounts by intercepting SMS text messages used as 2-Factor Authentication (2FA)”.

There are other ways for banks to secure transactions. For example, they could leverage tokenised systems such as Google Authenticator and Microsoft Authenticator, or hardware tokens. For example, when I was a Bendigo Bank customer, they provided me with a key fob with a one-time password that changed every minute.

With the banking royal commission pushing banks and other financial institutions to pick up their game, it’s a prime opportunity to improve customer security at a time when the banking sector’s reputation is at a low.

