Banks Keep Using SMS Two Factor Authentication But It Sucks

Banks Keep Using SMS Two Factor Authentication But It Sucks

A number of banks in Europe, including the Metro Bank in the UK, have fallen victim to an attack dubbed SS7. SS7 is a protocol for routing text messages and phone calls. But it doesn’t rely on authentication and can be abused so that text messages and phone calls can be rerouted. A cybercriminal with access to the protocol can reroute text messages and swipe SMS-based two-factor authentication codes. Yet banks persist in using this unsecured tool for proving transactions.

The SS7 attack on Metro Bank notes that the attack vector, which was only exploitable by nation states but is not in the hands of criminal gangs, has been low for many years but left open. And despite that knowledge, banks have persisted in using this weak authentication method for online banking transactions. SS7 attacks been demonstrated in Australia for some time.

It’s important to note this isn’t a problem with a specific handset or mobile OS. It’s a protocol level issue.
The National Cyber Security Centre (NCSC), the defensive arm of the UK’s signals intelligence agency GCHQ, said in a statement “We are aware of a known telecommunications vulnerability being exploited to target bank accounts by intercepting SMS text messages used as 2-Factor Authentication (2FA)”.

There are other ways for banks to secure transactions. For example, they could leverage tokenised systems such as Google Authenticator and Microsoft Authenticator, or there tokens. For example, when I was a Bendigo Bank customer, there provided me with a key fob with a one-time password that changed every minute.

With the banking royal commission pushing banks and other financial institutions to pick up their game, it’s a prime opportunity to improve customer security at a time when the banking sector’s reputation is at a low.


  • TFA actually is awesome. MS authenticator is garbage.

    I would bet my salary that not a single person reading this article has suffered a SS7 attack. The truth is any SS7 style attack is really only going to be successful for a very short period of time, while it is happening people are at risk but it’s very different to passwords being stolen as it is only a short window when you happened to require TFA and you or the company you are authing with are under attack.

    This is like writing an article to get rid of ATMs because of the dodgy devices russian gangs installed on them that were quite successful recently.

    As far as user experience goes TFA is still king and the very minute risk of SS7 attacks isn’t enough to change that.

Log in to comment on this story!