[BreachExchange] Metro Bank victim to 2FA bypass attack

Destry Winant destry at riskbasedsecurity.com
Tue Feb 5 02:50:52 EST 2019


https://www.fintech.finance/01-news/metro-bank-victim-to-2fa-bypass-attack/

It has been reported today that Metro Bank has fallen victim to a
sophisticated two-factor authentication (2FA) bypass attack after
hackers infiltrated a telecoms firm’s text messaging protocol.

Commenting on the breach, Ryan Gosling, Head of Partnerships and Telco
at Callsign, said that the hack is unsurprising, but that there are
steps other banks can take in terms of SS7 so they don’t suffer a
similar fate.

“There have been several documented cases of SS7 breaches in the past.
But, due to the underlying historical weaknesses in the technology, it
has been difficult to resolve the SS7 vulnerability.

“Whilst some effort has been made by the network operators to address
the problem, some SS7 messages just cannot be filtered at the network
boundaries, because there are legitimate reasons to send
cross-network messages, e.g. to set up call roaming. Therefore, if an
attacker can infiltrate any SS7 network, they can send certain SS7
messages to their fraud target’s home network. These can be used to
set up misdirection of banking verification codes.

“The solution is three-fold. Firstly, banks must adopt a strong and
agile governance process in terms of authentication policies. They
should also regularly review these policies, so that they are fully up
to date and can adjust their authentication methods as required to
mitigate new threats. Secondly, they must employ a proactive
cybersecurity research arm, which can keep track of the new attacks
being made on SS7 and other legacy protocols.

“The final, and most crucial means of combatting the security issues
associated with SS7 is to use an intelligence engine to spot anomalous
behaviour. All banks can do is gather together as many data points as
possible: device, call divert, SIM swap, and roaming statuses from
MNOs and specialist services, in order to build up a picture of their
customers. An integrated approach should correlate this data to
provide a single view of the person undertaking the transaction and
the environmental circumstances around that. A feedback loop to the
intelligence engine to inform it about known fraud cases can also help
it learn about bad behaviour, and to recognise that a fraudster is at
work based on similar combinations of these data points in the
future.”
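As an added example, not part of the article and not Callsign's product, here is a toy version of the correlation logic the quote describes: the bank gathers device, call-divert, SIM-swap and roaming status from the MNO, scores the combination before trusting an SMS verification code, and feeds confirmed fraud cases back so the same combination of indicators is treated as hostile next time. The weights, thresholds and the 72-hour SIM-swap window are assumptions chosen for illustration.

```python
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, Set


@dataclass
class TelcoSignals:
    """Data points gathered from the MNO / specialist services (assumed fields)."""
    device_known: bool            # device has been seen for this customer before
    call_divert_active: bool      # MNO reports a call forward set on the line
    hours_since_sim_swap: float   # MNO SIM-swap lookup; large value = no recent swap
    roaming: bool                 # handset currently attached to a foreign network


@dataclass
class IntelligenceEngine:
    # Indicator weights are illustrative, not tuned values.
    weights: Dict[str, int] = field(default_factory=lambda: {
        "unknown_device": 2, "call_divert_active": 3,
        "recent_sim_swap": 4, "roaming": 1})
    # Feedback loop: indicator combinations seen in confirmed fraud cases.
    known_fraud_patterns: Set[FrozenSet[str]] = field(default_factory=set)
    feedback_bonus: int = 3

    def indicators(self, s: TelcoSignals) -> FrozenSet[str]:
        found = set()
        if not s.device_known:
            found.add("unknown_device")
        if s.call_divert_active:
            found.add("call_divert_active")
        if s.hours_since_sim_swap < 72:        # assumed 72h window
            found.add("recent_sim_swap")
        if s.roaming:
            found.add("roaming")
        return frozenset(found)

    def score(self, s: TelcoSignals) -> int:
        ind = self.indicators(s)
        total = sum(self.weights[i] for i in ind)
        # Any previously confirmed fraud pattern contained in this case raises the score.
        if any(p and p <= ind for p in self.known_fraud_patterns):
            total += self.feedback_bonus
        return total

    def decide(self, s: TelcoSignals) -> str:
        """Whether the SMS channel can be trusted for this transaction."""
        sc = self.score(s)
        if sc >= 5:
            return "block_sms_otp"   # route verification to a non-SMS channel
        if sc >= 2:
            return "step_up"         # require an additional factor
        return "allow_sms_otp"

    def report_fraud(self, s: TelcoSignals) -> None:
        """Feed a confirmed fraud case back into the engine."""
        self.known_fraud_patterns.add(self.indicators(s))
```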
