Financial institutions worldwide use two-factor authentication (2FA) to keep their customers\u2019 money safe. You\u2019ve probably used them for your accounts \u2014 those short, 4- to 6-digit codes your bank sends when you try to log in for the first time on a new device, or that you have to input to approve a transaction. Usually, banks send those one-time passwords in SMS text messages. Unfortunately, SMS is one of the weakest ways to implement 2FA, because text messages can be intercepted. Think we\u2019re being paranoid? Nope: That is exactly what just happened in the UK.<\/p>\n
How can criminals get your text messages? Well, there are different ways, and one of the most extravagant is exploiting a security flaw in SS7, a protocol used by telecommunications companies to coordinate how they route texts and calls (you can read more about it in this post<\/a>). The SS7 network does not care who sent a request. So, if malefactors manage to access it<\/a>, the network will follow their commands to route text messages or calls, as if those commands were legitimate.<\/p>\n The whole scheme looks something like this: Cybercriminals obtain a target\u2019s online banking username and password \u2014 possibly by using phishing, keyloggers, or banking Trojans. Then, they log in to the online bank and request a money transfer. Nowadays, most banks would ask for additional confirmation of the transfer and send a code for verification to the account owner. If the bank does that in the form of a text message, malefactors can exploit the SS7 vulnerability to intercept the text and enter the code, as if they had your phone. Banks accept the transfer as legitimate because the transaction was authorized twice: once with your password, and then again with the one-time code. So, the money goes to the criminals.<\/p>\n The UK\u2019s Metro Bank confirmed to Motherboard<\/a> that some of its customers had been impacted by this type of fraud. Back in 2017, S\u00fcddeutsche Zeitung<\/a> reported that German banks had also faced the same problem.<\/p>\n There is some good news, too. As Metro Bank itself comments, an extremely small number of its clients had to deal with the problem, and \u201cnone have been left out of pocket as a result.\u201d<\/p>\n Of course, the whole thing could\u2019ve been avoided if the banks had used some other form of 2FA that didn\u2019t rely on text messages (for example, an authenticator app<\/a> or, say, a hardware-based authenticator such as YubiKey). Unfortunately, it\u2019s the rare financial institution that allows any means of two-factor authentication other than SMSs. Let\u2019s hope that in the near future more and more banks worldwide protect their clients better by offering other authentication choices.<\/p>\n This story offers two takeaways for users of any financial institution or service:<\/p>\n