You’d think that in today's high-tech society, nobody uses text-messages as part of their 2-factor authentication system. But despite hoping that this was dead and buried practice, every now and then we see examples of when it’s being used and subsequently hacked. Recently, Metro Bank in the UK and its customers suffered the consequences from this, which goes to show it’s time we start using better and safer solutions.
Telecom operators use what’s called an SS7 protocol to reroute both text messages and calls, and also offers the possibility of geo-positioning cellphones. The problem is that the owner of the cellphone doesn’t need to be informed of this, meaning anyone with access can reroute text messages and track the whereabouts of the phone as they choose. This could, for example, be the Telecom operator itself, a government agency, or the not-so-friendly hacker.
All the hackers need to do is figure out the user’s login and password to their bank, things that are relatively easy to get your hands on these days. They then simply use the SS7- protocol to reroute the authentication text message to their own phone and immediately get full access to the bank account. This exact thing happened to customers of the Metro Bank in the UK recently, as reported by “Motherboard”. The SS7-attacks drained the accounts of “an extremely small number” of customers according to representatives of the bank. But regardless of the number of victims, this should really not be a hack that is possible to perform any more. Especially not at a bank that millions of individuals and companies trust with their money.
Metro Bank, Crawley, UK. (Photo Robin Webster)
The victims were of course compensated by Metro Bank, and hopefully, both the bank and customers have learnt their lesson and immediately abandon these inadequate practices.
There are however still thousands of services, banks and others that rely on text- messaging for their 2-factor authentication, apparently living in the belief that their system is secure. But implementing just any 2-factor authentication protocol does not mean your system is secure, much like having a seat-belt made out of paper won’t do you much good in a car crash.
So, take a good look at the service providers you use. if they use text messaging as part of their two-factor authentication inform them of their errors and find yourself another supplier. You simply aren’t safe where these practices are being used.
Covr Security AB, located in Malmo, Gothenburg, Stockholm, Frankfurt and Palo Alto, is a Swedish cybersecurity company. We have developed a next-generation, user-centric mobile security management app for a wide range of heavily regulated digital industries that depend on strong customer authentication and privacy. The Covr app is available both as an off-the-shelf authentication mobile app ready for a quick launch and as a powerful SDK for hassle-free integration into existing mobile applications.