Cyber Incident Victim: Metro Bank
Date:
Jan 2019
Location:
United Kingdom
Summary
Metro Bank fell victim to an SS7 protocol exploit, where attackers intercepted SMS-based two-factor authentication codes to bypass security and access customer accounts. The UK’s National Cyber Security Centre confirmed criminals exploited this telecommunications vulnerability to target banking systems, with industry sources indicating broader incidents across multiple financial institutions, particularly in Europe. While only a small number of the bank’s customers were impacted, none suffered financial losses due to fraud protections. Telecom providers acknowledged implementing safeguards against SS7 vulnerabilities, but inherent flaws in the protocol—such as lacking request authentication—persisted, enabling targeted interception of sensitive messages. Cybersecurity researchers emphasized that such attacks, though still relatively uncommon, were increasingly leveraged by financially motivated criminal groups.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 1 motive | 2 techniques |
| Threat Actors | Type | Location |
|---|---|---|
| 0 actors | Available to members | Available to members |
Description
In early 2019, Metro Bank became the first publicly confirmed UK financial institution targeted through exploitation of the SS7 telecommunications protocol, a legacy system used globally to coordinate call and text routing between carriers. Attackers leveraged inherent vulnerabilities in SS7—which lacks authentication mechanisms to verify the legitimacy of network requests—to intercept SMS-based two-factor authentication (2FA) codes sent to customers during online banking transactions. After first obtaining victims’ online banking credentials through unspecified means (potentially including phishing), criminals exploited SS7 to reroute security text messages containing one-time verification codes. This allowed them to bypass SMS-based 2FA protections and authorize fraudulent transfers from compromised accounts. The National Cyber Security Centre (NCSC) confirmed this method was actively being used to target UK bank accounts, noting that while SMS authentication is less secure than other 2FA methods, it still provides significant security benefits compared to single-factor authentication.
Metro Bank acknowledged the incident, stating an "extremely small number" of customers were impacted but that none suffered financial losses due to the bank’s reimbursement policies. The bank supported a law enforcement investigation into industry-wide SS7 attacks and emphasized existing safeguards while urging customers to remain vigilant. UK Finance, a banking trade association, characterized the incidents as limited in scale and confirmed telecommunications providers had taken "immediate steps" to address vulnerabilities. Telecom operators including BT, EE, and Vodafone stated they had implemented SS7-specific security measures, with Vodafone noting no evidence of customer impact. Security researchers highlighted the broader pattern of SS7 exploitation against banks globally, particularly in Europe, with earlier incidents reported in Germany. The attacks were described as highly targeted rather than indiscriminate, requiring attackers to first obtain banking credentials before exploiting SS7 to intercept authentication messages. Industry experts noted criminal groups offering SS7 interception services in underground markets, though some researchers believed sophisticated financial hacking operations likely maintained exclusive access to these capabilities to avoid operational exposure. The incident underscored longstanding concerns about SS7 vulnerabilities within the telecommunications sector, with security flaws remaining exploitable despite years of documented risks and prior attacks.