Cyber-criminals hack UK-based bank using SMS two-factor authentication vulnerability – how it could have been prevented

UK-based Metro Bank has this week reportedly fallen victim to a hack from cyber-criminals using the bank’s SMS two-factor authentication as a means to compromise customer data.

Through exploiting the weak multi-factor authentication method used by the bank for its customers, hackers were able to compromise a known flaw in the SS7 protocol.

Signalling System 7 (SS7) was developed in 1975 to perform essential operations on the public switched telephone network and it is infrastructure that is still used today for transmitting SMS messages – often used in two-factor authentication (2FA) systems like Metro Bank’s. SS7 was not designed to be secure.

It is fair to say that judging by the statements from Metro Bank a number of steps have been quickly implemented to protect customers against the breach and the bank will be carefully scrutinising its method of digitally authenticating customers going forwards.

However, the latest attack on SMS 2FA only goes to highlight the vulnerability of this weak method of authentication and the ease at which cyber-criminals can intercept passwords to access customer data.

“This latest hack by cyber-criminals reinforces why sending one-time-passwords (OTP) via SMS is not secure.” Explains Allen Storey, Chief Product Officer at Intercede.

“SMS was not developed to transmit sensitive data. Even if OTPs have a short shelf life of 15 minutes, organisations are still in effect telegramming a password which can easily be stolen and reused in that timeframe.

“This is why security advisory bodies such as the UK’s National Cyber Security Council (NCSC) and National Institute of Standards and Technology (NIST) in the United States recognise SMS 2FA as insecure and vulnerable to cyber-attack.”

Attacks like these can be nullified by adopting a much stronger form of 2FA based on Public Key Infrastructure (PKI) principles, utilising cryptographically protected certificates and keys.

With this, a private key remains protected on a secure device (so it cannot be copied or stolen), this key is then used to ‘digitally sign’ each authentication attempt or operation.

The resulting digitally signed transaction is unique and bound to the specific operation being performed, therefore it cannot be reused. Combining the use of a digital identity with a second authentication factor (e.g. something I know such as a PIN, or something I am such as a fingerprint) allows organisations to combine high levels of security with frictionless user experiences.

Intercede, through its MyID® credential management system (CMS), offers large enterprises and governments a robust, proven method of issuing and managing secure digital identities using PKI.

Find out more about how MyID safeguards the world’s governments and enterprises against data breach here:


Trusted by Governments and Enterprises Worldwide

Where protecting systems and information really matters, you will find Intercede.  Whether its citizen data, aerospace and defence systems, high-value financial transactions, intellectual property or air traffic control, we are proud that many leading organisations around the world choose Intercede solutions to protect themselves against data breach, comply with regulations and ensure business continuity.