Metro Bank has fallen victim to a new type of cyber fraud that targets the codes sent via text messages used to verify transactions.
The UK-based challenger bank made the admission on Monday but added that only a small number of customers had been affected and that none has been left out of pocket.
The incident is also believed to be part of a wider attack on UK banks although no others have yet gone public.
Hackers were able to exploit a weakness in the additional layer of security offered by Metro and other banks that asks customers to type in a code sent by text message to confirm transactions as part of its 2-factor authentication (2FA) process.
According to tech website Motherboard, which first reported the breach, the weakness in the SS7 protocol used by telecoms companies has been known by cyber security bodies and telecoms companies for a number of years.
Back in 2017 telecom operator 02 confirmed that hackers had exploited SS7 weaknesses in messages used by German banks.
By tracking the phones remotely and then intercepting the messages, fraudsters are able to gain access to customer accounts.
While admitting that text messages are not the most secure form of communication, a spokesperson for the National Cyber Security Centre in the UK told the Daily Telegraph newspaper that 2FA still offers a huge advantage over not using any 2FA at all.
Despite the endorsement of 2FA, it is still not as widely used acorss the banking sector as security advocates would like. In late January UK consumer magazine Which? reported that seven out of the UK's top 12 banks do not offer 2FA despite having the technology to do so.
A Metro Bank spokesman says: “At Metro Bank we take our customers’ security extremely seriously and have a comprehensive range of safeguards in place to help protect them against fraud. We have supported telecommunication companies and law enforcement authorities with an industry-wide investigation and understand that steps have been taken to resolve the issue.
“Of those customers impacted by this type of fraud, an extremely small number have been Metro Bank customers and none have been left out of pocket as a result."
Editorial | what does this mean?