By now everyone should know that two-factor authentication via SMS is outdated and insecure. But in case anyone needs a reminder, here it is: Metro Bank in the UK was recently the victim of something called SS7 attacks, which basically allow anyone with access to reroute text messages and calls as they please, as well as track the location of a compromised phone. This is far from the first time this has happened, and it seems European banks are more at risk than US banks.
Telecoms use the SS7 protocol to route text messages and phone calls, but it has a glaring issue: The user accessing the protocol does not need to be authenticated, which means anyone (government agencies, cybercriminals, etc.) with access can reroute text messages and phone calls for a compromised number, or use geolocation to track a phone, as they please. Once a cybercriminal with access to the protocol has a target's online banking username and password, all they would need to do is reroute text messages for that person's number as desired, trigger an SMS-based two-factor authentication code to be sent, and voilà.
According to a report from Motherboard, Metro Bank confirmed that "an extremely small number" of its customers had accounts compromised by SS7 attacks, which were used to drain the funds from these compromised bank accounts. Metro Bank added that none of these account owners had "been left out of pocket as a result."
In 2017, bank accounts in Germany fell victim to SS7 attacks, but Metro Bank appears to be the first confirmed UK bank to have been compromised by these attacks. A source told Motherboard that while SS7 attacks are global in scope, they seem to particularly target European bank accounts and that accounts in the US are not as impacted.
The takeaway here is that no matter where you live, if your bank offers any sort of multifactor authentication that does not rely on SMS, use it right away. More banks should really get with the times already.