Cybercriminals are exploiting flaws in SS7, a protocol used by telecom companies to coordinate how they route texts and calls around the world, to empty bank accounts by intercepting messages sent for two-factor authentication (2FA).

The exploit can allow threat actors to track phones across the planet and intercept text messages and phone calls without hacking the phone itself.

While it was known that intelligence agencies and surveillance contractors could carry out these kinds of attacks, Motherboard reported confirmation of financially motivated criminal organizations using the technique to empty accounts at the U.K.’s Metro Bank in a recent attack.

“At Metro Bank we take our customers’ security extremely seriously and have a comprehensive range of safeguards in place to help protect them against fraud,” a Metro Bank spokesperson told Motherboard in an email. “We have supported telecommunication companies and law enforcement authorities with an industry-wide investigation and understand that steps have been taken to resolve the issue.”

Customers at other banks have also been victims of these attacks, and the spokesperson went on to say that those affected at Metro Bank represent only a small percentage of all those affected.

The attacks highlight the issue that the SS7 network does not authenticate who sends requests, so SS7 treats the commands of whoever gains access to the network all the same, regardless of their validity.

To carry out the attack, the threat actor typically first needs a target’s online banking username and password. If the bank asks for a confirmation code sent via text message, the threat actors use the exploit to intercept the message and gain access to the account.

“Whether criminals use man-in-the-middle Signaling System 7 (SS7) attacks or engage in SIM card swapping, it just goes to show that relying on an SMS-based method of two-factor authentication is not the most secure way to protect your most sensitive accounts,” Jon Bottarini, hacker and lead technical program manager at HackerOne, told SC Media.

“Using an Authenticator App or time-based one-time password (TOTP) for two-factor authentication is the best method to prevent against these types of attacks,” he said.