
We've probably all received confirmation codes sent via text message when trying to sign into an account. Those codes are supposed to serve as two-factor authentication to confirm our identity and prevent scammers from accessing our accounts through a password alone. But who actually handles those SMS codes, and can those people be trusted?
New reports from both Bloomberg and collaborative investigative newsroom Lighthouse Reports shed light on how and why text-based codes can put people at risk. In their reports, both organizations revealed that they obtained at least a million data packets from a phone industry whistleblower. The packets contained SMS messages with two-factor authentication codes that were received by individual users.
You may think that such messages are handled directly by the companies and websites for which you have an account. But based on analysis conducted by Bloomberg and Lighthouse, that's not necessarily the case. In this instance, the messages passed through a controversial Swiss outfit named Fink Telecom Services. And Bloomberg used the term controversial to describe Fink for a reason.
"The company and its founder have worked with government spy agencies and surveillance industry contractors to surveil mobile phones and track user location," Bloomberg reported. "Cybersecurity researchers and investigative journalists have published reports alleging Fink's involvement in multiple instances of infiltrating private online accounts."
Analyzing the data, Bloomberg and Lighthouse found that the senders included such major tech players as Google, Meta, and Amazon. Also in the mix were several European banks, apps such as Tinder and Snapshot, the Binance cryptocurrency exchange, and even encrypted chat apps like Signal and WhatsApp.
Why would companies entrust two-factor authentication codes to an outside provider, especially one with a controversial reputation? Convenience and money. External contractors can often handle these types of text messages more cheaply and easily than the companies themselves. That's especially true if a business has to deal with customers around the world, a process that can be complicated and expensive.
Instead, companies turn to providers like Fink Telecom because of their access to "global titles." A global title is a network address that lets carriers communicate across different countries. This makes it seem as if a company is based in the same country as any of its customers. In its analysis, Lighthouse said it found that Fink used global titles in Namibia, Chechnya, the UK, and its native Switzerland.
Though the practice of outsourcing such messages may be expedient, it does run risks. This past April, UK phone regulator Ofcom banned global title leasing for UK carriers, citing the threat to mobile phone users.
The key question here is whether the data in the records examined by Bloomberg and Lighthouse was ever at risk. In an exchange with Bloomberg, Fink Telecom CEO Andreas Fink said: "Our company provides infrastructure and technical services, including signalling and routing capabilities. We do not analyze or interfere with the traffic transmitted by our clients or their downstream partners."
As for the companies that do the outsourcing, Google, Meta, Signal, and Binance told Bloomberg that they didn't work directly with Fink Telecom. Google added that it was moving away from SMS as a way to authenticate accounts, while Signal said that it offered ways to prevent SMS vulnerabilities. A spokesperson for Meta told Bloomberg that it alerted its partners not to engage with Fink Telecom.
Alternatives to SMS
Whether or not the data in question was exposed, the problem remains the same. Since SMS lacks the proper encryption, it has never been a safe and secure way to exchange authentication codes or other private information. For that reason, all companies should stop using it and turn to stronger methods. Of course, that's easier said than done. Still, there are steps you can take to avoid this trap.
When setting up two-factor authentication for an account, don't choose the SMS option. Instead, use either a physical security key or, more easily, an authenticator app such as Microsoft Authenticator or Google Authenticator. Such apps display a code that you must enter on the website or app to confirm your login. Since the codes change every 30 seconds and are generated on your device, this method is much stronger and much more resistant to theft than SMS.