Can You Trust Two-Factor Authentication Codes? Investigation Blows Hole In Security of 2FA

Jul 14, 2025 | News

Damning investigations show more than one million SMS verification texts passed through a third-party company before reaching their recipients, highlighting serious vulnerabilities in SMS-based security systems.

Ding

"Please do not share this code with anyone." 

It's a text we've all received countless times, but unbeknownst to many recipients, these supposedly secret security codes may have already passed through an obscure third-party company before they ever reached your phone. Here's the rundown:

Research led by Bloomberg and Lighthouse Reports recently found that SMS security codes aren't as secure as many members of the public were led to believe. The reports found that many SMS security code providers used a little-known phone-industry intermediary as a middleman. Over one million text message codes were found to have passed through the Swiss company Fink Telecom Services before being delivered to the intended recipient, exposing a serious weakness in SMS-based security systems that millions of users rely on daily. The codes stemmed from a range of online services, including banking applications, email services, online marketplaces, dating platforms, and messaging apps.


So what's the big deal if these codes were routed through a middleman as long as they reached the right phone anyway? The biggest red flag is the lack of end-to-end encryption. An SMS message is readable in plain text by every carrier, aggregator and routing partner that handles it on the way to your handset. Anyone in that chain (or anyone who compromises a company in that chain) can read the code, and you have no way of knowing who those parties are.

The companies that manage your vital data often use intermediaries to send text messages at cheaper rates instead of managing things internally. These recent findings have shown that your 2FA code doesn't travel directly from your bank to your phone. Instead, it may pass through multiple third-party services, each with potential access to your sensitive authentication data. Maintaining privacy and security standards when working with third parties is further complicated because Fink (and others like it) are often subcontractors, not hired directly by the original companies.

Why This Matters More Than You Think

One-time SMS codes have been hugely popular in cybersecurity measures over the past years, and have been used to sign into everything from banking to email accounts. The assumption has been that these codes provide an additional layer of security to protect you, and yet these findings show that the codes may be visible to others long before you receive them. What was once believed to be a private exchange between you and the organisation you trusted turns out to include onlookers you don't know and have never agreed to let see your confidential data. If other parties are receiving these codes before you, the risk that your accounts can be compromised goes up. And which organisations were the ones sending their users' 2FA codes through Fink? Only some of the biggest companies in the world, including Google, Amazon, Meta, and more.

The company at the centre of these reports, Fink Telecom Services, has a particularly concerning background. Fink, which routed these authentication messages through its network, has previously faced scrutiny over alleged connections to government surveillance agencies and contractors involved in mobile phone tracking.

This Isn't The First Blow SMS Security Codes Have Faced

This isn't the first time the security of SMS codes has come into question. SIM swap attacks, also called SIM hijacking, are on the rise. In these scams, fraudsters use stolen personal information to convince a mobile service provider to move the victim's phone number onto a SIM card the attacker controls. From that point on, every SMS verification code for the victim's accounts is delivered straight to the attacker.

What to Use Instead

Top Secure Alternatives:

  • Authenticator apps like Google Authenticator, Microsoft Authenticator, and Authy that generate time-based one-time passwords (TOTP) locally on the device. The code is computed from a secret shared once at enrolment plus the current time, so nothing is sent over the phone network and there is nothing for a carrier, aggregator or SIM swapper to read. Note that a TOTP code can still be handed to a phishing site by the user, so it is not phishing-resistant.
  • Hardware security keys (physical FIDO2/WebAuthn tokens) that provide the most secure form of 2FA for protecting sensitive accounts: the key signs a challenge bound to the genuine website, so the response is useless on a phishing page.
  • Passkeys stored securely on devices and synced across trusted ecosystems, offering the same protection against interception, phishing, and SIM-swapping attacks.
