
Why SMS two-factor authentication codes aren't safe and what to use instead


We've probably all received confirmation codes sent via text message when trying to sign into an account. Those codes are supposed to serve as two-factor authentication to confirm our identity and prevent scammers from accessing our accounts through a password alone. But who actually handles those SMS codes, and can those people be trusted?

New reports from both Bloomberg and collaborative investigative newsroom Lighthouse Reports shed light on how and why text-based codes can put people at risk. In their reports, both organizations revealed that they obtained at least a million data packets from a phone industry whistleblower. The packets contained SMS messages with two-factor authentication codes that were received by individual users.

You may think that such messages are handled directly by the companies and websites for which you have an account. But based on analysis conducted by Bloomberg and Lighthouse, that's not necessarily the case. In this instance, the messages passed through a controversial Swiss outfit named Fink Telecom Services. And Bloomberg used the term controversial to describe Fink for a reason.

"The company and its founder have worked with government spy agencies and surveillance industry contractors to surveil mobile phones and track user location," Bloomberg reported. "Cybersecurity researchers and investigative journalists have published reports alleging Fink's involvement in multiple instances of infiltrating private online accounts."

Analyzing the data, Bloomberg and Lighthouse found that the senders included such major tech players as Google, Meta, and Amazon. Also in the mix were several European banks, apps such as Tinder and Snapshot, the Binance cryptocurrency exchange, and even encrypted chat apps like Signal and WhatsApp.

Why would companies entrust two-factor authentication codes to an outside provider, especially one with a controversial reputation? Convenience and money. External contractors can often handle these types of text messages more cheaply and easily than the companies themselves. That's especially true if a business has to deal with customers around the world, a process that can be complicated and expensive.

Instead, companies turn to providers like Fink Telecom because of their access to "global titles." A global title is a network address that lets carriers communicate across different countries. This makes it seem as if a company is based in the same country as any of its customers. In its analysis, Lighthouse said it found that Fink used global titles in Namibia, Chechnya, the UK, and its native Switzerland.
