When we try to sign in an account, we receive all the confirmation code sent through the text message. Those codes are to serve two-factor authentication to confirm our identity and prevent scammers from reaching our accounts alone through passwords. But who really handles those SMS code, and can those people be trusted?
New report from both Bloomberg And allies investigative news room Lighthouse report Lesson-based codes can highlight people, putting people at risk. In their report, the two organizations revealed that they received at least one million data packets from a phone industry wheylorer. The packets had SMS messages with two-factor authentication code that were obtained by individual users.
Also also: Why multi-factor authentication is absolutely necessary in 2025
You may think that such messages are directly handled by companies and websites for which you have an account. But based on the analysis made by Bloomberg and Lighthouse, not necessarily the case. In this example, Sandesh passed through a controversial Swiss organization known as Fink Telecom services. And Bloomberg used the controversial word to describe Fink for one reason.
“The company and its founder have worked with government detective agencies and contractors of monitoring industry to survey and track user space,” Bloomberg said. “Cyber security researchers and investigative journalists have published the report accusing Fink participation in several examples of infiltration into private online accounts.”
Analyzing the data, Bloomberg and Lighthouse found that sectors consisted of prominent technical players such as Google, Meta and Amazon. Apart from this, there were many European banks in the mixture, tinder and snapshot such as apps, bense cryptocurrency exchanges, and even chat apps such as signal and WhatsApp were encrypted.
Why would companies hand over a two-factor authentication code to an external provider, especially with a controversial reputation? Convenience and money. External contractors can often handle these types of text messages more cheap and easily than companies themselves. This is especially true. If a business has to deal with customers around the world, a process that can be complex and expensive.
Instead, companies move to providers such as Fink Telecom because they have access to “global titles”. A Global title There is a network address that the carrier allows to communicate in different countries. It seems that it seems as if a company is based in a country similar to any of its customers. In its analysis, Lighthouse stated that she found that Fink used the global title in Namibia, Chechnya, UK and its original Switzerland.
Also: Got a new password manager? Do not leave your old login exposed in cloud – do it next
Although the practice of outsourcing such messages can be expedient, it runs the risk. This last April, UK Phone Regulatory Global title lease banned for Britain carrierMobile phone citing danger to users.
The important question here is whether the data in the records examined by Bloomberg and Lighthouse was ever at risk. In an exchanges with Bloomberg, Fink Telecom CEO Andreas Fink said: “Our company offers infrastructure and technical services including signaling and routing capabilities. We do not analyze or interfere with traffic transmitted by our customers or their downstream partners.”
For outsourcing companies, Google, Meta, Signal and Benance told Bloomberg that they did not work directly with Fink Telecom. Google said it was moving away from SMS as a way to certify accounts, while Signal said it presented ways to stop SMS weaknesses. A Meta spokesperson told Bloomberg that it alerted its partners not to engage with Fink Telecom.
Options for SMS
Whether the data was exposed in the question or not, the problem is the same. Since SMS lacks proper encryption, it has never been a safe and safe way to exchange certification code or other private information. For that reason, all companies should stop using it and turn to strong methods. Of course, it is easier than it is said. Nevertheless, there are steps that you can avoid this trap.
Also: Best Security Kunj of 2025: Expert Testing
When setting two-factor authentication for an account, do not choose SMS options. Instead, either use a physical security key or, more easily, an authentic app such as microsoft authentic or Google authentic. Such apps display a code that you have to enter on the website or app to confirm your login. Since the codes change every 30 seconds and are generated on your device, this method is much more strong and more resistant to theft than SMS.
Get top stories of morning with us in your inbox every day Tech Today Newsletter.
