Authentication MELTDOWN—Top Tech Giants Compromised


A Swiss telecom company with surveillance industry ties gained access to over one million SMS authentication codes from major tech companies including Google, Meta, and Amazon, exposing millions of users who rely on SMS-based two-factor authentication for protection to potential security breaches.

Key Takeaways

  • Fink Telecom Services, a Swiss company with ties to government spy agencies, had access to over one million SMS containing two-factor authentication codes in June 2023 alone
  • The compromised authentication codes came from major tech companies including Google, Meta, and Amazon, affecting users across more than 100 countries
  • SMS-based two-factor authentication is fundamentally insecure because messages travel through multiple third parties without proper encryption
  • Users should switch to more secure authentication methods like WebAuthn credentials, physical security keys, or authenticator apps that don’t rely on SMS
  • Companies outsource SMS authentication to save money, often sacrificing security and privacy in the process

Massive Security Breach Exposes Digital Identity Vulnerability

An investigation conducted by Bloomberg Businessweek and Lighthouse Reports has uncovered a critical security flaw that threatens millions of Americans who rely on text messages for account security. The investigation revealed that Fink Telecom Services, a Swiss company with troubling connections to surveillance activities, had unrestricted access to over one million SMS messages containing sensitive two-factor authentication codes in June 2023 alone. These authentication codes were being sent by major technology companies including Google, Meta, Amazon, and others to recipients in more than 100 countries.

“An investigation led by Bloomberg and Lighthouse Reports—based on data received from an industry whistleblower—found that more than a million text messages containing 2FA codes were visible to Swiss company Fink Telecom Services during June 2023,” according to Bloomberg and Lighthouse Reports.

The Dangerous World of SMS Authentication

This security breach highlights what cybersecurity experts have been warning about for years: SMS-based two-factor authentication is fundamentally flawed. When you receive a six-digit code via text message to verify your identity, that message travels through numerous intermediaries before reaching your phone. Along this journey, the message remains largely unencrypted and accessible to various third parties involved in the transmission process. The problem stems from how the global telecommunications system was designed decades ago, with little consideration for modern security concerns.

“The company and its founder have worked with government spy agencies and surveillance industry contractors to surveil mobile phones and track user location,” according to Bloomberg, about Fink Telecom.

What makes this situation particularly alarming is Fink Telecom’s reported connections to government surveillance operations. The company has allegedly worked with spy agencies and surveillance contractors, raising serious questions about who might have access to these authentication codes and how they might be misused. Despite these concerns, Fink Telecom CEO Andreas Fink issued a statement defending the company’s practices while not directly addressing the security implications of their access to authentication codes.

Corporate Cost-Cutting at the Expense of Security

The root of this problem lies in how major tech companies handle authentication messages. Rather than maintaining direct relationships with mobile carriers worldwide, companies typically outsource SMS delivery to intermediaries like Fink Telecom to reduce costs. These intermediaries use technical mechanisms called “global titles” to facilitate international message routing – a practice so concerning that it has been banned in the UK due to security risks. This cost-cutting approach creates a complex web of third parties with access to sensitive authentication information.

“Our company provides infrastructure and technical services, including signalling and routing capabilities. We do not analyze or interfere with the traffic transmitted by our clients or their downstream partners,” said Fink Telecom CEO Andreas Fink in response to the investigation.

When confronted with the findings, companies like Google and Meta distanced themselves from Fink Telecom, stating they don’t work directly with the company. However, this response fails to address the fundamental issue – their authentication codes are still passing through Fink’s systems due to the complex routing architecture of global telecommunications networks. Some companies have acknowledged the problem and are gradually moving away from SMS-based authentication, but progress has been slow and many services still rely primarily on text messages for verification.

Protecting Yourself in an Insecure World

For Americans concerned about their digital security, cybersecurity experts are clear: stop using SMS for two-factor authentication whenever possible. More secure alternatives include dedicated authenticator apps like Google Authenticator or Microsoft Authenticator, which generate time-based codes directly on your device without transmitting them over unsecured networks. Physical security keys such as the YubiKey provide even stronger protection by requiring a physical device to be present during authentication, eliminating remote interception possibilities.

“As reported by Bloomberg Businessweek, an obscure third-party telecom service had access to at least one million 2FA codes that passed through its network,” according to Bloomberg Businessweek, in their report on the breach.

The most promising solution may be the emerging “passkey” standard, which eliminates the need for both passwords and authentication codes by using strong cryptographic methods to verify identity. While passkey support is still limited, major platforms including Apple, Google, and Microsoft are rapidly implementing this technology. Until passkeys become universally adopted, Americans should take immediate steps to move away from SMS-based verification for any accounts containing sensitive information, particularly financial services, email accounts, and social media platforms with personal information.