We've probably all received confirmation codes via text message when trying to enter into an account. These codes are intended to function as two-factor verification, confirming our identities and preventing cybercriminals from accessing our accounts solely through a password. But who handles the SMS codes, and can they be trusted?
New findings from Bloomberg and the collaborative investigative newsroom Lighthouse findings offer insight on how and why text-based codes might put people in danger. In their investigations, both organisations stated that they got at least a million data packets from a phone company whistleblower. Individual users got the packets, which contained SMS texts with two-factor authentication codes.
You may believe that these messages are handled directly by the companies and websites with which you have an account. However, Bloomberg and Lighthouse's investigation suggests that this is not always the case. In this case, the messages went through a contentious Swiss company called Fink Telecom Services. And Bloomberg used the label "controversial" to describe Fink for a reason.
"The company and its founder have worked with government spy agencies and surveillance industry contractors to surveil mobile phones and track user location. Cybersecurity researchers and investigative journalists have published reports alleging Fink's involvement in multiple instances of infiltrating private online accounts,” Bloomberg reported.
Of course, Fink Telecom didn't exactly take that and other comments lying down. In a statement shared with ZDNET, Fink called out the article: "A simple reading of this article reveals that it presents neither new findings nor original research," Fink noted in its statement. "Rather, it is largely a near-verbatim repetition of earlier reports, supplemented by selective and out-of-context insinuations intended to create the appearance of a scandal-without providing any substantiated factual basis.”
Bloomberg and Lighthouse discovered that the senders included major tech companies including Google, Meta, and Amazon. Several European banks were also involved, as were applications like Tinder and Snapshot, the Binance cryptocurrency market, and even encrypted communication apps like Signal and WhatsApp.
Why would businesses leave their two-factor authentication codes to an outside source, especially one with a questionable reputation? Convenience and money. External contractors can normally handle these types of SMS messages at a lower cost and with greater ease than enterprises themselves. That is especially true if a company has to interact with clients all around the world, which can be complicated and costly.
Instead, firms turn to providers like Fink Telecom for access to "global titles." A global title is a network address that allows carriers to interact between countries. This makes it appear that a company is headquartered in the same country as any of its consumers.
According to Lighthouse's investigation, Fink utilised worldwide titles in Namibia, Chechnya, the United Kingdom, and his native Switzerland. Though outsourcing such messages can be convenient, it carries risks. In April, UK phone regulator Ofcom banned global title leasing for UK carriers, citing the risk to mobile phone users.
The key issue here is whether the data in the documents examined by Bloomberg and Lighthouse was ever at risk. In an interview with Bloomberg, Fink Telecom CEO Andreas Fink stated: "Our company offers infrastructure and technical services, such as signalling and routing capabilities. We do not analyse or meddle with the traffic sent by our clients or their downstream partners.
Fink further shared the following statement with ZDNET:
"Fink Telecom Services GmbH has always acted transparently and cooperatively with the authorities," Fink said. "Legal opinions and technical documentation confirm that the company's routing services are standardized, internationally regulated, and do not require authorization under Swiss telecommunications law, export control law, or sanctions legislation. Authorities were also informed that the company is in no way involved in any misuse of its services.”
In terms of outsourcing, Google, Meta, Signal, and Binance informed Bloomberg that they did not deal directly with Fink Telecom. Google also stated that it was discontinuing the use of SMS to authenticate accounts, although Signal stated that it provided solutions to SMS vulnerabilities. A Meta representative told Bloomberg that the company has warned its partners not to do business with Fink Telecom.
