A Bloomberg investigation examines the third parties involved in the SMS login code system. And their discovery is chilling, since one of the most important players in the sector is linked to secret services and surveillance operators.
WhatsApp, Signal, Amazon, Meta, Google, Binance… all these companies and applications base the security of their users' accounts, at least partially, on a two-factor authentication system with codes received by SMS. The system might seem reasonably secure, if we didn't already know that hackers have figured out how to intercept one-time codes using techniques such as SIM swapping.
However, the problem with this type of authentication runs much deeper than that. This is what a Bloomberg investigation (via ZDNET) reveals about the service providers that actually send these codes via SMS. The codes are never sent directly by the brands mentioned above. Instead, all of them use the Swiss specialist in the sector in Europe, Fink Telecom Services.
Codes received by SMS are not a problem for the secret services
And when you dig a little deeper, as our colleagues did, you quickly run into trouble. The company does indeed have control over a highly sensitive part of mobile networks. Fink has a direct connection to the global SS7 network, the private inter-operator network that can be used, among other things, to intercept the communications, location, and text messages of any mobile phone in circulation.
But that's not all, as Bloomberg reports: “The company and its founder have worked with government spy agencies and surveillance industry contractors to monitor cell phones and track users' locations.” And the site adds: “Cybersecurity researchers and investigative journalists have published reports alleging Fink's involvement in multiple infiltrations of private online accounts.”
So, as you can see, codes received by SMS are actually a much less secure login method than you might be led to believe. Governments and intelligence agencies are likely collaborating with companies like Fink to circumvent end-to-end encryption on WhatsApp, or even to access targets' crypto wallets on Binance. All of this with the complicity of a rather controversial actor.
To truly secure your accounts with two-factor authentication, it's recommended to switch, where possible, to a solution based on physical keys. Although it's worth noting that not all online services allow this yet.