One Million Two-Factor Authentication Codes Were Recently Exposed

One-time SMS codes are widely used as a second checkpoint in two-factor authentication (2FA) to log into everything from banking apps to email accounts. However, as I've written before, SMS is one of the least secure 2FA methods, because the codes travel in the clear and can be intercepted or redirected relatively easily.

It turns out that these codes can be visible to parties other than the sender (the service generating the code) and the recipient (you), increasing the risk that your accounts could be compromised by bad actors. As Bloomberg Businessweek reports, a little-known third-party telecommunications service had access to at least one million 2FA codes that passed through its network.

How Over a Million SMS Codes Were Compromised

An investigation by Bloomberg and Lighthouse Reports, based on information obtained from an industry whistleblower, found that in June 2023, Swiss company Fink Telecom Services received more than a million text messages containing 2FA codes. Acting as an intermediary between the companies generating the authentication codes and users logging into their accounts, Fink processed the messages and had access to their content.

The underlying weakness is SMS itself: messages are not end-to-end encrypted, so every carrier and aggregator that relays them can read their content. The Fink incident is particularly concerning because of the company's reported involvement in the surveillance industry and its alleged role in the hacking of user accounts.

According to the report, the messages came from senders such as Google, Meta, Amazon, Tinder, Snapchat, Binance, Signal, WhatsApp and several European banks, and were sent to recipients in more than 100 countries.

Companies typically route their text messages through intermediaries to get lower rates, which these intermediaries can offer thanks to large contracts with multiple carriers and the ownership or lease of so-called "global titles": SS7 network addresses that let carriers in different countries exchange traffic. Maintaining privacy and security standards when working with third parties is further complicated by the fact that Fink (and other companies like it) are often subcontractors of subcontractors, with no direct relationship to the company whose codes they handle.

Bottom line: if you use SMS as a second factor, you have no guarantee that nobody between the sender and your phone can read the code, and anyone who can read it can use it to take over your account within the code's validity window.


More secure 2FA alternatives

Unfortunately, many companies still rely on SMS for 2FA, but wherever a service offers another multi-factor authentication (MFA) method, you should choose it.

The most secure options are WebAuthn credentials, such as passkeys and hardware security keys, which are unlocked on the device with a biometric or a PIN. The private key never leaves your device or the key; the only thing sent to the server is a signature over a server-issued challenge bound to the site's origin, so there is no code for an intermediary to read, and a phishing site at a different address cannot obtain a valid signature. Authenticator apps such as Google Authenticator, which compute time-based one-time passwords (TOTP) on your device from a secret shared once at enrollment and refresh the code every 30 seconds, are also more secure than SMS, although a TOTP code can still be phished if you type it into the wrong site.

In general, requiring more authentication factors increases security, provided the factors are independent of one another and not all available on a single device.
