How Google, Amazon, Meta and thousands of other companies leave customers vulnerable over one-time codes to save time and money
Simon Landrein for Bloomberg Businessweek

Two Factor Insecurity


Across the world, phone networks carry billions of passwords and login codes every day. Tech companies need to keep their subscribers logged in to their apps and accounts with maximum efficiency, wherever they might be, so these security codes need to get from Silicon Valley to everywhere as quickly (and as cheaply) as possible. For most people the codes are a necessary annoyance, until one is intercepted, with damaging consequences.

Companies, including banks and Big Tech, don’t send login codes to their customers directly. This would be costly and inefficient. Instead they rely on a sprawling and opaque network of contractors and subcontractors, each of which promises to shave a little off the sending cost in return for market share. This is what the industry calls “lowest cost routing”. The catch is that any of these middleman companies can read everything transmitted: SMS carries no end-to-end encryption, so a code arrives at each hop in plaintext. The codes that come saying “Do not share with anyone” might in fact already have been shared with more or less anyone.

METHODS

Lighthouse obtained a cache of almost 100 million data packets from a phone industry source. The data gave a unique insight into telecom traffic passing through the network of a controversial Swiss outfit. Millions of these packets contained “A2P” (application-to-person) SMS messages. We analysed these to identify senders, recipients and the type of message content.

We found millions of sensitive security codes and logins being sent via Fink Telecom Services. The logins related to services from some of the world’s largest tech companies – including Google, Meta and Amazon; banks and crypto exchanges; dating sites and online marketplaces; and messaging apps including WhatsApp, Viber and Signal. Overall we identified over 1,000 companies sending logins to their customers via the network run by maverick telecom entrepreneur Andreas Fink. The text messages we were looking at often contained the account name as well as the login code and the recipient’s phone number.
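The kind of analysis the Methods section describes is straightforward for anyone sitting on the route: a transit provider sees sender ID, destination number and message body in plaintext and can sort login codes from marketing in bulk. The script below is an added illustration, not Lighthouse’s own tooling or anything recovered from the data set. Every message in it is constructed, with fictional brands (ExampleBank, ShopCo, ChatApp), fake numbers and fake codes; the keyword and code patterns are assumptions about what typical verification SMS look like, not a definition used in the investigation.

```python
"""Sort a batch of A2P SMS messages the way a middleman on the route could.

Added example, not code from Lighthouse Reports. All traffic below is
constructed: fictional brands, fake phone numbers, fake codes.
"""
import re
from collections import Counter
from dataclasses import dataclass


@dataclass
class SmsRecord:
    """One A2P message as a transit provider sees it: plaintext, end to end."""
    sender: str      # alphanumeric sender ID or short code
    recipient: str   # destination phone number (MSISDN)
    body: str


# Constructed sample traffic (fictional services; none of these are real messages).
SAMPLE_TRAFFIC = [
    SmsRecord("ExampleBank", "+41790000001",
              "Your ExampleBank login code is 482913. Do not share it with anyone."),
    SmsRecord("ShopCo", "+44770000002",
              "ShopCo: 731 055 is your one-time passcode for alice@example.org."),
    SmsRecord("ChatApp", "+264810000003",
              "<#> Your ChatApp code is 220-418. Don't share this code. abCDEfGhIjK"),
    SmsRecord("12345", "+41790000004",
              "Flash sale! 20% off everything this weekend. Reply STOP to opt out."),
    SmsRecord("ExampleBank", "+41790000005",
              "Use 905127 to confirm the transfer of CHF 2,500 to account 98765."),
]

# Assumed vocabulary of login/verification messages (not from the investigation).
SECRET_KEYWORDS = re.compile(
    r"\b(code|passcode|password|verification|verify|login|one[- ]time|OTP|confirm)\b", re.I)
# A 4-8 digit code, allowing the "731 055" / "220-418" split that some senders use.
CODE_PATTERN = re.compile(r"(?<!\d)(\d{3}[ -]?\d{3}|\d{4,8})(?!\d)")
# Account identifiers that senders sometimes embed in the body itself.
EMAIL_PATTERN = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def classify(rec: SmsRecord) -> dict:
    """Return what an intermediary can harvest from one message body."""
    looks_secret = bool(SECRET_KEYWORDS.search(rec.body))
    code_match = CODE_PATTERN.search(rec.body) if looks_secret else None
    code = re.sub(r"[ -]", "", code_match.group(1)) if code_match else None
    email = EMAIL_PATTERN.search(rec.body)
    return {
        "sender": rec.sender,
        "recipient": rec.recipient,
        "is_secret": looks_secret and code is not None,
        "code": code,
        "account_hint": email.group(0) if email else None,
    }


def summarize(records):
    """Tally secret-bearing messages per sender, and count those that also
    leak an account identifier next to the code and phone number."""
    per_sender = Counter()
    fully_exposed = 0
    for rec in records:
        info = classify(rec)
        if info["is_secret"]:
            per_sender[info["sender"]] += 1
            if info["account_hint"]:
                fully_exposed += 1
    return per_sender, fully_exposed


if __name__ == "__main__":
    tally, exposed = summarize(SAMPLE_TRAFFIC)
    for sender, n in tally.most_common():
        print(f"{sender}: {n} login/verification message(s)")
    print(f"{exposed} message(s) exposed code, phone number and account name together")
```

Nothing here requires breaking any protection: the only input is the message body, which is exactly what each hop in a lowest cost route handles anyway. That is the practical meaning of “Do not share this code” having been sent through a party the user has never heard of.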

STORYLINES

We revealed in 2023 how Fink also worked as a contractor for the surveillance industry, offering location tracking services to government agencies and spy companies worldwide. Our investigation also linked his network to the murder of a Mexican journalist, the cracking of email accounts in South East Asia and the takeover of crypto wallets in Israel – events which Fink either denied or blamed on customers of his own customers.

How do untrusted entities and surveillance contractors like Fink Telecom end up as conduits for such sensitive personal info? The answer is that tech companies outsource sending their text messages to an opaque and sprawling marketplace of large and small companies, all offering to get messages to different parts of the world quicker and cheaper than their competitors.

“There’s nothing stopping anyone from doing this work,” an industry insider told us. “Very quickly a company can be handling billions of messages.”

Fink Telecom and other such companies can offer cheap routing in part because of their access to multiple different countries’ “global titles” – addresses on the SS7 signalling network that identify a network element to other operators and let it exchange traffic with them. As the phone industry has globalised, a flourishing trade in leasing these global titles has evolved, one outcome of which is that companies can appear to be present in countries other than their actual base. We found Fink Telecom using global titles in Namibia, Chechnya and the UK, as well as in its native Switzerland. Earlier this year the UK phone regulator, Ofcom, banned the leasing of UK global titles to other companies, citing risks of surveillance and account compromise.

Following our findings, Meta said that it had notified its partners that they should not subcontract to or otherwise engage with Fink Telecom. But privacy advocates questioned whether tech companies are doing adequate due diligence on their supply chain.