Whistleblower warning: 2FA codes sent via SMS are trivially easy to intercept

Weak Link: Two-factor authentication is designed to harden device security and make unauthorized access even trickier for bad actors. In the imperfect world we live in, however, there’s almost always a weak link, and one popular delivery method for 2FA is no exception.


Many implementations of two-factor authentication involve sending a one-time passcode to the end user via SMS. Once entered, the user is logged in and it’s business as usual. The problem is the inherent weakness of SMS, and the fact that you really have no idea who else laid eyes on the code before it landed in your inbox.

As Bloomberg highlights, most companies outsource 2FA code delivery to a third-party intermediary in order to save money, but trusting the wrong partner can be costly. To highlight the threat, an industry whistleblower provided Bloomberg with a batch of around one million messages containing 2FA codes that were sent in June 2023.

Each passed through a questionable Swiss company named Fink Telecom Services and contained both auto-generated login codes and data regarding the path from sender to recipient. The sender list is a who's who of major tech players including Amazon, Google, Meta, Snapchat, Tinder, Signal, and WhatsApp, just to name a few.

The publication verified the data with independent experts and cross-checked it against publicly available data, and found that it looks to be legit. Fink Telecom CEO Andreas Fink told Bloomberg that legal restrictions prevent them from looking at the content of the messages they process, adding that they no longer work in surveillance.

Those interested in a more foolproof solution are encouraged to consider biometric verification or a dedicated authenticator app when possible. The latter generates codes locally, either on a user’s phone or on standalone hardware, eliminating the SMS middleman.

This isn’t the first time we’ve heard of issues involving 2FA. Just last month, Valve confirmed that hackers had gained access to phone numbers and SMS 2FA records linked to most accounts. If you haven’t already, now would be a good time to change your Steam password and start using a 2FA dongle or app.

Image credit: Allison Saeng, Ed Hardie
