
In 2023, millions of people across the globe received one-time login verification codes from companies such as Google, Meta, Amazon, and Binance. According to an investigation by Bloomberg Businessweek and Lighthouse Reports, many of these messages passed through the hands of a little-known Swiss firm—Fink Telecom Services. Despite employing fewer than ten people, this modest operation had access to, and potentially visibility into, sensitive data belonging to hundreds of thousands of users.
The SMS-based two-factor authentication mechanism, in which a confirmation code is sent via text, has long been a point of concern in digital security circles. The issue lies in the fact that companies rarely dispatch these codes directly. Instead, they are funneled through a complex web of intermediaries—ranging from major telecom providers to obscure entities offering low-cost routing. Within this convoluted system, the original sender has no guarantee of who is ultimately responsible for handling the message before it reaches its destination.
In June 2023, roughly one million such messages—including one-time passcodes—transited through Fink Telecom’s infrastructure. These included communications from major tech giants, European banks, the messaging apps Signal and WhatsApp, and the cryptocurrency exchange Binance. The recipients were spread across more than 100 countries. The information was supplied to journalists by an anonymous whistleblower and subsequently verified by independent technical experts.
Interest in Fink Telecom was far from coincidental. Its founder, Andreas Fink, had previously worked with state agencies and surveillance contractors. According to media reports and expert analyses, companies linked to Fink were involved in attacks on user accounts, intercepting SMS codes to gain access to private information.
In 2020, a wave of hacks targeting cryptocurrency wallets and email inboxes occurred in Israel. Investigations revealed that traffic was being intercepted through a global title registered to SMSRelay—another entity established by Fink. Despite claims that SMSRelay ceased operations in 2016, data analysis suggests its infrastructure remained active until at least 2023.
Journalists further uncovered that Fink Telecom either owned or leased global titles—specialized technical identifiers used for inter-network communication—in Switzerland, the United Kingdom, Namibia, and the Chechen Republic. In 2023, the international telecommunications body GSMA issued guidelines advising against leasing such identifiers, citing high abuse risks. Regulators in the UK have since banned these practices.
In correspondence with reporters, Fink denied the allegations, asserting that his company no longer engaged in surveillance-related activities and merely offered technical services without analyzing message content. However, as the investigation shows, the multilayered subcontracting model renders such claims nearly impossible to verify. Companies generating the codes—such as Google and Meta—do not work directly with Fink Telecom; their partners delegate tasks further down the chain, often without thoroughly vetting the recipients.
As a result, major corporations find themselves unable to guarantee the security of messages intended to protect user accounts. Google representatives confirmed a gradual transition away from SMS toward QR codes and other methods. Signal has already implemented a PIN-based safeguard for new device activation. Meta has informed its partners that collaboration with Fink Telecom and its subsidiaries is strictly prohibited.
Although the SMS authentication market is valued at $30 billion and the method is widely adopted worldwide, experts increasingly regard the model as outdated and fraught with risk. Minimal oversight, low barriers to entry, and inherent technical vulnerabilities allow even the smallest operations to intercept messages. Meanwhile, security system designers continue to rely on the hope that a simple line—“Do not share this code”—is a sufficient defense.