SMS Two-Factor Authentication Codes Intercepted

From Frank C

If you are still using 2FA instead of biometrics (touchID or FaceID), it is time to use the biometrics!!
https://9to5mac.com/2025/06/17/a-million-sms-two-factor-authentication-codes-were-intercepted-heres-what-to-do/

A million SMS two-factor authentication codes were intercepted; here’s what to do

Ben Lovejoy

A new report found that around a million two-factor authentication codes sent by text message appear to have been intercepted.

A tech industry whistleblower revealed that the 2FA security codes passed through an obscure foreign company with links to government intelligence agencies and companies engaged in digital surveillance …

SMS 2FA codes

Two-factor authentication (2FA) codes are intended to protect your accounts even if your login details have been obtained by hackers. If you have 2FA enabled, then after your password has been confirmed you’ll be prompted to enter a 6-digit code to prove your identity.

That code can be provided by an authenticator app with a rolling code linked to your account, or the website or app can text it to you on your registered mobile number.

The problem with the latter option is that SMS comms is completely unencrypted, so these codes are vulnerable to interception in the telecoms network.

A million codes intercepted

A whistleblower has come forward to report an interception program, providing Bloomberg with evidence to support the claim.

An industry whistleblower provided Bloomberg Businessweek and the investigative newsroom Lighthouse Reports with nonpublic phone networking data related to a batch of about 1 million messages carrying two-factor authentication codes sent during June 2023.

Each one passed through the hands of an obscure Swiss outfit named Fink Telecom Services. The company and its founder have worked with government spy agencies and surveillance industry contractors to surveil mobile phones and track user location […]

Senders include Google, Meta and Amazon.com, several European banks, popular apps such as Tinder and Snapchat, the cryptocurrency exchange Binance and encrypted chat platforms Signal and WhatsApp. The intended recipients were located in more than 100 countries across five continents.

That means a hacker – including a government agency – with access to your username and password could successfully log in to your accounts even when 2FA is enabled.

Fink’s CFO claimed that the company simply provides “routing capabilities” and “no longer works in surveillance.” However, security experts have linked Fink to cases where texted 2FA codes were used to break into accounts.

9to5Mac’s Take

This is yet another example of why you should always opt to use an authenticator app rather than text messages for your 2FA codes. Safer yet are passkeys, where Face ID or Touch ID is used to locally confirm your identity and no password is sent to the site or app.

Note that Apple uses its own proprietary 2FA system in which the codes are sent to your other Apple devices. This method is safe.
