SMS-based two-factor authentication not as reliable as many think - Report
As a security-conscious individual, you have likely enabled the two-factor authentication (2FA) feature on your banking apps, emails, and social media applications to safeguard against security breaches and e-banking fraud.
The purpose of the two-factor authentication or 2-step verification, is to provide a security layer in addition to your username and password. So anytime you access your banking app or email, you receive a one-time confirmation code via SMS as a double measure to prevent unauthorized access. Ordinarily, this should assure you that your account is safe.
However, an investigation by Bloomberg and Lighthouse Reports shows that 2FA codes sent via text messages are not as secure as previously assumed. In their investigation, the newsrooms revealed that the companies generate the codes, then outsource delivery to third-party companies or middlemen, who pass the codes on to end users.
Bloomberg said this mode of operation, done to cut costs, exposes the user to the risk of unauthorised access and potential breach. It said codes sent via SMS, which characteristically does not offer solid security, can be accessed by a third party.
“It’s possible for entities that handle such messages to see their content. But the complexity of the system means neither the sender nor the recipient can be sure exactly who’s handled them along the way,” Bloomberg reported.
The news organisation said nonpublic phone-network data it received from an industry whistleblower contained about 1 million messages with two-factor authentication codes sent in June 2023. It said each of the codes had been routed through and accessed by Fink Telecom Services, a company with a history of collaborating with government spy agencies and surveillance industry contractors.
“The data includes messages with autogenerated login codes, along with the paths the messages took as they traveled to their final destinations. The intended recipients were located in more than 100 countries across five continents,” Bloomberg reported.
According to the report, the messages were sent from tech giants such as Google, Meta, Amazon, Signal, WhatsApp, Tinder, Snapchat, Binance, and several European banks.
Bloomberg reported that while Amazon, Snapchat, and Tinder did not respond to requests for comment, Google, Meta, Signal, and Binance stated that they did not work directly with Fink Telecom. Google also acknowledged the insecurity of SMS-based 2-factor authentication, telling the reporters that SMS came with “many challenges and security issues” and noting that the company was moving away from using SMS to authenticate accounts.
The report further revealed that Fink Telecom’s operations rely heavily on contracts with international mobile operators, granting access to global titles. These titles function like specialized phone numbers, enabling the company to send messages across borders to mobile networks worldwide.
By leasing these global titles from telecom companies, Fink Telecom can facilitate international messaging. This arrangement also benefits the telecom operators, which generate additional revenue by renting out their unused global titles to companies like Fink.
According to Bloomberg, Andreas Fink, CEO of Fink Telecom, denied allegations of improper activities, citing legal restrictions that prevent the company from accessing the content of messages it processes. He also claimed that the company has ceased involvement in surveillance activities.
As quoted by Bloomberg, Fink stated: “Our company provides infrastructure and technical services, including signalling and routing capabilities. We do not analyze or interfere with the traffic transmitted by our clients or their downstream partners.”
In Nigeria, banks and social media apps use third-party SMS providers or aggregators to send 2FA codes to users. These third parties, such as Termii, Infobip, Clickatell, and Cequens, use protocols such as SMPP to connect to mobile networks such as MTN and Airtel.
Though no direct cases of SMS vendors misusing 2FA codes in Nigeria have surfaced publicly, the potential is recognised. That is why Nigerian law criminalises such misuse, and regulators are pushing for tighter oversight and vendor accreditation.
For instance, Nigeria’s Cybercrimes (Prohibition, Prevention, etc) Act, 2015 forbids any service provider, including third-party SMS vendors, from accessing or disclosing users’ security codes without authorization.
Section 29(1) states: “Any person or organization who being a computer based service provider and or vendor does any act with intent to defraud and by virtue of his position as a service provider, forges, illegally used security codes of the consumer with the intent to gain any financial and or material advantage or with intent to provide less value for money in his or its services to the consumer shall if corporate organization be guilty of an offence and is liable to a fine of N5,000,000.00 and forfeiture of further equivalent of the monetary value of the loss sustained by the consumer.”
Meanwhile, a growing trend of SIM-swap scams has left victims losing thousands of Naira to fraudsters.
In one notable case from 2019, a victim’s MTN number suddenly displayed “invalid SIM card” and outgoing SMS and calls stopped. It was later discovered that someone in Abia State had swapped the SIM and withdrawn N7,107,540 using the victim’s bank alerts tied to the number.
In January, the Katsina Police arrested four suspects for running a SIM-swap syndicate that targeted unsuspecting individuals and drained their bank accounts.
In another incident this May, an IT professional fell victim to an Etisalat SIM-swap scam after visiting an experience centre. Fraudsters quickly obtained a new SIM and withdrew N400,000 from the victim’s bank account using banking alerts linked to the compromised line.
In a recent LinkedIn article, business lawyer Aaron Cohn shed light on the dangers of SIM swap scams. According to Mr Cohn, once a SIM swap is successfully executed, fraudsters gain control over the victim’s phone number, allowing them to intercept sensitive information.
“Including two-factor authentication codes, verification messages from banks or financial institutions, and other security measures,” he said.
To stay safe, experts recommend using more secure verification methods, such as biometric verification, hardware 2FA tokens, or app-based authenticator apps that generate codes locally on the device.
They also urge users to only use banks or services with strict vendor security policies and compliance in place.