38.4k unique visitors in the last 3 days

The Role of Telecoms’ Murky Intermediaries Highlighted by Bloomberg Article

Information shared by a whistleblower has drawn some attention to the creepy-crawlies that lurk in the dark recesses of the comms sector.

The title of a new Bloomberg article by Ryan Gallagher, Crofton Black and Gabriel Geiger conjures up the kinds of problems that many comms industry insiders have long been aware of, but have generally been reluctant to discuss.

How a Tiny Middleman Could Access Two-Factor Login Codes From Tech Giants

Every day, millions of people sign in to their email, banking app or social media accounts with both their password and a one-time login code they receive by text message. The codes often arrive with a warning: “Do not share this with anyone.” The recipients of those warnings, though, have no way of knowing who saw it before it got to them.

Written in collaboration with Lighthouse Reports, this Bloomberg article focuses on the risk of one-time passwords (OTPs) being visible to, and potentially exploited by the intermediaries that convey them. It is an important topic, but it should also be seen as a specific example of a more general challenge. The public and legislators know the names of the big brand telcos that provide services to the public. They know nothing about the many smaller businesses that provide the ‘wiring’ which is essential to the lowest cost routing of messages and calls. The world is largely ignorant of the choices made by businesses who generate large volumes of messages and calls but only care about keeping the cost as low as possible, without any regard for whether these communications have been conveyed securely. The risk to the public is rarely examined, and never properly evaluated. This Bloomberg article is only chipping away at the outer extremities of this issue.

Intermediaries may assert that they comply with all rules and regulations, but the awareness of their business practices is so low, and the enforcement of obligations so weak, that anti-fraud experts working for comms providers with integrity will complain that much of the industry is lawless. They further complain that data protection law and contractual clauses prevent them from revealing what they know. Such remarks are often made sotto voce because they are considered eminently true but unprovable in a court of law. The overuse of OTPs sent by A2P SMS, and the consequent evolution of crime factories dedicated to intercepting these OTPs, may have prompted the public and the authorities to take a closer look at the role of intermediaries. A wider cross-section of people is beginning to understand how often communications relies on trust, and how little is done to ensure the trustworthiness of businesses involved in handling communications.

The Bloomberg article is grounded in data supplied by a whistleblower.

An industry whistleblower provided Bloomberg Businessweek and the investigative newsroom Lighthouse Reports with nonpublic phone networking data related to a batch of about 1 million messages carrying two-factor authentication codes sent during June 2023. Each one passed through the hands of an obscure Swiss outfit named Fink Telecom Services. The company and its founder have worked with government spy agencies and surveillance industry contractors to surveil mobile phones and track user location. Cybersecurity researchers and investigative journalists have published reports alleging Fink’s involvement in multiple instances of infiltrating private online accounts.

It is natural that the journalists responsible for this article would focus on hard facts, and there is nothing harder than obtaining “a cache of almost 100 million data packets from a phone industry source”, as stated in the associated piece on the website of Lighthouse Reports. Nevertheless, this is a tiny drop in an ocean of insecure communications. I routinely hear stories from industry insiders about businesses using cheapskate providers of comms services that cut corners and consequently put the general public at risk. Sometimes insiders encourage me to run stories that I have to refuse because publication would be an invitation to sue Commsrisk for defamation. This Bloomberg article provides a rare example of the naming and shaming of businesses that have used overly cheap comms services without caring about the potential harm to ordinary phone users.

Given these alleged connections to security breaches, the data showing Fink’s continued access to such messages “is a shocking example that shows why companies should not be sending account authentication or login codes by text message,” says Pat Walshe, a privacy expert. “Technology companies are not doing good-enough due diligence on their own supply chain.”

That is pretty strong criticism from a guy who was previously the Director of Privacy for the GSMA. I am not going to go into detail about the claims made in the article about Andreas Fink and his business because I have enough stress dealing with the threats I have received from Carter-Ruck, a notorious firm of libel lawyers, on behalf of the scumbags who run Global Voice Group (GVG). Nevertheless, it is worth reiterating the businesses being held accountable by this Bloomberg article.

The senders include Google, Meta and Amazon.com, several European banks, popular apps such as Tinder and Snapchat, the cryptocurrency exchange Binance and encrypted chat platforms Signal and WhatsApp. The intended recipients were located in more than 100 countries across five continents.

Lighthouse Reports did have some good news to share, but it also highlights that other big businesses are refusing to make the same commitment.

Following our findings, Meta said that it had notified its partners they shouldn’t subcontract or otherwise engage with Fink Telecom.

Crucially, they also observed how the risks created for the public are endemic to the way the communications industry currently functions.

Fink Telecom and other such companies can offer cheap routing in part because of their access to multiple different countries’ “global titles” — the network access points used by telecom operators to communicate with each other. As the phone industry has globalised, a flourishing trade in leasing these global titles has evolved, one outcome of which is that companies can appear to be present in countries other than their actual base. We found Fink Telecom using global titles in Namibia, Chechnya and the UK, as well as its native Switzerland. Earlier this year the UK phone regulator banned the leasing of UK global titles to other companies, citing risks of surveillance and account cracks.

And there lies the rub. One country has taken necessary action to stop the abuse of Global Titles; all the others have not. The GSMA published a code of conduct to curb the misuse of Global Titles; no relevant business has agreed to abide by it voluntarily. Self-regulation is a busted flush, a sham promoted by scoundrels who want to profit from the concern generated by fraud but who are neither willing nor able to tackle bad actors. Actual regulation is desperately required but conspicuous by its absence, probably because regulators know almost nothing about the multitude of intermediaries, and hence remain incapable of distinguishing between those who are trustworthy and those who are not. Industry associations devote their resources to the marketing of inadequate technological quick fixes instead of discussing the root-and-branch industry reform that is really needed. Bad actors pay for access and influence, and few are willing to turn them and their money away. Some of the dark recesses of the comms industry are being brought to light. Much more remains in shadow.

The Bloomberg article on Fink and telecoms intermediaries can be found here and the Lighthouse Reports version of the story is here.

Eric Priezkalns
Eric Priezkalnshttp://revenueprotect.com

During his career, Eric has been a Director of Risk Management for a national telco, the Chief Executive of the Risk & Assurance Group, a Chief Marketing Officer for a software business, a consultant, a public speaker and the publisher of Commsrisk since its launch in 2006. Look here for more about the history of Commsrisk and the role played by Eric.

The comms providers that Eric has worked for include Qatar Telecom, Cable & Wireless, T‑Mobile, Sky and Worldcom. In addition to his proficiency at speaking about the current scamdemic, Eric is also a qualified chartered accountant and a subject matter expert in consumer protection, enterprise risk management, fraud prevention, data integrity and billing accuracy. Eric was the lead author of Revenue Assurance: Expert Opinions for Communications Providers, published by CRC Press. He can be reached through the contact form on this website.

Related Articles

The Commsrisk Global Fraud Dashboard


Our Global Fraud Dashboard uses AI-powered search to collate, update and visualize data about scams and other network abuses from around the world. New charts are added each month. See it here.

Get Our Weekly Newsletter by Email