How One-Time Passwords Became a Treasure Trove for Telecom Middlemen

By In Depth Reports
“Your code is 438021. Do not share it with anyone.” But what if it has already been shared—long before you saw it?
A global investigation by In Depth Reports reveals a gaping hole in the security infrastructure of some of the world’s biggest tech firms. Companies like Google, Meta, Amazon, and hundreds of others entrust one-time passwords (OTPs) to obscure telecom vendors. These codes are supposed to safeguard user accounts. Instead, they are regularly exposed to shadowy intermediaries who can see, intercept, or abuse them.
At the heart of this broken system lies a controversial Swiss company: Fink Telecom Services.
Inside the Global Machine That Sends You One-Time Codes
Every second, mobile networks transmit countless SMS messages. An increasing number of these are A2P (Application-to-Person) messages. They include bank verifications, login approvals, and two-factor authentication codes.
But these messages don’t travel directly from a bank or tech company to the user. Instead, they pass through a tangled web of aggregators, resellers, and regional telecom contractors. Each promises to deliver the SMS slightly cheaper than the next. It’s a process known in the industry as “lowest cost routing.”
The result? Your code might pass through a dozen entities across the globe, many of whom you’ve never heard of—and who face little or no oversight.
“There’s nothing stopping anyone from doing this work,” an industry insider told In Depth Reports. “Very quickly, a company can be handling billions of messages.”
The Fink Files: An Exclusive Leak of 100 Million Packets
In collaboration with Lighthouse, a nonprofit data-forensics organization, In Depth Reports gained access to a leaked dataset of nearly 100 million telecommunications packets.
This data, routed through the infrastructure of Fink Telecom Services, contained millions of OTP messages. They originated from more than 1,000 global companies, including:
- Meta (Facebook, WhatsApp, Instagram)
- Amazon
- Banks and financial institutions
- Crypto exchanges
- Encrypted messaging services like Signal and Viber
The text messages often included the recipient’s phone number, login codes, and even account usernames—all transmitted through a company tied to surveillance and hacking scandals.
Who Is Andreas Fink? From Engineer to Surveillance Enabler
The man behind the network is Andreas Fink, a telecom entrepreneur known for pushing the limits of regulation.
In 2023, an investigation by Lighthouse revealed that Fink Telecom offered real-time location tracking services to governments and private surveillance firms. His infrastructure has been tied to:
- The murder of a Mexican journalist
- The hacking of Southeast Asian email accounts
- The theft of cryptocurrency wallets in Israel
Fink denies direct involvement, claiming that these abuses were committed by “the customers of my customers.”
Yet, Fink Telecom remains deeply embedded in the infrastructure of OTP delivery worldwide.
The Game of Global Titles: Hiding in Plain Sight
How does a Swiss company gain access to message traffic from Big Tech?
Fink Telecom leases global titles (GTs)—network identifiers typically assigned to mobile operators. These titles allow Fink to appear as if operating from countries like Namibia, Chechnya, and the UK, even if its servers are in Switzerland.
This masking trick lets Fink avoid scrutiny, win contracts, and outcompete rivals by appearing more “local” than it is. In fact, the UK telecom regulator banned global title leasing earlier this year, citing national security and surveillance concerns.
When One Code Opens Everything
Leaked OTPs aren’t theoretical risks. They lead to real-world damage:
- In 2021, hackers used a stolen OTP to wipe out a cryptocurrency wallet.
- In another case, an OTP leak allowed attackers to breach a journalist’s Gmail, revealing confidential sources.
Despite this, OTPs are still the default method of two-factor authentication for millions, especially in countries with low internet penetration.
“SMS-based OTPs were never built for secure transactions,” says cybersecurity expert James Lowry. “They’re just easy and cheap.”
Big Tech’s Silent Compliance
Following Lighthouse’s revelations, Meta told reporters that it warned its partners not to engage with Fink Telecom.
But critics say the company’s response is too little, too late.
“These are trillion-dollar corporations relying on third-tier vendors with surveillance histories,” says Caitlin McDermott, a privacy researcher at Privacy Now. “Where was the due diligence?”
Google, Amazon, and others have declined to respond to specific questions about their OTP delivery chains.
The Wild West of Telecom Security
The SMS delivery ecosystem remains opaque. There is no mandatory public registry of who handles your OTPs. No unified global standard for vetting subcontractors. And virtually no penalties for data leakage.
“It’s a regulatory void,” says telecom policy analyst Naveed Ahmad. “Everyone assumes someone else is responsible.”
A Call for Accountability
This investigation makes one thing clear: the weakest link in digital security isn’t the users, but the system supposed to protect them.
- Tech companies must audit their vendors and provide transparency about routing.
- Regulators must enforce disclosure and vetting of subcontractors handling sensitive traffic.
- Users must demand alternatives to insecure SMS verification.
Until these changes happen, one-time passwords will remain vulnerable—not because we shared them, but because someone else already did.