Checklist 428: Avoiding SMS for 2FA and a Plot Twist for 23andMe
Millions of 2FA Codes at Risk: Why SMS-Based Security Is No Longer Safe
For years, cybersecurity experts—including those on The Checklist podcast—have warned that SMS-based two-factor authentication (2FA) is fundamentally insecure. A new report from Bloomberg Businessweek, based on whistleblower disclosures, vividly illustrates why that caution remains more urgent than ever.
According to Bloomberg, a whistleblower provided phone networking data on approximately 1 million SMS-based 2FA codes transmitted during June 2023. These messages were handled by a relatively unknown Swiss company named Fink Telecom Services, which has alleged ties to government spy agencies and surveillance contractors.
Fink’s founder, when confronted by Bloomberg, would neither confirm nor deny that his company processed the 2FA codes—raising fresh questions about the security of such messages.
The report highlights the systemic flaws of SMS-based 2FA:
“When companies generate messages with one of these so-called two-factor authentication codes, they almost never send them directly. Instead they outsource the job, passing the codes through a thicket of intermediaries… It’s possible for entities that handle such messages to see their content.”
The companies using SMS-based 2FA are hardly minor players. The list reportedly includes Google, Meta, Amazon, Signal, WhatsApp, Binance, and popular platforms like Snapchat and Tinder—with messages destined for recipients in over 100 countries.
While Google, Meta, Signal, and Binance told Bloomberg they don’t work directly with Fink Telecom, critics argue this does little to reassure users. Google claims it is “moving away from SMS for 2FA,” while Signal said it adds a PIN protection feature to mitigate SMS vulnerabilities. Meta says it has reminded partners to avoid insecure providers like Fink going forward. Amazon, Snapchat, and Tinder did not comment.
The larger issue remains: SMS is an outdated, insecure technology vulnerable to interception and manipulation. As ZDNet advises:
“Don’t choose the SMS option. Instead, use a physical security key or an authenticator app such as Microsoft Authenticator or Google Authenticator.”
An even stronger solution is passkeys, says 9to5Mac:
“Face ID or Touch ID is used to locally confirm your identity and no password is sent to the site or app.”
Ultimately, The Checklist reminds listeners: while SMS 2FA is “better than nothing,” it is no longer good enough in today’s threat landscape. If given the choice, always select app-based authentication or hardware-based solutions.
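To make concrete why an authenticator app sidesteps the intermediary problem described above, here is an added example (not code from The Checklist, Bloomberg, or any of the vendors named) of the HOTP/TOTP scheme (RFC 4226 / RFC 6238) that Google Authenticator, Microsoft Authenticator and similar apps implement. The code is computed independently on the phone and on the server from a shared secret and the current 30-second time step, so at login time no code travels through a carrier or SMS aggregator at all; the only thing ever shared is the enrollment secret, once, usually by QR code. The demo secret is the published RFC test vector, and the verification routine, with its clock-drift window and replay rejection, is an assumption about how a reasonable server might behave, not any particular vendor's implementation.

```python
"""Added example: RFC 4226 HOTP and RFC 6238 TOTP, the scheme behind
authenticator apps. Not code from The Checklist or any vendor."""
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional, Tuple

# The RFC 4226/6238 reference secret, in the base32 form an app receives it
# from an otpauth:// provisioning QR code (ASCII bytes "12345678901234567890").
DEMO_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def decode_secret(b32: str) -> bytes:
    """Base32-decode a provisioning secret, tolerating spaces and missing padding."""
    s = b32.strip().replace(" ", "").upper()
    s += "=" * (-len(s) % 8)
    return base64.b32decode(s)


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                     # low nibble of last byte picks the window
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at: Optional[int] = None, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: HOTP with the counter set to the current time step.

    Both the phone and the server run exactly this; nothing is transmitted."""
    if at is None:
        at = int(time.time())
    return hotp(secret, at // step, digits)


def verify_totp(secret: bytes, submitted: str, at: int, last_step: int = -1,
                step: int = 30, digits: int = 6, drift: int = 1) -> Tuple[bool, int]:
    """Server-side check (assumed design, not a specific vendor's).

    Accepts the code for the current step or +/- `drift` steps to absorb clock
    skew, compares in constant time, and refuses any step at or before the
    last accepted one so a captured code cannot be replayed.
    Returns (accepted, new_last_step)."""
    current = at // step
    for candidate in range(current - drift, current + drift + 1):
        if candidate <= last_step:
            continue                            # already consumed: replay rejected
        if hmac.compare_digest(hotp(secret, candidate, digits), submitted):
            return True, candidate
    return False, last_step


if __name__ == "__main__":
    key = decode_secret(DEMO_SECRET_B32)
    print("current code:", totp(key))
    # RFC 6238 Appendix B vector: T=59 -> 8-digit code 94287082
    print("T=59 ->", totp(key, 59, digits=8))
```

The property worth noticing is that `totp()` is a pure function of the secret and the clock: intercepting the login channel yields nothing, and the `last_step` bookkeeping in `verify_totp()` means even a code shoulder-surfed during its 30-second window is single-use. Contrast that with SMS, where the code itself is the payload handed to every carrier and aggregator on the route.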
Plot Twist: 23andMe’s Founder Reclaims the Company After Bankruptcy Drama
The saga of DNA testing giant 23andMe took an unexpected turn this week, as its founder and former CEO, Anne Wojcicki, emerged as the surprise buyer of the embattled company—reclaiming control through her nonprofit, TTAM Research Institute.
Just weeks ago, on The Checklist podcast, it seemed that pharmaceutical firm Regeneron would acquire 23andMe. The plan was to preserve the company’s operations and staff while ensuring no further loss of sensitive user data. As Engadget reported, “Regeneron had previously planned to keep on all of [23andMe’s] employees and continue offering consumer DNA testing kits.”
However, in a courtroom twist, Wojcicki’s nonprofit submitted an unsolicited $305 million bid to reclaim her former company. According to The Wall Street Journal (via Engadget), a bankruptcy judge allowed the bidding to reopen—on the condition that Regeneron would need to raise its offer by at least $10 million. Regeneron declined, leaving the door open for Wojcicki’s purchase—pending final court approval.
Assuming the sale proceeds, Wojcicki’s return signals a back-to-basics approach with an emphasis on data privacy—a key concern after past breaches exposed millions of customer records.
Per Engadget, the TTAM Research Institute has publicly committed to the following protections:
- Honor existing 23andMe policies that allow users to delete their data and opt out of research—“in perpetuity.”
- Prohibit sale or transfer of genetic data in any future bankruptcy or change of ownership—unless the buyer adopts equivalent privacy standards.
- Create a Consumer Privacy Advisory Board within 90 days of closing the deal.
- Increase transparency about data protection practices.
- Provide two years of free Experian identity theft monitoring to customers.
- Email all customers in advance of the sale to outline privacy protections and explain how to delete their data or opt out of research.
For privacy-conscious users, The Checklist reminds listeners: you don’t have to wait. The notes from Episode No. 417 detail how to download your 23andMe data, delete your account, destroy your DNA sample, and withdraw research consent.
While the court’s final approval is still pending, for now it appears that Anne Wojcicki is poised to retake the reins at 23andMe—with the goal of rebuilding trust and tightening safeguards around millions of customers’ genetic data.