For a long time, getting a one-time passcode (OTP) by text message was seen as a safe way to protect online accounts. This extra step, called two-factor authentication (2FA), added a layer of security on top of a password. Banks, email services and social media platforms all promoted it as a shield against hackers. But today, that protection is not as reliable as we all once believed.
A Bloomberg investigation, carried out with Lighthouse Reports, has shown how vulnerable text-based 2FA really is. The report found that millions of OTPs for services like WhatsApp, Gmail, Signal and Tinder were secretly rerouted through the systems of a Swiss surveillance company. More than a million codes were intercepted, proving that criminals can exploit weaknesses in telecom networks on a massive scale. In other words, these security codes are already being stolen; they are not just theoretically at risk.
This problem adds to existing threats like SIM-swapping and phishing which have long been used to hijack phone numbers and trick users. Experts say the evidence is clear: people and organisations should stop relying on SMS for account security. Instead, stronger options like authentication apps, hardware keys, or biometric methods (such as fingerprint or face unlock) offer far better protection against today’s cybercriminals.
Weaknesses of SMS-based 2FA
SMS one-time passwords (OTPs) are still widely used because they are cheap and convenient. But experts warn that they are riddled with loopholes that criminals know how to exploit. The Bloomberg investigation is only the latest reminder of how insecure this method really is. Here are the main risks:
SIM-swapping Attacks
Fraudsters convince, or bribe, telecom staff (mostly working at the mobile operator’s service centre or gallery) to move a victim’s phone number to a new SIM card. Once that happens, every OTP meant for the victim goes straight to the criminal’s phone.
Malware that Steals OTPs
Some malicious apps, especially those downloaded from outside official app stores, can secretly forward OTPs to attackers. Certain malware on Android is designed specifically to collect these codes.
Exploiting the SS7 Network
Mobile networks still rely on an old system called SS7 (Signalling System 7, a set of telephony signalling protocols developed in the 1970s), which can be manipulated to intercept or redirect text messages. The technique is technically advanced but increasingly within reach of cybercriminals.
Phishing for Codes
Fake websites or login pop-ups trick users into typing in their OTPs. Since these codes expire quickly, attackers use automated tools to capture and use them in real time.
Surveillance and Rerouting
As Bloomberg and Lighthouse Reports uncovered, some telecom carriers and surveillance firms have systems that can scoop up OTPs on a large scale, sometimes before they even reach your phone.
Device Theft or Cloning
If someone steals your phone or clones your SIM, SMS-based 2FA becomes useless. Unlike authentication apps or hardware tokens, text messages are not securely tied to a single device.
Rise of MFA as a Safer Alternative
Multi-factor authentication (MFA) is a stronger, more modern form of account protection that goes beyond SMS codes. Instead of just a password and a text message, MFA uses methods that are far harder for criminals to steal or fake.
Authenticator Apps
Apps like Google Authenticator, Microsoft Authenticator or Authy generate security codes directly on your phone. These codes never travel through insecure mobile networks and can work even without internet access.
Push Notifications
Services from Google, Microsoft and Apple can send login approval requests straight to your phone. You simply tap ‘Yes’ or ‘No’, and many apps also show details like the location or device trying to log in, making it easier to spot fraud.
Hardware Security Keys
Devices such as YubiKey (a hardware authentication device from Yubico) or Titan Security Key (FIDO-compliant security token developed by Google) act like digital padlocks. Even if hackers know your password, they cannot get into your account without the physical key plugged into your device.
Biometric Authentication
Fingerprint scans and facial recognition provide an extra layer of security unique to you, something SMS messages cannot match. Almost all mobile devices support fingerprint or face unlock.
These methods create a secure, encrypted link between your device and the service provider. That makes it nearly impossible for criminals to intercept, reroute or copy your login codes.
Which Services Support MFA?
The good news is that most big platforms now let you use stronger options than SMS for two-factor authentication.
- Google: Supports authenticator apps, push notifications and hardware security keys.
- Microsoft: Offers app-based codes, push approvals and hardware tokens.
- Apple: Uses device-based approvals across your trusted Apple devices.
- Meta (Facebook, Instagram, WhatsApp): Works with authenticator apps and some hardware keys.
- X (Twitter): Allows authenticator apps and hardware keys, but has limited SMS 2FA for some users.
- E-commerce sites: Support authenticator apps for added protection.
- Banks and fintech apps: Increasingly use biometrics (like fingerprint or face unlock) or app-based verification in their mobile apps.
Switching from SMS to app-based or hardware MFA usually takes just a few minutes in your account settings, but it gives you far stronger security against hackers.
Protecting Yourself While SMS Is Still in Use
Not every service lets you switch off SMS-based 2FA yet. This is especially true for many banks and government systems. Until more secure options become standard, you can take a few steps to reduce your risk:
- Secure your number: Ask your mobile provider to add a SIM PIN or a porting lock so fraudsters cannot easily move your number to another SIM card. Check whether your mobile operator lets you change the default PIN (the most common defaults are 1234, 0000 and 1111) through the SIM lock settings on your device. Remember, however, that entering an incorrect PIN several times will lock the SIM, and you will then need to contact your operator for the PUK (personal unblocking key) to unlock it.
- Be careful with links: Watch out for phishing attempts and always double-check website addresses before entering passwords or codes.
- Avoid shady apps: Do not install apps from unknown sources, as some can secretly read your SMS messages.
- Use safe devices: Enter OTPs only on devices you trust.
- Keep an eye on accounts: Enable login alerts and regularly check for unusual activity.
Most importantly, turn on stronger MFA options—like authenticator apps, hardware keys or biometrics—the moment they are available and remove SMS OTPs as your default.
The Bloomberg-Lighthouse Reports investigation shows that these risks are not just theoretical. Over a million text-message codes have already been intercepted, proving that SMS authentication cannot be relied on for protecting important accounts.
Cybersecurity experts expect SMS OTPs to be gradually phased out in the coming years. New standards like Fast Identity Online 2 (FIDO2) and Web Authentication (WebAuthn) are paving the way for passwordless logins secured by hardware keys and biometrics. Until that future arrives, the safest step you can take is to enable MFA wherever possible.
SMS-based two-factor authentication once played an important role in online security. But today, it has become one of the weakest links. SIM-swapping, malware, outdated telecom systems, phishing and even large-scale surveillance have turned text-message codes into a liability instead of a defence.
The Bloomberg investigation makes this crystal clear: attackers are already intercepting millions of OTPs. Convenience aside, SMS codes can no longer be trusted to keep sensitive accounts safe.
For individuals, the priority should be to switch immediately to stronger protections like authenticator apps, hardware keys, or biometric login—especially for vital accounts such as email, banking and cloud storage. Organisations also need to speed up the move away from SMS-based security.
In today’s world, where digital identity is everything, relying on a simple text message is no longer an option.
Stay Alert, Stay Safe!