Wireless Carrier Injects Ads Into Two-Factor Authentication Texts
from the deeper-down-the-rabbit-hole dept
Not only are countless systems and services not secure, security itself often isn’t treated with the respect it deserves. And tools that are supposed to protect you from malicious actors are often monetized in self-serving ways. Like that time Facebook advertised a “privacy protecting VPN” that was effectively just spyware used to track Facebook users when they weren’t on Zuckerberg’s platform. Or that time Twitter was hit with a $250 million fine after it chose to use the phone numbers provided by users for two-factor authentication for marketing purposes (something Facebook was also busted for).
SMS verification ads themselves are also now being exploited as a marketing opportunity. Developer Chris Lacy was recently taken aback after an SMS two-factor authentication code from Google was injected with an SMS ad:
I just received a two factor authentication SMS from Google that included an ad. Google's own Messages SMS app flagged it as spam.
What a shameful money grab. pic.twitter.com/NeStIndR6q
— Chris Lacy (@chrismlacy) June 29, 2021
Google confirmed to 9to5Google they didn’t inject the ads, and that this was done by Lacy’s wireless carrier (which he refused to reveal for privacy purposes). I’ve never seen a wireless carrier attempt this, and my guess is that (assuming he’s in the States) this isn’t one of the major three (AT&T, T-Mobile, and Sprint). It’s most likely a smaller prepaid operator which, even in the wake of a more feckless FCC, faces some notable fines should the behavior get widespread attention. Both Google and Lacy say they’re working with the anonymous carrier in question.
Needless to say, security experts like Kenn White weren’t particularly impressed:
While I generally consider myself an eternal optimist, with telco carriers, I'm a fairly jaded SOB. That said, the fact that a mobile carrier would inject ads directly into otherwise authentic SMS content (especially from a major security service endpoint) is shocking to me. https://t.co/Mt6ZXnK7og
— Kenn White (@kennwhite) June 29, 2021
Ironically the ad was for VPN services, which themselves promise layers of security and privacy that often don’t exist. Sent over an SMS system that security researchers are increasingly warning isn’t secure enough for two-factor authentication or much of anything else. We live in an era where we prioritize monetization, but pay empty lip service to security and privacy. What could possibly go wrong in a climate like that?
Filed Under: 2fa, ad injection, security, sms, two factor authentication
Comments on “Wireless Carrier Injects Ads Into Two-Factor Authentication Texts”
I Inject spam, courtesy of Monty Python.
So… Google’s spam filter works correctly then?
If the post office opened peoples letters to insert things, there would be hell to pay. Telco does the exact same thing and its business as usual.
"…with a computer" magically making it all better once again?
Go ask that VPN provider for comments
Go after the advertiser. When they realize the money spent backfired on them, they will stop use that channel for ads.
Re: Go ask that VPN provider for comments
Get Avira VPN and antivirus suite, and protect yourself from injection attacks like this one!
"Hey – why don’t extract that code in transit, then make them click on our advertising link to reveal it?"
'You know what never mind, basic security is fine.'
Do you want people to be less secure by getting them to mistrust and not want to deal with two-factor authentication? Because this is how you get people to be less secure by getting them to mistrust and not want to deal with two-factor authentication.
... this isn't one of the major three (AT&T, T-Mobile, and Sprin
… this isn’t one of the major three (AT&T, T-Mobile, and Sprint)
Wouldn’t Verizon be in that group? And T-mobile and Sprint are merged, as has been mentioned numerous times here.
Wow
Just wow…
Chris Lacy lives in Australia, so I’d imagine he uses an Australian telco.
Re: Re:
I google searched the url that was added, I found several hits not involving this story.
It showed up one a couple websites that appear to be Chinese language sites, that offer a number you can use to get an SMS & the number is cycled every so often.
Suddenly a bunch of light bulbs above peoples head just got a bit brighter as this event gave the real world example of things they were sure no one would ever do.
All the Ken Whites…
This is tangential, but
I noticed there’s a
-Kenn White (as per this article)
-Ken While (a.k.a. Popehat)
-Ken Whyte (Canadian Library Hater)
Yet they all seem like they wouldn’t want to be in the same room together.