Wireless Carrier Injects Ads Into Two-Factor Authentication Texts
from the deeper-down-the-rabbit-hole dept
Not only are countless systems and services not secure, security itself often isn't treated with the respect it deserves. And tools that are supposed to protect you from malicious actors are often monetized in self-serving ways. Like that time Facebook advertised a "privacy protecting VPN" that was effectively just spyware used to track Facebook users when they weren't on Zuckerberg's platform. Or that time Twitter was hit with a $250 million fine after it chose to use the phone numbers provided by users for two-factor authentication for marketing purposes (something Facebook was also busted for).
SMS verification messages themselves are now also being exploited as a marketing opportunity. Developer Chris Lacy was recently taken aback after an SMS two-factor authentication code from Google was injected with an SMS ad:
I just received a two factor authentication SMS from Google that included an ad. Google's own Messages SMS app flagged it as spam.
What a shameful money grab. pic.twitter.com/NeStIndR6q
— Chris Lacy (@chrismlacy) June 29, 2021
Google confirmed to 9to5Google that it didn't inject the ads, and that this was done by Lacy's wireless carrier (which he declined to reveal for privacy reasons). I've never seen a wireless carrier attempt this, and my guess is that (assuming he's in the States) this isn't one of the major three (AT&T, T-Mobile, and Sprint). It's most likely a smaller prepaid operator which, even in the wake of a more feckless FCC, faces some notable fines should the behavior get widespread attention. Both Google and Lacy say they're working with the anonymous carrier in question.
Needless to say, security experts like Kenn White weren't particularly impressed:
While I generally consider myself an eternal optimist, with telco carriers, I'm a fairly jaded SOB. That said, the fact that a mobile carrier would inject ads directly into otherwise authentic SMS content (especially from a major security service endpoint) is shocking to me. https://t.co/Mt6ZXnK7og
— Kenn White (@kennwhite) June 29, 2021
Ironically, the ad was for VPN services, which themselves promise layers of security and privacy that often don't exist, and it was sent over an SMS system that security researchers are increasingly warning isn't secure enough for two-factor authentication or much of anything else. We live in an era where we prioritize monetization, but pay empty lip service to security and privacy. What could possibly go wrong in a climate like that?
Filed Under: 2fa, ad injection, security, sms, two factor authentication
Reader Comments
I inject spam, courtesy of Monty Python.
So... Google's spam filter works correctly then?
If the post office opened people's letters to insert things, there would be hell to pay. Telco does the exact same thing and it's business as usual.
"...with a computer" magically making it all better once again?
Go ask that VPN provider for comments
Go after the advertiser. When they realize the money spent backfired on them, they will stop using that channel for ads.
Re: Go ask that VPN provider for comments
Get Avira VPN and antivirus suite, and protect yourself from injection attacks like this one!
"Hey - why don't we extract that code in transit, then make them click on our advertising link to reveal it?"
'You know what never mind, basic security is fine.'
Do you want people to be less secure by getting them to mistrust and not want to deal with two-factor authentication? Because this is how you get people to be less secure by getting them to mistrust and not want to deal with two-factor authentication.
... this isn't one of the major three (AT&T, T-Mobile, and Sprint)
Wouldn't Verizon be in that group? And T-mobile and Sprint are merged, as has been mentioned numerous times here.
Wow
Just wow...
Chris Lacy lives in Australia, so I'd imagine he uses an Australian telco.
Re:
I Google-searched the URL that was added and found several hits not involving this story.
It showed up on a couple of websites that appear to be Chinese-language sites, which offer a number you can use to receive an SMS; the number is cycled every so often.
Suddenly a bunch of light bulbs above people's heads just got a bit brighter, as this event gave a real-world example of things they were sure no one would ever do.
All the Ken Whites…
This is tangential, but
I noticed there's a
-Kenn White (as per this article)
-Ken White (a.k.a. Popehat)
-Ken Whyte (Canadian Library Hater)
Yet they all seem like they wouldn't want to be in the same room together.