Wireless Carrier Injects Ads Into Two-Factor Authentication Texts

from the deeper-down-the-rabbit-hole dept

Not only are countless systems and services not secure, security itself often isn't treated with the respect it deserves. And tools that are supposed to protect you from malicious actors are often monetized in self-serving ways. Like that time Facebook advertised a "privacy protecting VPN" that was effectively just spyware used to track Facebook users when they weren't on Zuckerberg's platform. Or that time Twitter was hit with a $250 million fine after it chose to use the phone numbers provided by users for two-factor authentication for marketing purposes (something Facebook was also busted for).

SMS verification ads themselves are also now being exploited as a marketing opportunity. Developer Chris Lacy was recently taken aback after an SMS two-factor authentication code from Google was injected with an SMS ad:

Google confirmed to 9to5Google they didn't inject the ads, and that this was done by Lacy's wireless carrier (which he refused to reveal for privacy purposes). I've never seen a wireless carrier attempt this, and my guess is that (assuming he's in the States) this isn't one of the major three (AT&T, T-Mobile, and Sprint). It's most likely a smaller prepaid operator which, even in the wake of a more feckless FCC, faces some notable fines should the behavior get widespread attention. Both Google and Lacy say they're working with the anonymous carrier in question.

Needless to say, security experts like Kenn White weren't particularly impressed:

Ironically the ad was for VPN services, which themselves promise layers of security and privacy that often don't exist. Sent over an SMS system that security researchers are increasingly warning isn't secure enough for two-factor authentication or much of anything else. We live in an era where we prioritize monetization, but pay empty lip service to security and privacy. What could possibly go wrong in a climate like that?

Filed Under: 2fa, ad injection, security, sms, two factor authentication

AT&T Injecting Ads Into Its Wi-Fi Hotspot Data Streams

from the the-man-in-the-middle-is-a-bit-of-a-jerk dept

Everybody wants a piece of the Internet advertising pie, and many are willing to sink to the very bottom of the well of stupidity to get what they believe is owed them. For years now ISPs, hardware vendors and even hotels simply haven't been able to help themselves, and have repeatedly been caught trying to inject their own ads over the top of user browsers and data streams. This is a terrible idea for a number of reasons, ranging from the fact that ad injection is effectively an attack on user traffic, to the obvious and inherent problem with defacing other people and organizations' websites and content with your own advertising prattle.

Still, companies like Comcast, Marriot and Samsung have all been caught trying to shove their ads over the top of user data streams. When pressed, most companies are utterly oblivious (or pretend to be utterly oblivious) as to why this behavior might not be that good of an idea.

AT&T appears to be the latest company to use its perceived power over the conduit to manipulate the message. Stanford computer science and legal lecturer Jonathan Mayer recently visited the Dulles airport in DC, and found AT&T's Wi-Fi hotspots pushing a number of pop up ads, overlaying themselves on browser content:AT&T's hotspots (or at least the one in Dulles) appear to be using technology provided by RaGaPa, a startup that promotes itself as an expert in "Wi-Fi Monetization and In-Browser User Engagement Solutions." RaGaPa's tech loads the page via the hotspot, then make three edits over HTTP: the injection of an advertising style sheet, the loading a backup advertisement (in case the user's browser has disabled Javascript), and the injection of a pair of scripts for managing advertisement selection and loading. There's no mention of this practice anywhere in AT&T's terms of service.

As already noted, this type of injection is highly problematic and sets an awful precedent:

"AT&T has an (understandable) incentive to seek consumer-side income from its free wifi service, but this model of advertising injection is particularly unsavory. Among other drawbacks: It exposes much of the user’s browsing activity to an undisclosed and untrusted business. It clutters the user’s web browsing experience. It tarnishes carefully crafted online brands and content, especially because the ads are not clearly marked as part of the hotspot service. And it introduces security and breakage risks, since website developers generally don’t plan for extra scripts and layout elements."

As Mayer also notes, this is a legally muddy area, and, worried about regulatory wrist slaps, most busted ISPs have very quickly and sheepishly backed away from the practice for fear of legal repercussions. I reached out to AT&T to see whether this is a one-off instance of stupidity on the part of AT&T or somebody else (like Dulles), or if aggressively and idiotically injecting itself into the user browsing experience is now going to be AT&T's standard operating procedure across the company's network of 30,000+ Wi-Fi hotspots.

Update: AT&T has sent us a statement indicating that this was part of a limited trial:

"Our industry is constantly looking to strike a balance between the experience and economics of free Wi-Fi. We trialed an advertising program for a limited time in two airports (Dulles and Reagan National) and the trial has ended. The trial was part of an ongoing effort to explore alternate ways to deliver a free Wi-Fi service that is safe, secure and fast."

Filed Under: ad injection, advertisements, dulles, encryption, wifi hotspot
Companies: at&t, ragapa

Mediacom Puts Its Own Ads On Other Websites, Including Google & Apple

from the lawsuit-waiting-to-happen dept

A few years ago, there were stories of ISPs who wanted to use deep packet inspection technology to inject their own content, especially advertising, onto websistes. AT&T even insisted that customers would like it if AT&T did this. Public outcry and Congressional scrutiny seemed to lead many ISPs to shelve such plans... but you knew it was only a matter of time.

Broadband Reports is noting that Mediacom, who recently started using DNS redirection to feed ads (rather than 404 pages) to people who ended up on non-existent web pages (and who made its "opt-out" option not really work), has jumped into the fray and is injecting its own ads for its own services on all sorts of websites including those of Google and Apple -- two companies known for caring an awful lot about what their website looks like in each and every pixel:

This seems like a lawsuit waiting to happen. If users choose to modify websites themselves, that's one thing, but having your ISP jump into the stream and adding its own advertisements to websites seems to go way over the line of what's appropriate. And, you have to wonder how effective it is. If I ever saw something like this, it would immediately make me look for alternative ISPs.

Filed Under: ad injection, deep packet inspection, isps
Companies: apple, google, mediacom