Wireless Carrier Injects Ads Into Two-Factor Authentication Texts

from the deeper-down-the-rabbit-hole dept

Not only are countless systems and services not secure, security itself often isn't treated with the respect it deserves. And tools that are supposed to protect you from malicious actors are often monetized in self-serving ways. Like that time Facebook advertised a "privacy protecting VPN" that was effectively just spyware used to track Facebook users when they weren't on Zuckerberg's platform. Or that time Twitter was hit with a $250 million fine after it chose to use the phone numbers provided by users for two-factor authentication for marketing purposes (something Facebook was also busted for).

SMS verification ads themselves are also now being exploited as a marketing opportunity. Developer Chris Lacy was recently taken aback after an SMS two-factor authentication code from Google was injected with an SMS ad:

Google confirmed to 9to5Google they didn't inject the ads, and that this was done by Lacy's wireless carrier (which he refused to reveal for privacy purposes). I've never seen a wireless carrier attempt this, and my guess is that (assuming he's in the States) this isn't one of the major three (AT&T, T-Mobile, and Sprint). It's most likely a smaller prepaid operator which, even in the wake of a more feckless FCC, faces some notable fines should the behavior get widespread attention. Both Google and Lacy say they're working with the anonymous carrier in question.

Needless to say, security experts like Kenn White weren't particularly impressed:

Ironically the ad was for VPN services, which themselves promise layers of security and privacy that often don't exist. Sent over an SMS system that security researchers are increasingly warning isn't secure enough for two-factor authentication or much of anything else. We live in an era where we prioritize monetization, but pay empty lip service to security and privacy. What could possibly go wrong in a climate like that?

Hide this

Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.

Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.

While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.

–The Techdirt Team

Filed Under: 2fa, ad injection, security, sms, two factor authentication


Reader Comments

Subscribe: RSS

View by: Time | Thread


  • identicon
    Anonymous Coward, 1 Jul 2021 @ 6:56am

    I Inject spam, courtesy of Monty Python.

    reply to this | link to this | view in chronology ]

  • icon
    PaulT (profile), 1 Jul 2021 @ 7:25am

    So... Google's spam filter works correctly then?

    reply to this | link to this | view in chronology ]

  • identicon
    Anonymous Coward, 1 Jul 2021 @ 8:40am

    If the post office opened peoples letters to insert things, there would be hell to pay. Telco does the exact same thing and its business as usual.

    "...with a computer" magically making it all better once again?

    reply to this | link to this | view in chronology ]

  • icon
    t4chdi (profile), 1 Jul 2021 @ 9:13am

    Go ask that VPN provider for comments

    Go after the advertiser. When they realize the money spent backfired on them, they will stop use that channel for ads.

    reply to this | link to this | view in chronology ]

    • identicon
      Anonymous Coward, 1 Jul 2021 @ 5:08pm

      Re: Go ask that VPN provider for comments

      Get Avira VPN and antivirus suite, and protect yourself from injection attacks like this one!

      reply to this | link to this | view in chronology ]

  • identicon
    Anonymous Coward, 1 Jul 2021 @ 9:22am

    "Hey - why don't extract that code in transit, then make them click on our advertising link to reveal it?"

    reply to this | link to this | view in chronology ]

  • icon
    That One Guy (profile), 1 Jul 2021 @ 10:09am

    'You know what never mind, basic security is fine.'

    Do you want people to be less secure by getting them to mistrust and not want to deal with two-factor authentication? Because this is how you get people to be less secure by getting them to mistrust and not want to deal with two-factor authentication.

    reply to this | link to this | view in chronology ]

  • identicon
    Anonymous Coward, 1 Jul 2021 @ 10:59am

    ... this isn't one of the major three (AT&T, T-Mobile, and Sprin

    ... this isn't one of the major three (AT&T, T-Mobile, and Sprint)

    Wouldn't Verizon be in that group? And T-mobile and Sprint are merged, as has been mentioned numerous times here.

    reply to this | link to this | view in chronology ]

  • identicon
    Anonymous Coward, 1 Jul 2021 @ 11:24am

    Wow

    Just wow...

    reply to this | link to this | view in chronology ]

  • icon
    Nastybutler77 (profile), 1 Jul 2021 @ 2:31pm

    Chris Lacy lives in Australia, so I'd imagine he uses an Australian telco.

    reply to this | link to this | view in chronology ]

    • icon
      That Anonymous Coward (profile), 1 Jul 2021 @ 11:11pm

      Re:

      I google searched the url that was added, I found several hits not involving this story.
      It showed up one a couple websites that appear to be Chinese language sites, that offer a number you can use to get an SMS & the number is cycled every so often.

      reply to this | link to this | view in chronology ]

  • icon
    That Anonymous Coward (profile), 1 Jul 2021 @ 5:09pm

    Suddenly a bunch of light bulbs above peoples head just got a bit brighter as this event gave the real world example of things they were sure no one would ever do.

    reply to this | link to this | view in chronology ]

  • icon
    Samuel Abram (profile), 2 Jul 2021 @ 4:06pm

    All the Ken Whites…

    This is tangential, but

    I noticed there's a
    -Kenn White (as per this article)
    -Ken While (a.k.a. Popehat)
    -Ken Whyte (Canadian Library Hater)

    Yet they all seem like they wouldn't want to be in the same room together.

    reply to this | link to this | view in chronology ]


Add Your Comment

Have a Techdirt Account? Sign in now. Want one? Register here



Subscribe to the Techdirt Daily newsletter




Comment Options:

  • Use markdown. Use plain text.
  • Make this the First Word or Last Word. No thanks. (get credits or sign in to see balance)    
  • Remember name/email/url (set a cookie)

Close

Add A Reply

Have a Techdirt Account? Sign in now. Want one? Register here



Subscribe to the Techdirt Daily newsletter




Comment Options:

  • Use markdown. Use plain text.
  • Make this the First Word or Last Word. No thanks. (get credits or sign in to see balance)    
  • Remember name/email/url (set a cookie)

Follow Techdirt
Sponsored Promotion
Public Money, Public Code - Sign The Open Letter at publiccode.eu
Essential Reading
Techdirt Deals
Report this ad  |  Hide Techdirt ads
Techdirt Insider Chat
Recent Stories

This site, like most other sites on the web, uses cookies. For more information, see our privacy policy. Got it
Close

Email This

This feature is only available to registered users. Register or sign in to use it.