Carrier suspected of injecting ads into two-factor SMS messages
An unidentified carrier in Australia is suspected of injecting advertisements into two-factor SMS messages, according to Chris Lacy, the developer of Action Launcher. The text shows a Google sign-in verification code in the Google Messages app, which funnily enough, even flagged the text as spam.
I just received a two factor authentication SMS from Google that included an ad. Google’s own Messages SMS app flagged it as spam.
This is possible because SMS messages are unencrypted, and therefore, your carrier can read all of them. Injecting advertisements into 2FA texts ensures that the end-user will actually see the advertisement, as it’s assumed they’ll need to use the code to access whatever service they are trying to log in to. While it’s absolutely a scummy move, it’s made possible because of how poorly protected SMS is. A number of employees from Google have chimed in to say that this is definitely not done by Google and that it’s likely the work of whatever carrier Chris Lacy is using. Mark Risher, Director of Product Management on Identity and User Security at Google, took to Twitter to say that “these are not Google ads and we do not condone this practice.” Furthermore, he says that Google is “working with the wireless carrier to understand why this happened and ensure it doesn’t happen again.”
To close the loop, these are not Google ads and we do not condone this practice. We are working with the wireless carrier to understand why this happened and ensure it doesn’t happen again.
