Thursday, July 1, 2021

Why Carriers Using Google's 2FA SMS Messages To Show Ads Is A Problem

SMS text messages are often used by apps/websites to send two-factor authentication codes, and unfortunately, it looks like one carrier is hijacking Google 2FA texts to force advertisements on people. The issue appears to be limited to one carrier in Australia, but regardless, it's not something that should have happened in the first place.

Two-factor authentication (often referred to as 2FA) is one of the best features someone can use for any online account. When logging into a 2FA-backed account, users are sent a random code that has to be entered before they gain access — even if they have the correct password. This code is only retrievable via a text message or dedicated 2FA app, so unless someone has the phone with that text or app, the account is inaccessible.


Unfortunately, one pesky carrier is abusing these 2FA texts to force ads on users. On June 29, developer Chris Lacy shared a screenshot of a 2FA code he received from Google. Following the code, the text showed "SMS AD: Keep the hackers at bay, get a VPN today" — followed by a URL to the VPN being advertised. Lacy notes that the Google Messages app flagged the text as spam even though it came from a legit Google 2FA number, resulting in a confusing situation all around. A Google employee later responded to this situation, saying, "These are not Google ads and we do not condone this practice. We are working with the wireless carrier to understand why this happened and ensure it doesn't happen again."

It should go without saying, but injecting ads into 2FA codes isn't something that any carrier should be doing. 2FA codes exist to get people into their accounts and nothing more; they are not an open invitation for another company to advertise to someone. The possibility is technically there because SMS text messages are unencrypted and can be read by carriers, but that doesn't make it right.

It's entirely possible this ad was a fluke and wasn't intended to be in the 2FA text, but if it was intentional, there's no telling how far these advertisements could go. If a carrier sees someone is getting a 2FA code from their insurance login, they could use that to target someone with an ad from another provider. Furthermore, if 2FA texts with ads get marked as spam by Google Messages, that's bound to result in people not seeing their codes and having trouble getting into their accounts. In every situation, it's a bad move that cannot become the norm for carriers in Australia, the U.S., or any other country.

Thankfully, there's currently no evidence that this has become an industry standard. Google is clearly against the text Lacy received, no other examples have been shared, and Google will likely do everything it can to make sure this particular carrier doesn't do this again. Let's hope that's what actually happens, because a world in which ads are the norm in 2FA text messages is not one to be excited about.


Source: Chris Lacy, Mark Risher



https://ift.tt/3jrA9Bu