Carrier Caught Injecting 'SMS AD' Into Google Verification Code Message

An anonymous reader quotes a report from 9to5Google: SMS is widely regarded as an insecure form of two-factor authentication, and another example of this has just emerged. A carrier looks to be injecting ads into the Google verification code used to sign in to services like Gmail. Action Launcher developer Chris Lacy today tweeted how his Google verification code -- which starts with "G-" -- featured an "SMS AD." The advertisement -- for a VPN -- includes a quick message and short URL. For those that immediately suspect this is just a phishing attempt, the verification code is legitimate and was requested by Lacy to successfully verify a login attempt. Google Messages even flagged the link/message as spam. As such, Googlers responding to the thread suspect this is an occurrence of a carrier appending an ad -- note the extra spaces -- into a real text message. It's very unlikely that Google's security teams would allow advertising into a very crucial part of the login process where end user trust is paramount.

Google issued the following statement to us today: "These are not our ads and we are currently working with the wireless carrier to understand why this happened." Google confirms that the "SMS AD" did not originate from its own advertising network. Meanwhile, it's working with the wireless carrier in question to find out what occurred. Lacy has decided "not to state the carrier for privacy reasons," and Google did not share that information either.

Will Google Brush This Aside?

[Toad-san]

Some people are VERY unhappy about this:

https://www.androidauthority.c... [androidauthority.com]

https://9to5google.com/2021/06... [9to5google.com]
[quote]Google is investigating and looking into responsible (Australian) carrier. We’ve also reached out to the company for more details and to confirm that it’s not adding “SMS ADs” into the verification code process.[/quote]

Re:

[bhcompy]

People *should* be unhappy about this. It's untenable. If my carrier did that they'd be my former carrier by the end of the day

Re:

[Ol Olsoc]

People *should* be unhappy about this. It's untenable. If my carrier did that they'd be my former carrier by the end of the day

Meanwhile, If I housclean mt Browsers and relog in manually Google goes DEFCON 5 on me.

Re:

[account_deleted]

Comment removed based on user account deletion

Re:

[Ol Olsoc]

Meanwhile, If I housclean mt Browsers and relog in manually Google goes DEFCON 5 on me.

The lowest level of defense preparedness?

Well, they haven't launched the nuc tipped missiles yet, so yeah.

Re:

[EvilSS]

Meanwhile, If I housclean mt Browsers and relog in manually Google goes DEFCON 5 on me.

The lowest level of defense preparedness?

Well, they haven't launched the nuc tipped missiles yet, so yeah.

Why would Google have missiles tipped with Intel NUCs?

Re:

[Ol Olsoc]

Why would Google have missiles tipped with Intel NUCs?

I think the world is running out of acronyms and initialisms, amirite?

Re:

[the_B0fh]

Defcon goes from 1-4. So, 5 would be so unprepared that... I don't know, I can't even top that. Or bottom that...

Re:

[mjwx]

People *should* be unhappy about this. It's untenable. If my carrier did that they'd be my former carrier by the end of the day

The problem is, there are very few carriers to actually choose from. In Australia and here in the UK even though there are a few MVNOs (Mobile Virtual Network Operators) there are only 3 or 4 networks (Telstra, Optus, Vodafone in Oz, EE, O2, Vodafone and Three). So ultimately you're limited in choice. However at least all networks are interoperable, I can take my existing phone on EE and port it to any other network, in the US you're even more limited as phones are locked to a single carrier, by differing t

Re:

[Jadecristal]

In the US, I’d think that this could reasonably be argued as both “wiretapping” and fraudulently altering message traffic by a common carrier.

One hopes AU has similar laws that allow for a prompt, very hard, slap-across-the-face to the company, preferably with a fine large enough pour encourager les autres.

Re:

[Mattcelt]

Why, in 2021, are we even thinking about, let alone using, SMS?

FTFY.

Because it's free (to the carrier), ubiquitous, and no company has yet managed to monopolise the next-gen alternative.

(Oh, and it's unencrypted, so governments love SMS and heavily encourage its continued use.)

Re:

[Cederic]

Not only ubiquitous but also doesn't require me to install a data slurping app on my phone, and I can't be banned for daring to disagree with the political cause du jour.

Re:

[Mattcelt]

Also true!

Re: Will Google Brush This Aside?

[dhrabarchuk]

Google is only upset because they didn't think of it.

Re:

[barc0001]

??? What does Google have to do with this other than it was their message that happened to be injected by the carrier? Are you suggesting they buy the Australian wireless service and fire everyone who had anything to do with this as an object lesson to others? Because that's about all they could do.

Re:

[ChunderDownunder]

No, they can contact the watchdog.

https://www.tio.com.au/making-... [tio.com.au]

Re:

[Rosco P. Coltrane]

Funny how people get their pants in a knot over SMS ads from cellphone carriers, yet let Google put them under constant hyper-intrusive surveillance and bombard them with ads on the net. The latter is just as intolerable as the former to me, and should be illegal also.

Miffed

[Lab Rat Jason]

Google is just miffed that they didn't think of this first.

Re:

[timeOday]

Google inserting an ad into their own message would be different anyways, since they are the sender. A middleman interjecting between sender and receiver is different. Websites' adoption of SSL was hastened by the desire to keep ISP's out of the content modification racket, but SMS has no such protections.

Re:

[TigerPlish]

Google is just miffed that they didn't think of this first.

They can't. SMS is a carrier thing, not a "provider" thing.

I mean, technically yes, Google *could* spam your number, but point is the carrier also can and Google can't do a damn thing about it. (Or isn't legally able to - I dunno, I"m not a lawyer and this is deep waters)

I have to say, carrier-based SMS ads is as underhanded as it gets. You imagine if back in the day, the hold music was ads instead of lo-fi renditions of long-dead music? This is the same thing.

Stop it with the ads already. They were an

Re:

[klossner]

Imagine if back in the day, the hold music was ads instead of lo-fi renditions of long-dead music?

That's not my imagination. [americancreative.com]

Re:

[TigerPlish]

That's not my imagination.

Oh hell no.

And then there's the security implications everyone's mentioning.

On hold ads? Really? I tried to think up the most obnoxious thing, and something that bad exists.

Anyone who uses that on me will lose me as a customer, just like I shun any gas station with ad-spewing pumps. I never go back.

Re:Miffed

[Opportunist]

Yeah, that's a great idea. C'mon, marketing 101 tells you that you MUST NOT do that.

Advertising is supposed to make the customer attach happy thoughts to the product. It wants to elicit associations with good times, makes you think of the nice things in life and wants you to associate them with the product.

Do you really want to talk about your product at a time when the person is on hold with tech support, already pissed that something isn't working and getting more and more pissed by the minute because they've been on hold for half an hour, only to hear your ad over and over which makes them more and more pissed, now not only at the company they're calling but also on you and your product?

WHICH CARRIER?

[goombah99]

Sure they all could but which one actually did it?

Re:

[Arnonyrnous Covvard]

The person who tweeted it explicitly did not want to name the carrier (for privacy reasons). The ad was for German antivirus and VPN provider Avira. I would expect only the shadiest of companies to advertise like this.

Re:

[Impy the Impiuos Imp]

They would want to confirm it was the carrier and not a rogue employee. You couldn't even assume the advertised firm was directly involved as some have reward programs for directing their advertising out.

Re:

[fermion]

Which carrier did it is actually significant as the user might be using an ad supported service and is just upset that the message was marked as spam, so perhaps it was not immediately available.

In any case this is not a general security failure of SMS. If your carrier is not trustworthy, there simply is no security. Unless this was injected by a party that was not Google, and I think they have to prove they are not the culprit, and not the carrier, it is a non issue.

Name and shame!!!

[LeonPierre]

n/t

Years since NIST said not to use SMS

[kevmeister]

I think it's been at least a decade since NIST (National Institute of Standards and Technology) issued an 800 series recommendation that SMS should not be used for two-factor authentication. This seems to never be mentioned as this technique has become standard practice. Google has at east two far stronger methods of 2FA using a smart phone that provide real security. I'm surprised that they still allow SMS to be used!

Re:

[DavidRawling]

I dunno, I get push notifications despite not really caring too much about my Google SpamMeWithAds account (I probably should care more than I do). I never signed up for MFA it was just enabled on me. Can't see a way to switch it across to my preferred method either, it was an attempted signin that said something like, "Look for the authentication message on your Android phone". Glad I wasn't without it (given again, I didn't request the change).

Re:

[DavidRawling]

OK turns out you can't disable that mode. Nor can you remove devices unless you actually have them to sign out on the device itself (tough luck if you wiped that device). And "Note: If you sign in to your Google Account on any eligible phone, Google prompt will be added as another method for 2-Step Verification." So - yeah. Forced on with a method I don't want - typical for Gurgle.

Re:

[Coren22]

You can remove Android/Chromebook devices from your Google account here:

https://myaccount.google.com/d... [google.com]

Re:

[theshowmecanuck]

Is there no way SMS could be made secure?

Re:

[Opportunist]

I don't see how.

There is no verification process in the protocol that would allow either side to verify the other. There is also no way of avoiding manipulation. Also, no cell phone would be ready to use it, which in turn means adaption would be slow, if existent, because most people wouldn't even know that it's an issue and only complain that suddenly their online banking or whatever doesn't work because the bank is acting up.

Just dump the shit and replace with something more sensible. It's not like contem

Re:Years since NIST said not to use SMS

[Ed Tice]

SMS is a 2FA that people will actually use. And it works fine for low-value targets. It prevents large-scale financial fraud. The lock on our community pool can be defeated but it's still a reasonable layer of protection. World leaders, super-rich people, and others will need better. But for us ordinary people, it's an easy and convenient way to increase security which explains the high adoption.

Re:

[AmiMoJo]

This might not be 2FA, they send these messages to verify account recovery phone numbers as well. To add an account recovery phone number you have to be already logged in to the account.

Personally I didn't use a recovery phone number because of the risk of SIM hijacking.

Use the app

[rgmoore]

This is one more reason for preferring to use something like the Google Authenticator app rather than SMS for 2FA. SMS is not remotely secure, so it's not a good choice for 2FA. At least use an encrypted communication channel!

I thoguht the carriers got

[oldgraybeard]

liability protection because they just transmitted the packets. Now they are cracking them open, injecting crap so that means they are peeking in to each packet and now are liable for what they contain.

Re:I thoguht the carriers got

[klossner]

This carrier is in Australia. US liability laws don't apply.

Re:

[bradley13]

Wherever they are, I would be surprised if tampering with the content of other people's messages is legal. That said, TFA seems very uncertain that this wasn't an ad by Google themselves.

Re:

[mjwx]

This carrier is in Australia. US liability laws don't apply.

Australia's will be a lot more stringent than the US's and you cant waive them by agreeing to a contract in Australia either (law trumps contract, any time).

The ACCC will have the telco for breakfast as privacy and advertising are two areas where they actually have teeth.

Hmm...

[fahrbot-bot]

I'd like to see someone argue that this form of tampering is basically commenting/moderating content on the part of the ISP and should lead to a loss of their Section 230 (and/or similar) protections ...

Re:

[Anonymous Coward]

FYI, it's an Australian carrier. They're not subject to American communications laws.

Re:

[ChunderDownunder]

We have our own.

the Telecommunications Industry Ombudsman oversees dodgy telcos and ISPs.

Re:

[Anonymous Coward]

Who oversees dodgy Ombudsmen?

Re:

[Mattcelt]

Who oversees dodgy Ombudsmen?

Dodgy Parliamentarians, of course.

Re:

[suutar]

You missed it by 3 minutes - see the comment by oldgraybeard

Re:

[SandorZoo]

Or maybe the carrier should be prosecuted for copyright infingment. The took someone's message, produced a derivative work, and distributed it for profit.

Can't malware do this on the receiving phone?

[Fly Swatter]

I understand why they don't want to name names yet since the phone really can't be trusted either...

What a silly world phones have become.

"privacy"

[Joe Decker]

I am quite confused, about what meaningful use of the word "privacy" is involved when the subject is a large wireless carrier.

The advertising is not the issue.

[Goatbot]

They apparently are manipulating the SMS data which implies they are reading it and capturing 2FA, passwords etc. I would think it's a MVNO that figured it would be a great investment to harvest data.

textnow is doing this with 2FA also

[NynexNinja]

textnow, an SMS messaging app, is taking 2FA incoming text messages from providers (i.e. cashapp) and changing the output message to force the user to pay for a monthly subscription before the user can be able to retrieve the sms message... so it looks like alot of these SMS providers are using 2FA incoming messages as a way to make money

Re:

[Kejiro]

That sounds more like it's the app itself though, so it's a simple solution. Don't use it.

Always assume that third-party messaging and phone apps can (and probably do) use the data in order to make money.
You suspect someone reading your sms or listening to your calls? They most certainly could.

Sometimes I miss the good old days where the only ones you had to trust were the government/carriers, but now any app you install could theoretically access the calls/sms, and in particular voice/messaging apps since

Say their name

[mauriceh]

Allowing the criminals to ide behand a wall of secrecy casts shadows of "Home much ill you pay us to make this go away?"

Sounds like Bill Cosby conviction turnover..

An the winner is...

[SJ]

Telstra.

Not sure why the article didn't want to name them, but it was Telstra. The largest of the telcos in Australia.

Re:

[EvilSS]

When the person who first tweeted about it found out it wasn't google but their carrier, they clammed up to protect their privacy.

SMS is not two-factor

[JoePete]

SMS has never been two-factor authentication. It may be a component of two-step authentication, but all it proves is that you have access to a phone number that you already provided someone. Now, if Google handed you the phone in some secure manner and there was no way of intercepting an SMS message or forwarding it somewhere, then yes, it could function like a token and qualify as possession-based authentication to complement the knowledge-based factor used when you enter a password. But otherwise, it is n