SMS is widely regarded as an insecure form of two-factor authentication, and another example of this has just emerged. A carrier looks to be injecting ads into the Google verification code used to sign in to services like Gmail.
Update 6/29: Google issued the following statement to us today:
“These are not our ads and we are currently working with the wireless carrier to understand why this happened.”
Google confirms that the “SMS AD” did not originate from its own advertising network. Meanwhile, it’s working with the wireless carrier in question to find out what occurred. Lacy has decided “not to state the carrier for privacy reasons,” and Google did not share that information either.
Original 6/28: Action Launcher developer Chris Lacy today tweeted how his Google verification code — which starts with “G-” — featured an “SMS AD.” The advertisement — for a VPN — includes a quick message and short URL.
For those that immediately suspect this is just a phishing attempt, the verification code is legitimate and was requested by Lacy to successfully verify a login attempt. Google Messages even flagged the link/message as spam.
As such, Googlers responding to the thread suspect this is an occurrence of a carrier appending an ad — note the extra spaces — into a real text message. It’s very unlikely that Google’s security teams would allow advertising into a very crucial part of the login process where end user trust is paramount.
Given the ad’s relevance to the subject of the message, some sort of targeting could be occurring, which makes this all the more suspicious. In brief testing this evening, we could not replicate the SMS ad, while there are no local reports of this occurring to other users. In some countries, like the US, Google makes use of “Verified SMS” in the Messages app to authenticate the “identity of the business that sent a message.”
Google is investigating and looking into responsible (Australian) carrier. We’ve also reached out to the company for more details and to confirm that it’s not adding “SMS ADs” into the verification code process.
On the 2-Step Verification front, Google just announced today that it’s requiring Play Store developers to enable 2SV on their accounts this year. It’s also moving users away from text messages as an account authentication method. The preferred alternative is a physical or phone security key, while the Google Prompt method is also considered safer.
Author: Abner Li
Source: 9TO5Google