Hijack Threat! Ads Appear In Google Account Two-Step Verification SMS
JAKARTA - Chris Lacy, the businessman who runs Australian mobile app development company Action Launcher, Tuesday 29 June tweeted a screenshot showing Google's two-step verification tucked in with a text ad. This is horrendous, considering that this service shouldn't exist.
Google finally reacted by stating they had no role in the insertion of the ad. Google will investigate how text ads could be injected into SMS messages containing a two-step verification security code or two-factor authentication code.
The code that appears in the two-step verification is something very confidential. This code should only be known by the user and Google. If there are other parties who know the code, even insert advertisements, it would be a question mark, is security guaranteed?
I just received a two factor authentication SMS from Google that included an ad. Google's own Messages SMS app flagged it as spam.What a shameful money grab. pic.twitter.com/NeStIndR6q
— Chris Lacy (@chrismlacy) June 29, 2021
"It's not a Google ad, and we don't condone this practice," reads a tweet from Mark Risher, senior director of product management for Google's identity and security platform. "We are working with mobile carriers to understand why this happened and make sure it doesn't happen again."
Lacy, herself did not respond to a request for comment on her post. He also did not name the wireless carriers involved.
The netizen who asked not to be named also reported to the Information Security Media Group, stating that he also received the same message on June 25 while logging into his Google account.
He also provided screenshots and said he had a postpaid contract with Australian wireless operator Optus, a Singaporean subsidiary of Singtel. This person said that the link in the ad was redirected to antivirus vendor Avira, which sells VPN services.
To close the loop, these are not Google ads and we do not condone this practice. We are working with the wireless carrier to understand why this happened and ensure it doesn't happen again. Glad Google Messages flagged it as unsafe https://t.co/MqSZgh1uUK
— mark risher (@mrisher) June 29, 2021
An Optus spokesperson said the company "did not inject the message and was not aware of the situation but is now investigating further into this incident."
Meanwhile, an Avira spokesperson said the ads were placed by third-party advertising partners without their knowledge. Avira and advertising partners have now "ceaseed all activity with the company that posted the ad, in clear violation of the terms and conditions of the contract." Avira himself declined to name the company or its advertising partners.
"Avira supports all efforts to protect people in a connected world, including leveraging two-factor authentication where possible," said a company spokesman. "We thank the people who brought the ad to our attention."
Two of Australia's other major carriers, Vodafone and Telstra, said they did not inject ads into text messages.
Lacy also wrote that she received a two-step verification code via SMS after logging into her old Google email account. He wrote that he had not switched the account to get the two-step code through the authenticator app.
His tweet immediately sparked Google's concern. Adrienne Porter Felt, an engineering manager for Google Chrome, asked if the two-step code worked. Lacy replied that it was true.
There's a good reason why ads added to security messages are considered problematic. Lacy noted that Google's anti-SMS spam feature caught the message.
Lacy wrote in a subsequent tweet that the practice of ad injection "erodes trust in 2FA and makes 2FA messages less likely to be delivered. This is truly a disgrace."
Chris Boyd, malware intelligence analyst at Malwarebytes, writes that the way the ads are displayed raises questions about customer consent, what ad networks are involved, and what data is shared or viewed by others. It is difficult for users to determine whether the link is malicious.
"Worst case scenario, ads could lead to malicious pages or phishing sites," Boyd wrote in a blog post. "There's not much of a way to damage the reputation of using SMS codes as an added layer of security."
Mixing commercial propositions with security warnings or even just normal browsing traffic is not considered good so far.
Three years ago, a group of researchers discovered that Facebook uses phone numbers provided by users for the purpose of receiving two-step verification codes for advertising purposes. Facebook has finally allowed users to use two-step verification without having to provide their phone number.
Aside from ads, there's a strong security case for redirecting any two-step code that comes via SMS to an authenticator app.
SMS messages are unencrypted so far, and operators have full access to the content and can modify the content. But receiving a two-step verification code via SMS is better than not activating it, as it can stop account takeovers. However, receiving codes via SMS is now starting to pose a risk.
Attackers can take over the victim's phone number to receive their two-step code in a scheme known as SIM swapping or hijacking.
In these attacks, fraudsters pretend to be the official holder of the number, often by defrauding a customer service representative at the mobile operator, and then transferring the number to a different SIM card.