SMS authentication code includes ad: a very bad idea

SMS authentication codes are back in the news, and the word I’d use to summarise their reappearance is “embattled.”

I can still remember a time where two-factor authentication (2FA), authentication grids, regional lockouts, Yubikeys, and offline authentication apps simply did not exist. And if they did, people out there sitting next to you, or on the bus, or in your office, typically did not use them. If you were phished, that was it. Your account was gone unless a non-convoluted recovery process was available.

Then, two-factor authentication slowly became a thing. The uptake still isn’t great, but it’s an improvement. If you’re phished now, it (probably) won’t hurt you because the attacker also needs your authentication code. If they don’t have the code, they’ll sit and stare forlornly at your password then give up.

You’re going to ask me about the “probably” bit now, aren’t you.

Which flavor of two-factor do you prefer?

There are caveats to two-factor, and it largely depends which kind of two-factor we’re talking about.

Most people I know, and a majority of people I encounter online, use 1 of the following types:

  • SMS codes. These are sent to your mobile, via your carrier. The code is punched into the website after you enter a password, and that combined with the code lets you log in. Codes typically expire after a short period of time to ensure lots of valuable codes aren’t left lying around all over the place.
  • Authenticator apps. These are apps which generate codes between short intervals, and they work offline. Do you find yourself in a location where you have no carrier signal? It doesn’t matter with an authenticator app. I’ve known people who changed complex passwords to very basic ones they could remember when going overseas so they could still use their accounts. This isn’t great, and a common workaround in the days before apps became widely available.

Of the two, apps are recommended as the more secure approach.

What’s the problem with SMS?

You’ve had your account password stolen. You’re still safe. They can’t get in without the SMS code. You’re still safe. The attacker’s decided to contact your network provider. You’re still…wait, what? They’re on the phone to customer support, pretending to be you. You’re…possibly in a bit of trouble here. They claim to have lost your phone, and could the network please redirect authentication codes to a “replacement” device.

You’re basically doomed, sorry.

An Authenticator victory is (mostly) assured

With authenticators, there’s nobody outside of your control at the phone company being phished. This stacks the odds heavily in your favour. However, I don’t want to give you the wrong impression. Nothing is 100 precent bulletproof. Apps can occasionally fall foul to the most inventive of schemes.

Of the two, using an authenticator is still the best way to do things. So, then.


Of SMS codes and carrier ads

A developer Tweeted that they encountered a bizarre situation with a Google SMS code. Namely: the Google verification code came with an advert for a VPN service bolted on. You could even “tap to load preview”.

The initial thought was “Why is Google placing ads on these codes”? That was quickly cleared up, however. Google wasn’t responsible for this. The network carrier was to blame.

Introducing doubt into security practices

Consider that we’re talking about codes designed to make your security stronger, with whatever privacy friendly enhancements such a thing may bring. The aim of the game is retreating to your hidey-hole and watching the attacks pass by harmlessly.

The aim of the game is not to have adverts bolted on to security code texts, from carriers able to read everything. Depending on ad tech used, it’s entirely possible to make the ads “relevant” or targeted to the content of the SMS. Of all the things the ad could’ve been about, it’s interesting that it happens to be about VPNs and staying safe from hackers.

This also opens up discussions on consent, who the ad network is, what’s happening to your data/messages, and what kind of say you have in the matter. Worst case scenario, the ad leads to a rogue page or phishing site. There can’t be many more ways to damage the reputation of using SMS codes as an added layer of security.

Keep using codes, but consider migrating to apps

Bottom line: this is a bad idea, will certainly put people off an already beleaguered security measure, and shouldn’t be happening.

Authenticator apps are available on pretty much all mobile platforms at this point, and there’s never been a better moment to consider making the switch. This is not a great thing to see happening, but hopefully Google casting an “Oh dear, what are you up to” eye over the carrier will deter others from replicating. Should you happen to see ads bolted on to your SMS codes, consider politely reaching out to some of the many Google security folks on twitter.

We don’t need to see any more adverts attached to authentication codes.

*** This is a Security Bloggers Network syndicated blog from Malwarebytes Labs authored by Christopher Boyd. Read the original post at: