First of all, yes, this news is about SMS messages, and no, you have not suddenly traveled back in time to 2005 (I wish; who wouldn't want to take 16 years off at a stroke). We are still in 2021 and, although SMS has long ceased to be a common communication tool between people, it still has a considerable presence in communications between companies or other entities and their users. From the Post Office confirming a shipment to the Tax Agency confirming a return, these messages are more present than we usually think.
A clear example of this, even though security experts have been advising against it for some time, is the use of SMS messages as the second step of multi-factor authentication (2FA or MFA): you know, that message you receive when you try to access your Google account with your username and password, and it asks you to enter the code that will be sent to your mobile. The experts, as I said, advise against this channel, but even so SMS is still very widely used for authentication.
This brings us to a tweet published a few hours ago by Chris Lacy, in which he shows a screenshot of an SMS received on his phone, and which has generated a lot of discussion.
I just received a two factor authentication SMS from Google that included an ad. Google’s own Messages SMS app flagged it as spam.
What a shameful money grab. pic.twitter.com/NeStIndR6q
– Chris Lacy (@chrismlacy) June 29, 2021
The image shows precisely what I mentioned before: a code sent by Google via SMS so Lacy could access an old Gmail account. The first part of the message is what one would expect to receive, but below it we can see an advertisement, specifically for a VPN service, which has somehow been included in the SMS with the authentication code.
At first, Lacy thought that this advertisement was the work of Google, but it did not take long for him to receive several responses from company employees denying it and asking him about his operator, on which suspicion falls. And indeed, operators could, if they wished, insert elements into SMS messages, as well as read them. Remember that short messages date from more naive times, when security and privacy were hardly taken into account.
However, the fact that the system does not offer the security standards that would be required today does not mean that it is appropriate to abuse it, and even less so when it is an operator that is presumably taking advantage of this weakness. I say presumably because it is important to clarify that there is no certainty about whether it was really the operator that did it.
For now, it occurs to me that Lacy may have some malware on his smartphone that was responsible for this manipulation, or that the service Google has contracted to send its SMS messages is really responsible for this unwanted advertising, in a place where it should never appear.
This incident is one more reminder of the insecurity of SMS, since it shows that messages can be intercepted and manipulated in transit. At least in principle, this case seems, bad as it is, not to be the worst, but if other parties have access to the messages in which we receive a security key, a tracking code, etc., maybe now really is the time to say goodbye to SMS messages for these purposes as well.