- A developer has reported injected ads in their Google verification text message.
- The Google Messages app subsequently marked it as spam.
- Googlers have denied that the search giant injected the ad into the SMS.
Two-step verification (or two-factor authentication) is one of the best ways to protect your financial and online accounts, but SMS-based verification is definitely more insecure than using an authenticator app. We’ve seen several cases of bad actors using SMS-based verification for malicious purposes, and a mobile carrier may have exposed this solution as insecure once again.
Action Launcher developer Chris Lacy tweeted that his Google verification code SMS features an advertisement for a VPN service (spotted by 9to5Google). It wasn’t a sketchy phishing SMS either, as this was indeed a legitimate 2FA text from Google — Lacy reported that the verification code in question was successfully used.
Compounding matters was the fact that Google Messages marked the SMS as spam, ostensibly due to it detecting the offending text appended to the verification code. Googlers have also chimed in to note that the search giant didn’t inject the ad into the verification SMS, instead suggesting that the unnamed Australian carrier is to blame.
We’ve contacted Google for an official explanation and will update the article if/when the company gets back to us. This would nevertheless be a pretty notable breach of trust on the carrier’s part if confirmed, as the last thing you want is for your 2FA verification text messages to look suspicious.
The practice could also be a major inconvenience if SMS apps send a legitimate verification text to a spam folder as was the case here. This could make life tough for people who aren’t tech-savvy and might not know that they have to check the spam folder.
Have you ever seen ads in verification text messages sent by Google? Let us know via the comments section. Otherwise, there are plenty of great authenticator apps out there that we’d recommend over SMS-based authentication.