Google investigates why a carrier attached VPN ads to an SMS two-factor code.

One carrier decided to append an advertisement for a VPN to a Google 2FA text. It's pushy, obnoxious, and can't become the norm for other carriers.



SMS text messages are widely used by apps and websites to deliver two-factor authentication codes, and unfortunately it looks like one carrier has been tacking advertisements onto Google's 2FA texts before they reach the recipient.


The issue appears to be limited to one carrier in Australia, but regardless, it's not something that should have happened in the first place.



Earlier this week, Australian developer Chris Lacy tweeted about a curious experience while logging into a rarely used Google account. When Google texted his two-factor authentication code, the message popped up along with an ad including a link for VPN services.


Given how easily a link in that position could be used for phishing or malware distribution, and that the message exists specifically to keep an account secure, this didn't go over well.


Google’s official statement on the matter is that “These are not our ads and we are currently working with the wireless carrier to understand why this happened.” The Messages app on Android withheld the link preview and flagged the message as possible spam, which limited the damage, but the episode underlines that SMS is a less than ideal channel for two-factor codes.

Two-factor authentication (often referred to as 2FA) is one of the best protections someone can enable on any online account. When logging into a 2FA-backed account, users must enter a one-time code in addition to their password, so the password alone is not enough. The code is delivered by text message or generated by a dedicated 2FA app on the phone, so an attacker who has only the password still needs access to that phone number or device.


On June 29, developer Chris Lacy shared a screenshot of a 2FA code he received from Google.

It should go without saying, but injecting ads into 2FA codes isn't something that any carrier should be doing. 2FA codes exist to get people into their accounts and nothing more — it's not an open invitation for another company to advertise to someone.


The possibility exists because SMS has no end-to-end encryption: the carrier handles every message in plaintext and can read or alter it in transit. That doesn't make it right.


It's entirely possible this ad was a fluke and wasn't intended to be in the 2FA text, but if it wasn't, there's no telling how far these advertisements could go. If a carrier sees someone is getting a 2FA code from their insurance login, they could use that to target someone with an ad from another provider.



Furthermore, if 2FA texts with ads get marked as spam by Google Messages, that's bound to result in people not seeing their codes and having trouble getting into their accounts. Either way, it's a bad move that cannot become the norm for carriers in Australia, the U.S., or any other country.


Thankfully, there's currently no evidence that this has become an industry standard. Google is clearly against the text Lacy received, no other examples have been shared, and Google will likely do everything it can to make sure this particular carrier doesn't do this again.


Let's hope that's what actually happens, because a world in which ads are the norm in 2FA text messages is not one to be excited about.