Would there be any security downside to text-message "verification codes" saying what they’re for?

Çağlar Arlı

When I log into some web services, I need to send back a verification code contained in a text message that starts out with something to the effect of "You or someone claiming to be you is trying to do X on service Y. If you are trying to do X on service Y, the verification code is Z. If you realize you may have fraudulently given this code to any person or web site, visit security.Y.com immediately."

With a different popular on-line service (which I'll call "Acme"), however, the text message is simply "Your Acme verification code is A-123456", but some phones will augment that with a phone-generated message saying "This is an authentic Acme security alert".

Is there any security downside to using text messages that are more like the former than the latter? The latter approach is ripe for a variety of social engineering attacks where someone dealing with a scammer or phony web site is told to expect a security code from them, but the scammer is actually seeking to gain access to the person's Acme account. If there would be no security downside to the former approach, why would any large companies not use it?