From the article:
> For many years, people in the industry have invariably said something like: "Well... offering SMS-based authentication is better overall for customer security, because of its convenience (despite its shortcomings) vs other methods" (such as the far-more secure use of email for verification). To that I say: "who are YOU to deprive your customers of security?"
and
> Much of the ire relating to SIM-swap attacks has, understandably, been directed at carriers. Indeed, carriers do a terrible job of securing customers’ phone numbers, and may be liable for that shortcoming. But here’s the thing: carriers’ security has always been bad, it has even been legislated into being bad, and other companies have still chosen to build mission-critical systems on top of that weak link.
and
> Despite offering poor security, SMS offers a nearly frictionless way to sign up new customers (think of Uber's onboarding) and handle password resets, and companies felt they had to match competitors' adoption of this technique.
This last bit was unfortunately overwritten in a Wordpress post update, and I added it back.
There is a straightforward way to take over your phone number (call your carrier and use social engineering). There is nothing you, the customer, can do to lock that down. (I've tried with my carrier.)
With email, you can lock that down with robust 2FA (Google Authenticator/Authy/etc) and crooks have no straightforward way of defeating that.
This is how it plays out year after year and why SIM-swap gangs are so prevalent.