How about the login service send the code encrypted in the SMS such that it can only be decrypted on the phone of the actual user? Still vulnerable to phishing attempts, but better than relying on deficiencies of SMS technology .