Comment by judge2020
5 years ago
> You can't even trust phone companies to do their job right and ensure the secure verification code is sent to the right phone! You provided some more secure ways for users to authenticate themselves,
For those that don't know, phone companies are easily susceptible to sim-swapping attacks which can make it easy for an attacker to intercept SMS 2fa: https://news.ycombinator.com/item?id=22016212
Edit: looks like OP changed their entire comment while I was replying.
You can totally trust phone companies to "do their job right". You need to understand what their job is though.
The Telcos never signed up to being a "secure verification code provider". Almost a decade ago, the local Telco industry group told us all:
"SMS is not designed to be a secure communications channel and should not be used by banks for electronic funds transfer authentication,"
https://www.itnews.com.au/news/telcos-declare-sms-unsafe-for...
Any company that uses SMS for 2FA is offloading risk and security to an industry that never expected it, and explicitly seeks to not provide it.
A Telco _desperately_ wants to be able to get you back up and running (making calls and spending money) on a new phone using your existing number before you walk out of the shop. And even more, they want to be able to transfer you across as a customer from a competitor - and have your existing number work on their network.
"Sim Swapping" is a valuable feature for Telcos. They have significant negative incentives to make it difficult. They don't want to secure your PayPal account, and nobody (least of all PayPal) should expect them to do a good job of it, certainly not for free...
Yeah sorry, I thought the original version was overly flowery, and the same point could be made more succintly.