by snurk 2893 days ago
> ...thieves can intercept that one-time code by tricking your mobile provider into either swapping your mobile device’s SIM card or “porting” your mobile number to a different device.

Are these theoretical attacks? Has this ever actually happened?

The article only correlates the end of phishing with introduction of the physical keys. I'm wondering if it's really necessary - if typical 2FA via one-time pw to SMS is easily sufficient.

3 comments

>> ...thieves can intercept that one-time code by tricking your mobile provider into either swapping your mobile device’s SIM card or “porting” your mobile number to a different device.

> Has this ever actually happened?

Yes. For example: https://krebsonsecurity.com/2018/05/t-mobile-employee-made-u...

It's possible if you're targeted for some reason. IMO it's very unlikely if you're Joe Random logging in to your bank's website, and better than not having any 2nd factor at all.

Yes, I can't find the articles now, but there are reports of phishers using this technique to get around 2FA over SMS.
They got around 2FA over SMS because a number of services like GMail offered password reset via SMS as well as 2FA over SMS.

It was the password reset process that was the most vulnerable, and strangely the part that kept getting glossed over when people reported on the takeover incidents.
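As an added example (not part of any comment in this thread), a small Python model of the point above: when the same phone number both receives the 2FA code and authorizes a password reset, controlling that number alone is enough to log in. The two policies and the factor names are constructed for illustration, not taken from any real service.

```python
"""Which single factor, if compromised, yields full account access?

A factor is a string ("password", "sms_otp", "fido_key", ...). A login path is
a set of factors that together grant access. A recovery path grants a NEW
factor (e.g. a fresh password) to whoever holds its inputs. That second kind
of path is what makes SMS-based password reset dangerous.
"""

# Constructed example policies (hypothetical, not any real service's).
SMS_EVERYWHERE = {
    "login": [{"password", "sms_otp"}],          # 2FA code delivered by SMS
    "recovery": {"password": [{"sms_otp"}]},     # password reset also via SMS
}
HARDWARE_KEY = {
    "login": [{"password", "fido_key"}],         # second factor is a physical key
    "recovery": {"password": [{"email_link"}]},  # reset needs the mailbox instead
}


def closure(held, policy):
    """All factors reachable from `held` by repeatedly following recovery paths."""
    held = set(held)
    changed = True
    while changed:
        changed = False
        for granted, paths in policy["recovery"].items():
            if granted not in held and any(p <= held for p in paths):
                held.add(granted)   # e.g. a reset via SMS yields the password
                changed = True
    return held


def can_login(held, policy):
    """True if the factors reachable from `held` satisfy some login path."""
    reach = closure(held, policy)
    return any(path <= reach for path in policy["login"])


def all_factors(policy):
    factors = set().union(*policy["login"])
    for granted, paths in policy["recovery"].items():
        factors.add(granted)
        factors |= set().union(*paths)
    return factors


def single_points_of_takeover(policy):
    """Factors whose compromise ALONE is enough to log in (sorted)."""
    return sorted(f for f in all_factors(policy) if can_login({f}, policy))
```

Running `single_points_of_takeover(SMS_EVERYWHERE)` reports the SMS channel as a single point of takeover, while the hardware-key policy reports none, which is the asymmetry the comment describes.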