by kevin_b_er 2879 days ago
Because the telephone companies are terrible about security and often highly disorganized internally. They are beyond stupidly susceptible to Social Engineering and any "passcodes" against giving away access do not stand in the face of stupid customers and the need for customer service to satisfy them.

Your number can easily be stolen or redirected to get and sometimes send SMS from/to your number. Your cell phone account is the linchpin for a very extensive identity theft attack.

1 comments

In their defense, being able to successfully identify that a customer is who they say they are is a difficult problem that is only compounded when you might only speak to a customer as infrequently as every few years. 2F devices and codes can be lost. Passwords and PINs can be forgotten. Answers to security questions can change. Have you ever tried to access your own account with a company like this without this data? There are few things more frustrating than being locked out of your account because you can't recall what you said your favorite movie was in 2012. Throw in the low odds of actually being targeted in a social engineering attack and companies optimize for customer satisfaction and convenience over security.

Blaming companies for responding to those incentives isn't going to accomplish anything. The way to fix things is to change the incentives by either increasing the punishment for falling for social engineering or creating a system that makes it easier to remotely identify people.