by krastanov 1995 days ago
But text messages and phone numbers are not a secure medium. I am on the fence whether SMS-based OTP is actually a net positive for security. Probably helps with senior people not accustomed to using passwords, but it definitely lowers my security (I have a hardware token and generally try to disable SMS OTP).

Not sure where you are from but getting a SIM (mobile connection) or even getting your own SIM/number re-issued is not as simple as that is in many (western) countries.

Transfers/switches/porting always have a decent cool-off period. So while I am not saying it's as safe as it gets, I was just wondering whether you were assuming it's the same way in many other countries.

PS. Credit cards just can't work just based on credit card number, CVV, and expiry MMYYYY here either. You have got to have that SMS OTP auth and in many cases a password as well. Also, at POS (shops, restos etc) you must enter your PIN, it's not optional. (Now up to ₹2000 some cards let you just swipe/tap w/o a PIN, but it's an opt-in feature)

Noted!

One issue still left: SMS are "relatively" easy to eavesdrop.

I am in the US. SIM reissuing scams are not uncommon and my own number was reassigned for half a week due to a technical glitch. During that time I had multiple conversations with customer support staff and it was ridiculous how many changes I could request without any verification or authentication.

The aim is to reduce the possibilities of getting robbed. Targeted attacks like sniffing SMSs of a user require significantly more effort than just stealing their card.