[walrus01]

the thing about 'adding a phone number' is that hijacking somebody's DID is fairly trivial these days for a good social engineer, you get the customer service department at somebody's cellular carrier to port out the number, or activate it on a new SIM card put into a burner.

the SS7/PSTN is horribly broken.

SMS based "2FA" is not actual 2FA

[0daystock]

I think "trivial" is generous. For context, the current market rates for a SIM swap ranges from several thousand USD (T-Mobile) to well over fifty thousand USD (Verizon). It is not really something most people should lose sleep over, in my opinion.

[walrus01]

I classify it as trivial compared to the effort in breaking some real 2FA or otherwise hijacking the start of authority for somebody's online identity/ability to reset their passwords and gain access to an account, like getting possession of a personal domain name to change the authoritative nameservers, set a new MX and receive incoming password-reset emails.

Working in the telecom industry I've seen the pressures that first tier phone service reps are under and how they can be socially engineered, if someone is in possession of enough pieces of a person's identity already, to issue a new SIM or port out a number.

[MerelyMortal]

That seems absurdly high for a SIM Swap. Source?

[0daystock]

Source: Darknet Diaries, EP 112: Dirty Coms