[martin_a]

But this comes down to bad security practices at the telco, doesn't it?

I don't know about other countries, but you can't even buy/activate SIM cards in Germany without "proper" identification through VideoIdent or another system where your passport is checked against. At least that's what I remember.

I'm not sure any type of "I've lost my SIM, please use this one" would work on German carriers without proper ID.

Moving numbers als requires some kind of paperwork, it's not that easy after all.

So... Is this a telco problem or a SMS problem?

[hackerman123469]

Sort of yeah, it wouldn't be possible with my carrier for example as they would just tell you "login online and swap it" because things like switching sim etc. is just something you do there and not something you call them about. And to login to the website you must use the national 2factor authentication.

So essentially they would have to breach the national 2factor authentication system first here.

And there is absolutely no way that you could "social engineer" the guy on the other end of the phone who works for the telecompany as there is no way you shouldn't be able to use their online tools.