by aiisahik 867 days ago
Using SMS makes PERFECT SENSE for the online service provider.

The following are very similar but separate goals:

1. proof of account ownership (person attempting action has ownership of account)

2. limiting accounts created by non-legitimate users

SMS is very effective for (2) because few people are going to have access to 100 different phone numbers. Having a cell phone number also typically involves a personal process that requires things like your address, passport, SSN, etc. There are hoops to jump through for this. Companies rely on SMS because they can outsource the KYC process to cell phone companies. They are not doing this to have the most optimal or secure solution for proof of account ownership.

People who continue to complain about this clearly have never had to make this type of auth decision for a company involved in regulated or financial services.


Your point is completely orthogonal to account takeover. You can require a phone number to create an account and not allow SMS to the number to take over the account.

What happens when the owner of the number discontinues the phone service, loses the number, and the same number is given to another customer who then tries to register for an account on the same platform? Phone providers may recycle numbers in as short a period as a few months.

> Phone providers may recycle numbers in as short a period as a few months.

Then, I guess, the account on that German home automation online forum was maybe not that important, after all.

Such a strawman. People get locked out of accounts with important stuff for them all the time.

Let's demand more of tech companies who have the means to do proper security, instead of blaming user mistakes.

No, I’m not blaming the user. Look at this from the other perspective:

I have an apartment, a vacation home, a chicken coop, a shed with old tools, a car, a bank deposit box.

Do all of those things absolutely require a Post-Blockchain-Ready™ SuperDuperLock 3000© with the patented Forensic Upgrade Crypto Key™ technology?

Not really. Some security vs. accessibility/usability trade-offs need to be made.

Somebody stealing the contents of my bank deposit box? Okay, that would suck.

Somebody breaking into the shed and stealing that old broken Toyota diff lock actuator I *swear* I'm going to fix at some point and maybe a shovel? Please.

This is why I think there might be a security floor for critical applications, but it should be the user's choice if they really want full 2FA+ with smartphones, biometry, and social security number verification for their random account on a once-a-month-visited social network for cats.

Why does the service provider care about account takeover, from a financial perspective?

They can always reset the password on their end, given proof of identity (if the account matters).

> Why does the service provider care about account takeover, from a financial perspective?

Indeed, caring in any way about users of your product or service is merely a liability and a cost center.

I honestly don't want that type of overprotective caring that cares so. much. about you that it restricts you in meaningful ways.
Just because I understand precisely why companies do it doesn't mean I need to be happy with it, does it?

By the same logic, you could justify companies tracking their users and selling their personal information: It makes money, and making money is an important part of running a business!

Or: "Robocalls with fraudulent caller-IDs make perfect sense for the companies doing them..."

> (2) because few people are going to have access to 100 different phone numbers

There's a plethora of SMS verification providers where you can pay a trivial amount (e.g. 50 cents) per verification, and have tens/hundreds of phone numbers available. This isn't stopping anyone who's mildly determined.

> There's a plethora of SMS verification providers where you can pay a trivial amount (e.g. 50 cents) per verification, and have tens/hundreds of phone numbers available. This isn't stopping anyone who's mildly determined.

But that's the point: If you're really determined, nothing's gonna stop you.

How much on the freedom vs. restriction scale do you want to get pushed to the right for "security" before it's too much? Or is it okay, because it's not inconvenient to you?