Hacker News
by bigiain 4970 days ago
You're now outsourcing your users security to their cell phone provider.

Was it Twitter who had their domain hijacked by someone ringing up the right telco and saying something like "my cell phone is out of action temporarily, can you please forward all calls/messages to this other number?" in a sufficiently convincing fashion to some minimum-wage telco support staff, then getting a two-factor auth token sent to an attacker-controlled number?

I think a lot of webdevs make assumptions about SMS "security" that are quite unfounded.

1 comment

Thanks for the feedback! You brought up a valid point. It's something that will become more of an issue as the website increases its user base, and we'll think of ways to address it.
Here's another article probably of interest:

http://www.itnews.com.au/News/322194,telcos-declare-sms-unsa...

"The lobby group for Australian telcos has declared that SMS technology should no longer be considered a safe means of verifying the identity of an individual during a banking transaction."