by 13 4089 days ago
Doesn't even have to be that complicated, the malware can just rewrite the destination to the malware author's silently and wait for people to be sending money there anyway. It's a reasonably dangerous property of Google-style 2FA that they can be transposed without any warning. My bank attempts to get around this by only using SMS based tokens, and the first line of the SMS says exactly what is being sent and where.
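Added example (not the commenter's code, and not any bank's actual scheme): the property being pointed at is that a plain TOTP code is computed from the secret and the clock only, so it verifies for whatever transfer the malware submits, whereas a code whose MAC input also covers the amount and destination stops verifying the moment the destination is rewritten. The secret, the field encoding, the account strings and the 30-second step are assumptions made up for the illustration; a production scheme would use a standardized encoding (OCRA-style) rather than this ad hoc one.

```python
import hashlib
import hmac
import struct

# Constructed shared secret for this example only; a real token secret is random and per-user.
SECRET = b"example-shared-secret-not-for-real-use"
STEP_SECONDS = 30


def _truncate(mac: bytes, digits: int = 6) -> str:
    """RFC 4226 dynamic truncation: pick 31 bits out of the MAC, reduce to `digits` decimal digits."""
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{value % (10 ** digits):0{digits}d}"


def totp(secret: bytes, now: float) -> str:
    """Plain time-based code (RFC 6238 shape): the MAC covers the secret and the time step only.
    Nothing about the transfer enters the computation, so the code is equally valid for any transfer."""
    counter = int(now // STEP_SECONDS)
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    return _truncate(mac)


def transaction_code(secret: bytes, now: float, amount_cents: int, destination: str) -> str:
    """Transaction-bound code: the MAC also covers the amount and the destination account, so a
    code generated for one transfer does not verify for a transfer to a different destination.
    (Field encoding here is an assumption for the example, not a standard.)"""
    counter = int(now // STEP_SECONDS)
    message = (
        struct.pack(">Q", counter)
        + struct.pack(">Q", amount_cents)
        + destination.encode("utf-8")
    )
    mac = hmac.new(secret, message, hashlib.sha256).digest()
    return _truncate(mac)


def totp_transfer_accepted(now: float, intended: tuple, received: tuple) -> bool:
    """Bank side with plain TOTP. `intended` is (amount, destination) as the user typed it;
    `received` is what the bank got after malware on the user's machine rewrote the form.
    The transfer details never enter the check, so the rewrite goes unnoticed."""
    code_from_user = totp(SECRET, now)
    return hmac.compare_digest(totp(SECRET, now), code_from_user)


def bound_transfer_accepted(now: float, intended: tuple, received: tuple) -> bool:
    """Bank side with a transaction-bound code. The user's token computes the code over the
    details the user actually entered; the bank recomputes it over the details it received.
    A rewritten destination changes the bank-side input, so the code no longer matches."""
    code_from_user = transaction_code(SECRET, now, *intended)
    return hmac.compare_digest(transaction_code(SECRET, now, *received), code_from_user)


# Constructed sample transfer: the user intends to pay one account and the malware rewrites the
# destination in the submitted form. Both account strings are made up for the example.
NOW = 1_700_000_000.0
INTENDED = (25_000, "DE00 0000 0000 0000 0000 01")
REWRITTEN = (25_000, "DE00 0000 0000 0000 0000 99")

if __name__ == "__main__":
    print("plain TOTP accepts rewritten transfer:", totp_transfer_accepted(NOW, INTENDED, REWRITTEN))
    print("bound code accepts rewritten transfer:", bound_transfer_accepted(NOW, INTENDED, REWRITTEN))
    print("bound code accepts untampered transfer:", bound_transfer_accepted(NOW, INTENDED, INTENDED))
```

The SMS variant described in the comment achieves the same binding through the human: the message states the amount and destination, and the user is expected to refuse the code if they do not match. The token variant above moves that comparison into the MAC, so it does not depend on the user reading the message carefully.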

On the other hand, it's much easier to reroute a cell phone number through social engineering than to steal TOTP secrets.
Is it really possible from an evil standpoint to get SMS rerouted to another number? I was looking into that a while ago (I wanted a prettier number, but didn't want to lose things associated with the old one) and the answer I got was that it's not something anybody can do. I get how the phone call rerouting stuff would go down, but not SMS rerouting.
GrandCentral / Google Voice used to be able to do this, along with tons of other awesome stuff for VoIP nerds. You could bring whatever DIDs you had (IIRC they also sold them for a reasonable fee) and set up routing however you wanted, and you could trunk to your own SIP server if you wanted to, e.g. set up a phone menu to drive your home automation.

Not sure if any of that still works with GVoice, but if not, I'd look into doing it with Twilio possibly.