
2FA can, but SMS-2FA depends on your cell provider being resilient to attacks, which they have proven they aren't.


If attacking my X account requires also attacking my SMS provider account, it doesn't make it impossible to attack my account.

However, telecom hacks are often more involved, and take more effort to pull off. If I'm a high value target, it's not a big hurdle. If I'm a low value target, I might not be worth it.


True, but U2F is still a better choice.

While telcos may eventually fix the broken protocols, it's likely to be decades before that has rolled out widely.

In the meantime attackers are going to automate telecom hacks.. why not?

That said, for simple services sending a single-use password by email or SMS is quite easy :) My hairdresser does so for reservations, and it's working out fine.. Nobody cares if that account is hacked anyways.


> In the meantime attackers are going to automate telecom hacks.. why not?

A lot of telecom hacks are social engineering, which often leaves an audit trail, and is hard to automate (if they're using the same text to speech engine that makes spam calls, good luck!)


SMS spoofing is certainly automated today.

Stealing SMS messages, maybe less so.. but from what I hear the protocol is largely trust based, so it's unclear that it couldn't be.

That said, eventually telecoms will be forced to fix this. I'm just guessing it'll take another decade or two.. it's not like robocalls were trivially fixed when they became annoying.


Article addresses that:

> SIM swapping attacks are a legitimate concern, but if that was the only problem with SMS-2FA, my opinion is that would not be enough to dismiss it.



