Two-factor authentication codes sent via SMS can be intercepted by anyone who can SIM swap your phone number for $20

Your bank sends a 6-digit code via SMS to verify a login. An attacker calls your carrier (T-Mobile, AT&T, Verizon), pretends to be you, says they lost their phone, and asks to transfer your number to a new SIM. The carrier rep asks for your billing address and the last 4 of your SSN, both available from public data brokers for $5. The transfer goes through. The attacker now receives your SMS codes. They log into your bank, your email, your crypto exchange. Total time: 15 minutes. Total cost: $20.

So what?

SMS-based 2FA is the default for banking, healthcare, and government services. 80%+ of 2FA-enabled accounts use SMS because it requires no app or hardware token. But SMS was never designed as a security protocol: it is a plain-text communication channel with no encryption, no authentication, and no protection against SIM swapping. In 2023, the FBI reported $48M in SIM swap fraud losses, and that covers only reported cases. Crypto holders are particularly targeted; one SIM swap can drain a $500K wallet in minutes.

Why does this persist?

Banks and services use SMS 2FA because it works on every phone (no app required), users understand it (enter the code you received), and it is free for the service provider. TOTP apps (Google Authenticator, Authy) and hardware keys (YubiKey) are more secure but require user setup and create a support burden when users lose their phone or key. Carriers have no financial incentive to prevent SIM swaps: they face no liability for fraud that results from a swapped number. The FCC finalized SIM swap protection rules in November 2023, but enforcement is complaint-driven and carriers are slow to implement them.

Evidence

FBI IC3 2023: $48M in reported SIM swap losses, 2,026 complaints.
T-Mobile settled a $350M class action for SIM swap failures in 2022.
FCC SIM swap rules finalized November 2023 (FCC 23-95).
Princeton study (2020): researchers successfully SIM-swapped 39 out of 50 prepaid accounts across 5 carriers.
NIST deprecated SMS 2FA in SP 800-63B (2017), but adoption of alternatives remains below 20%.
