See, this stuff isn't black and white: I'd rather see these decisions made based on what a company could have easily done. AT&T getting their customer service techs some basic anti-social-engineering training, *or* discouraging 2FA, is easy and would prevent a lot of harm.
-
I think the standard of reasonable care doesn't mean they need such warnings to be complete at all, far from it: it's perfectly reasonable to focus only on common hazards. 2FA hacking is very common.
-
Not a fan of AT&T; however, they are not a bank and therefore cannot be expected to provide fin-tech level security on accounts. Delegation of security to a less secure system or company is failure by design.