Nick Szabo  🔑

Then take some basic steps to discourage 2FA! AT&T knew it was an issue, so taking some basic measures like at least asking the likes of Twitter and Coinbase to stop doing it would be reasonable. Sounds like they didn't.

If a company as big as Petzl knew their gear was being misused, and people were getting hurt in large numbers, I'd expect them to at least put out some documentation explaining why it was a bad idea. That's a low standard to hold someone too, so reasonable.

Go read some Petzl instructional manuals: pretty much all of them have examples of what *not* to do. That's a product being misused, and a concrete attempt at discouraging that misuse. I don't see AT&T doing that with 2FA.

I suspect AT&T (and others) don't do that because it'd be bad marketing to say "Hey! You're phone #'s aren't secure!" Petzl seems to have gotten over that problem, and is quite happy to warn you how you can kill yourself with their products.

It would go way over the heads of the vast majority of their customers, and even of most security professionals, and even of themselves, to try to describe in any reasonably complete fashion what phone numbers are and are not secure for.

You're making this ridiculously complex. Lots of people are hurt by phones getting hijacking, with lots of well known cases. AT&T is aware of this. It's *very* easy to say "Hey! This is obviously bad, stop doing it" If this were a rarely encountered hazard I'd think otherwise.

How can ATT legally stop someone from porting their number to another carrier? They legally cannot block the port because of a forgotten password and it’s not very hard for somone to physically show up with forged ID.