Nick Szabo  🔑

I suspect AT&T (and others) don't do that because it'd be bad marketing to say "Hey! You're phone #'s aren't secure!" Petzl seems to have gotten over that problem, and is quite happy to warn you how you can kill yourself with their products.

It would go way over the heads of the vast majority of their customers, and even of most security professionals, and even of themselves, to try to describe in any reasonably complete fashion what phone numbers are and are not secure for.

You're making this ridiculously complex. Lots of people are hurt by phones getting hijacking, with lots of well known cases. AT&T is aware of this. It's *very* easy to say "Hey! This is obviously bad, stop doing it" If this were a rarely encountered hazard I'd think otherwise.

How can ATT legally stop someone from porting their number to another carrier? They legally cannot block the port because of a forgotten password and it’s not very hard for somone to physically show up with forged ID.

Even if carriers could make it *more* secure I still cannot see security professionals recommending relying on carrier level security for banking level requirements.

Then take some basic measures to discourage 2FA like customer education and talking to major 2FA users! It's ok if they don't want to provide this service, but given the level of harm they have to put some effort into discouraging that.

They may've found phone numbers useful & benign (though it is very much not their expertise or business) in the reversible banking txs they are familiar with, but haven't studied consequences of use w/irreversible crypto. Ridiculous to expect them rather than Coinbase to do that.

They don't have to study this issue. They simply have to observe the obvious fact that lots of people are getting hurt in this way. That requires no special knowledge. And after all, this is an issue that extends to more than just cryptocurrency: e.g. stolen gmail accounts.