Ten days ago, Vice published an investigation showing that hijacking any subscriber's SMS messages required nothing more than paying a hacker $16. The pseudonymous hacker worked quickly, quietly, and with little effort, handing over the Vice journalist's SMS messages without performing a SIM swap or anything as sophisticated as exploiting SS7 network flaws.
The hacker simply signed up on an otherwise legitimate mass-messaging marketing service and, by exploiting a security gap in it, managed to reroute the journalist's SMS messages.
Now, the same publication is reporting that the telcos have finally plugged that hole. The announcement confirming the fix came from Aerialink and mentioned the following:
The telcos themselves, or the FCC, which is their governing body, haven’t provided any comments to Motherboard, so this was a somewhat “silent” fix with nobody feeling the need to say anything about it. It is extremely unlikely, though, that the FCC will just let this pass, and we expect the authority to launch an investigation and impose fines on the telcos.
From the side of the software that was abused, the co-founder of the vendor has stated the following:
Having SMS messages rerouted to anyone who can subscribe to a third party's platform obviously has dire consequences for the security of any account that uses 2FA linked to the affected number, and it could open Pandora's box for people's privacy. The hacker who performed the demonstration for Vice showed that taking over several of the target's accounts this way would be fairly easy.
If you need a takeaway from all this, that would be that SMS is not a secure method of 2FA, and you should prefer an authenticator app or a physical key instead. If you have no other option, use a private number that is not linked to your identity, is not known by others, and is not used for any other purpose than 2FA.