SMS Two-Factor Is a $26 Million Lie
SIM swap attacks have stolen $200+ million in cryptocurrency from SMS-based 2FA users. Passkeys and hardware security keys are the only reliable defense. An authentication security and threat intelligence guide.
The numbers tell the story
In 2024, the FBI's Internet Crime Complaint Center (IC3) received 982 complaints related to SIM swapping with reported losses totaling $25.98 million. That figure dramatically understates the real total; most victims never file a complaint. The UK's Action Fraud reported a 1,055% surge in SIM swap attacks between 2023 and 2025, driven by the explosion of cryptocurrency holdings and the continued reliance on SMS-based two-factor authentication.
SIM swapping works because phone carriers authenticate account changes with information that is trivially available: name, date of birth, last four digits of SSN, and billing address. An attacker who has purchased this data from a breach or data broker calls the carrier, impersonates the victim, and requests a SIM transfer to a new device. Once the attacker's SIM receives the victim's phone number, every SMS verification code goes to the attacker.
Carrier insiders make it easy
The more efficient path skips social engineering entirely. Carrier employees are bribed to process unauthorized SIM swaps. The going rate documented in federal indictments is approximately $300 per swap. A T-Mobile store employee in New Jersey processed over 100 fraudulent swaps before being caught in 2023. The operation netted the employee $30,000 and the fraud ring millions.
T-Mobile has been the most frequently targeted carrier. In 2023, a T-Mobile customer won a $33 million arbitration award after a SIM swap attack drained his cryptocurrency holdings. The arbitrator found that T-Mobile's security controls were grossly inadequate and that the company had been warned repeatedly about SIM swap vulnerabilities.
MFA fatigue: LAPSUS$ showed the way
SIM swapping is not the only way to defeat two-factor authentication. The LAPSUS$ group demonstrated MFA fatigue attacks in 2022 when they compromised Uber. The attacker obtained an Uber contractor's credentials from a dark web marketplace, then initiated login attempts that triggered push notifications to the contractor's phone. After receiving over 40 push notifications in rapid succession, the contractor approved one, possibly by accident, possibly out of frustration.
Once inside, LAPSUS$ accessed Uber's internal Slack, engineering dashboards, and source code repositories. The group was composed primarily of teenagers from the UK and Brazil.
The Coinbase case
In August 2024, a Coinbase customer lost $96,000 in a SIM swap attack. The attacker ported the victim's phone number, intercepted the SMS verification code, and transferred cryptocurrency out of the account within minutes. Coinbase's response was to point to their terms of service, which disclaim liability for losses resulting from compromised phone numbers.
This case illustrates the fundamental problem: financial institutions offer SMS 2FA as a security feature, but accept no responsibility when that feature is defeated by an attack vector that has been well documented for years.
Passkeys are the actual solution
The industry has known that SMS-based 2FA is insecure since at least 2016, when NIST deprecated SMS as an authentication factor (then partially walked it back under industry pressure). The replacement technology, FIDO2/WebAuthn passkeys, has finally reached critical mass.
As of early 2026:
- Over 1 billion passkeys have been activated across Apple, Google, and Microsoft ecosystems
- 48% of the top 100 websites now support passkey authentication
- Apple, Google, and Microsoft have all made passkeys a first-class authentication option in their operating systems
Passkeys operate on completely different principles than SMS codes:
| Feature | SMS 2FA | FIDO2/WebAuthn Passkey |
|---|---|---|
| Phishable | Yes, codes can be intercepted or socially engineered | No, cryptographically bound to the specific domain |
| SIM swap vulnerable | Yes | No, key material never leaves the device |
| Replayable | Yes, intercepted codes work until they expire | No, challenge-response is unique per session |
| Requires carrier trust | Yes | No |
| Works offline | No | Yes (for local authentication) |
A passkey is a cryptographic key pair where the private key lives in the device's secure hardware (Secure Enclave on Apple, Titan chip on Google, TPM on Windows). Authentication is a challenge-response: the server sends a random challenge, the device signs it with the private key, and the server verifies the signature with the public key. There is nothing to intercept, nothing to phish, and nothing that a SIM swap can compromise.
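The challenge-response flow above, written out as an added example (not code from the original article or from any passkey vendor): a simplified WebAuthn relying party in Go. The origin `https://bank.example`, the `ClientData` shape and the type names are assumptions for illustration; the real clientDataJSON carries more fields, but the three checks shown (registered key, expected origin, fresh one-time challenge) are exactly what makes a passkey unphishable, unreplayable and unaffected by a SIM swap.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
)

const rpOrigin = "https://bank.example" // assumed relying-party origin; every assertion is bound to it
// ClientData is a simplified form of the clientDataJSON the browser hands the authenticator to sign.
type ClientData struct {
	Challenge string `json:"challenge"`
	Origin    string `json:"origin"`
}
type Authenticator struct{ priv *ecdsa.PrivateKey }               // private key in secure hardware; never leaves the device
type RelyingParty struct{ pub *ecdsa.PublicKey; challenge []byte } // server keeps only the public key and a pending challenge

// Register generates the key pair on the device and gives the server only the public half.
func Register() (*Authenticator, *RelyingParty) {
	priv, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	return &Authenticator{priv}, &RelyingParty{pub: &priv.PublicKey}
}
// NewChallenge issues a fresh random challenge for one login attempt.
func (rp *RelyingParty) NewChallenge() []byte {
	rp.challenge = make([]byte, 32)
	rand.Read(rp.challenge)
	return rp.challenge
}
// Assert signs SHA-256(clientData) for whatever origin the browser is actually on.
func (a *Authenticator) Assert(challenge []byte, origin string) (cd, sig []byte) {
	cd, _ = json.Marshal(ClientData{Challenge: hex.EncodeToString(challenge), Origin: origin})
	h := sha256.Sum256(cd)
	sig, _ = ecdsa.SignASN1(rand.Reader, a.priv, h[:])
	return cd, sig
}
// Verify accepts only a signature by the registered key over clientData that names the expected
// origin (a phishing domain fails) and the outstanding challenge (a replayed response fails).
func (rp *RelyingParty) Verify(cd, sig []byte) bool {
	var c ClientData
	if len(rp.challenge) == 0 || json.Unmarshal(cd, &c) != nil || c.Origin != rpOrigin || c.Challenge != hex.EncodeToString(rp.challenge) {
		return false
	}
	rp.challenge = nil // one-time use: the same response presented again is rejected
	h := sha256.Sum256(cd)
	return ecdsa.VerifyASN1(rp.pub, h[:], sig)
}
```

Because the origin is inside the signed data, an assertion produced on a look-alike domain is useless to the attacker even if the user is tricked into completing it; contrast this with an SMS code, which is valid wherever it is typed.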
Why SMS 2FA persists
Despite the known vulnerabilities, SMS 2FA remains the default on most platforms for three reasons:
- Universality: every phone can receive SMS. Not every phone has a secure enclave or biometric sensor.
- User familiarity: people understand text messages. Passkey enrollment involves concepts (public key cryptography, device attestation) that are invisible to users but unfamiliar to support teams.
- Liability avoidance: offering SMS 2FA is better than offering nothing. It shifts blame to the user if their account is compromised.
Practical recommendations
- Enable passkeys on every account that supports them. Prioritize email, financial accounts, and cryptocurrency exchanges.
- Use a hardware security key (YubiKey 5 series) as a backup to passkeys. Hardware keys support FIDO2 and cannot be SIM swapped, phished, or cloned.
- Add a carrier PIN to your mobile account. All major carriers offer a secondary PIN that must be provided before account changes. This is not foolproof against insider threats but stops basic social engineering.
- Remove your phone number from accounts where possible. Many services allow you to use only an authenticator app or passkey without a phone number fallback.
- Monitor your phone signal. If your phone suddenly shows "No Service" or "SOS Only" when it should have coverage, call your carrier immediately from another phone. This is the first sign of an active SIM swap.
- Never use SMS 2FA as your only second factor. If a service only offers SMS, treat it as having single-factor authentication and adjust your risk tolerance accordingly.
Want us to check your authentication setup?
Our scanner detects this exact misconfiguration, plus dozens more across 38 platforms. Free website check available, no commitment required.
