How is it possible that some kind of imaginative script can be enough to get SMS SIM swapped?
Why aren't the operators requiring a strong identification via a passport or something like that? Maybe I'm really dumb but that just boggles my mind, whether or not there exist other types of alternatives to 2FA.
There's not much you can confirm over the phone, except the account PIN and sometimes a security hint. But an attacker can pretend to have forgotten it and press that the matter is urgent. If the attacker knows enough about the person, they might be able to convince an agent to make the swap so the agent can:
1) Get on with their day to maybe hit a support request quota
2) Make sure this person doesn't give them a bad customer satisfaction score
They could require this. Most of the big operators have physical stores where they could do an ID check. There should be an advanced protection mode where SIM swaps and other sensitive operations require physical authentication.