
Don't we already know it wasn't actually a breach?


If all your customers get SIM swapped because you offered 2FA over SMS then it's your fault as a service provider.


Couldn't we shift the fault back a step? If it's so easy to SIM swap people, shouldn't the telecoms be liable for damages to their customers in the event of a SIM swap?


I am not entirely sure I fully agree. Telecoms never sold us a service to authenticate us to 3rd parties. Those 3rd parties did bolt it on top of an arguably insecure message transmission system. It wasn't meant to be used like this and maybe it's even a bad idea to use it like that. The assumption that only you yourself could receive these codes because you are authenticated against your mobile network provider might just be wrong here.

Of course, letting the actual SIM swapping attack work is an issue they should be required to solve, but for entirely different reasons. Once you are authenticated to their network you can cause substantial costs for the real owner of the contract, for example, and those costs would definitely be compensated to their clients if this happens without their involvement. But if your assumptions break because of this issue, your assumptions are wrong in my opinion and you would be the one to blame.

A simple analogy here could be: you park your car in front of a police station, because nobody would dare to steal your car right in front of the police, right? But then your car still gets stolen and you think you should try to sue the police because that just happened.

On the other hand, Coinbase did make that assumption and has been proven wrong in this way. They did bet on the telcos' messaging systems being secure enough to be used for authentication. That did not work out and this caused people to lose money, which should be compensated for by Coinbase, because they decided to do that and not the telecoms.


I agree - you are right, we absolutely should. But if customers are using Coinbase, and people sue and get successful judgments against Coinbase for using insecure authentication media, then maybe Coinbase can go ahead and initiate lawsuits against the telecoms if they are feeling the heat.

Consumer complaints against ISPs/telecoms have been notoriously slow, unresolved with no real improvements - even before the creature Ajit Pai crawled out from under his rock, shockingly enough.


"all" customers? Or do you mean 6,000 out of 60m +?


Either works for the example. You should be liable for offering something that is easily exploited that affects your customers.


If that is the net you are casting that is going to be a very wide net.

SMS 2FA isn't great but there are lots of places that use it.


They should all be liable for damages if anything bad happens as a result of account misappropriation IMO


Coinbase is making all the affected customers whole. What more liability do you want?


A fine that is substantial enough to make them deprecate 2FA for SMS


Why do you care if Coinbase gets robbed?


Because people and organizations should be held accountable for their actions and weak security can directly impact people's lives


