Good grief, what a nightmare. I guess it goes to show that there's not much you can do to stop a dedicated hacker.
But I wonder how this SIM swapping problem can be solved? Because nowadays most websites offer 2FA combined with SMS.
On some sites, users must provide GnuPG public keys. Sometimes even login requires signing, and then submitting, a challenge string. Basically, that's how Bitcoin etc. transactions are authenticated. So perhaps that could be packaged in a more user-friendly way for site authentication. But then, there's no recourse if you lose the private key. And that's the tradeoff, I guess. As long as you have a safety net for lost credentials, you have a vulnerability for account theft. And of course, if someone steals the private key, you're screwed.
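
The signed-challenge login described in the comment above, sketched from the site's side as an added example that is not part of the original thread. Ed25519 from the Go standard library stands in for GnuPG signatures, and the `Server` type, its methods, the `signed` helper and the `login-v1` label are hypothetical names.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
	"time"
)

type challenge struct{ nonce []byte; expires time.Time }
// Server is a hypothetical site: registered public keys plus outstanding challenges.
type Server struct{ keys map[string]ed25519.PublicKey; pending map[string]challenge }

// Issue returns a fresh random challenge for user, valid for ttl.
func (s *Server) Issue(user string, ttl time.Duration) []byte {
	nonce := make([]byte, 32)
	if _, err := rand.Read(nonce); err != nil {
		panic(err) // no randomness, no safe challenge
	}
	s.pending[user] = challenge{nonce, time.Now().Add(ttl)}
	return nonce
}

// signed is the exact byte string the client signs: purpose label, user, nonce.
func signed(user string, nonce []byte) []byte {
	return append([]byte("login-v1|"+user+"|"), nonce...)
}

// Login verifies the signature over the outstanding challenge and consumes it.
func (s *Server) Login(user string, sig []byte) error {
	c, ok := s.pending[user]
	delete(s.pending, user) // single use, pass or fail, so a captured signature cannot be replayed
	pub, known := s.keys[user]
	switch {
	case !ok || !known || time.Now().After(c.expires):
		return errors.New("no valid challenge")
	case !ed25519.Verify(pub, signed(user, c.nonce), sig):
		return errors.New("bad signature")
	}
	return nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // constructed demo key pair
	srv := &Server{map[string]ed25519.PublicKey{"alice": pub}, map[string]challenge{}}
	sig := ed25519.Sign(priv, signed("alice", srv.Issue("alice", time.Minute)))
	fmt.Println(srv.Login("alice", sig), srv.Login("alice", sig)) // second call is a replay
}
```

The server stores only public keys, so nothing it holds can be used to log in as the user; the tradeoff the comment names remains, since the private key is the only credential.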