CertiK says SMS is the 'most vulnerable' form of 2FA in use

cointelegraph.com:

Using SMS as a form of two-factor authentication has always been popular among crypto enthusiasts. After all, many users are already trading their cryptos or managing social pages on their phones, so why not simply use SMS to verify when accessing sensitive financial content?

Unfortunately, con artists have lately caught on to exploiting the wealth buried under this layer of security via SIM-swapping, or the process of rerouting a person's SIM card to a phone that is in possession of a hacker. In many jurisdictions worldwide, telecom employees won't ask for government ID, facial identification, or social security numbers to handle a simple porting request.

Combined with a quick search for publicly available personal information (quite common for Web 3.0 stakeholders) and easy-to-guess recovery questions, impersonators can quickly port an account's SMS 2FA to their phone and begin using it for nefarious means. Earlier this year, many crypto Youtubers fell victim to a SIM-swap attack where hackers posted scam videos on their channel with text directing viewers to send money to the hacker's wallet. In June Solana NFT project Duppies had its official Twitter account breached via a SIM-Swap with hackers tweeting links to a fake stealth mint.

With regards to this matter, Cointelegraph spoke with CertiK's security expert Jesse Leclere. Known as a leader in the blockchain security space, CertiK has helped over 3,600 projects secure $360 billion worth of digital assets and detected over 66,000 vulnerabilities since 2018. Here's what Leclere had to say:

Leclerc explained that dedicated authenticator apps, such as Google Authenticator, Authy, or Duo, offer nearly all the convenience of SMS 2FA while removing the risk of SIM-swapping.