tl;dr: You ought to be using 2-factor, and you ought to be using the one-time password generator built into 1password instead of using SMS.

The "SIM porting" attack has been becoming more common and getting more press recently. Basically, it's easy for a crook to call up your phone company and get them to move your phone number to their phone. The telco is supposed to verify that it's you requesting this, but they are stupid and easily fooled.

Once the attacker is receiving your text messages, most services, even those that use 2-factor auth, will allow them to do a password reset and take over your account. My understanding is that they generally needn't have also compromised your email account first.

The fix to this is to not use SMS for your 2-factor. A better way is to use a one-time password generator. There are physical-dongle versions of these, and software versions. The way they work is, set-up involves them sharing a secret by scanning a QR code; and then the login codes are generated based on that secret, without the two ever needing to communicate again. Basically it's a clock-based PRNG with a shared seed.

Many people recommend Google Authenticator and I gave that a try, despite a deep paranoia about any software that has "Google" in its name -- which is not helped out by the fact that Authenticator was once open source, but then Google took it proprietary, which is not at all a shady and concerning move, no sir.

The problem with using that app is that if you want to use more than one device to generate your one-time codes -- say you sometimes have your phone with you and sometimes have your tablet with you but not both -- then you'd have to set them both up at the same time. You can't add a device later without losing access from all previous devices.

But it turns out that the excellent 1password includes a compatible one-time password generator that does the same thing! Instructions here. The huge benefit of this over Google Authenticator is that you can access the code generator from any device to which you are syncing your 1password vault, including your desktop.

This works with Facebook, Dropbox, Twitter, Kickstarter and Etsy.

Instagram (owned by Facebook) say they're really thinking about supporting non-SMS 2FA, really thinking about it really hard. But they still provide 2FA only via SMS.

Patreon and Ebay also only support 2FA over SMS. (Oddly, it looks like Patreon used to support OTP but stopped??)

And Twitter, of course, goes out of their way to fuck up this security feature, as is their core incompetency.

You can't enable 2FA at all without giving them a mobile number. You have to enable 2FA with SMS, and then you can switch to OTP.

you can switch to OTP. After you've configured the OTP, you also have to go into the SMS setting and say "no really, don't use SMS for 2FA". Because if you don't do that, the login page will still have an option that says "Choose a different verification method" that allows your friendly neighborhood hacker the option to use your phone number anyway.

Just remove your phone number? Oh ho ho ho, no. Doing so turns off 2FA entirely.

Kickstarter seems to have the same bug: you can turn on OTP but you can't ever turn off SMS.

Amazon is even weirder: they let you register an OTP app, but I can't find a way to make them actually use it. They always use SMS.

In short, everything is terrible and it's a wonder that you can still log into any of your accounts at all.

Previously, previously, previously, previously, previously, previously, previously, previously, previously, previously.