Indeed. I once worked on a system where we had SMS as one of the "last resorts". When someone used SMS as recovery, we'd disable withdrawals and fundings (it was some sort of wallet) as well as severely limit their daily limits. Until the account was fully restored again using normal, secure methods (Mail, KYC, etc).
We were hit by a similar "attack" where our "let us call you to start recovery" was abused by putting a toll-number there, and our system would then call this toll-number and we'd get rediculous bills. But putting in limitations helped a lot, so we did this for SMS too.
Indeed. I once worked on a system where we had SMS as one of the "last resorts". When someone used SMS as recovery, we'd disable withdrawals and fundings (it was some sort of wallet) as well as severely limit their daily limits. Until the account was fully restored again using normal, secure methods (Mail, KYC, etc).
We were hit by a similar "attack" where our "let us call you to start recovery" was abused by putting a toll-number there, and our system would then call this toll-number and we'd get rediculous bills. But putting in limitations helped a lot, so we did this for SMS too.