> 1) Ban SMS as a second factor for high risk targets like banks.
As others have pointed out, if it were just a second factor they would also need your password. SMS is being used for full account recovery, so as a single factor.
> 2) Telecom companies should require social security number
This is exactly what we should not be doing. I would like it to be harder to steal my identity than getting a 9-digit number, which can never be rotated, and which I am required to provide in plaintext to many different people in many different situations (renting an apartment, opening a credit card, etc.).
To make matters even worse, up to the first 5 digits of an SSN can be easily guessed if you know the person's age and birthplace, and the last 4 digits are used even more haphazardly than the entire number is (e.g. sometimes the last 4 are displayed in plaintext on a website while the first 5 are starred out).
As others have pointed out, if it were just a second factor they would also need your password. SMS is being used for full account recovery, so as a single factor.
> 2) Telecom companies should require social security number
This is exactly what we should not be doing. I would like it to be harder to steal my identity than getting a 9-digit number, which can never be rotated, and which I am required to provide in plaintext to many different people in many different situations (renting an apartment, opening a credit card, etc.).
To make matters even worse, up to the first 5 digits of an SSN can be easily guessed if you know the person's age and birthplace, and the last 4 digits are used even more haphazardly than the entire number is (e.g. sometimes the last 4 are displayed in plaintext on a website while the first 5 are starred out).