SMS is not encrypted; your service provider can read all your texts.
Theoretically anyone at the right point can read all your SMS texts.
A great example being the police “stingray tower” system that masquerades as a cell tower that your phone will happily (and quietly) connect to.
Convince a phone that you’re just another authorized relay, have a target in mind, and it’s like reading postcards before they hit the mailbox.
This is also why it’s an absolute joke for 2FA, but institutions like banks still happily use it because it’s easy to understand.
Not only easy to understand, but for a while it was the only way to do 2FA that was usable by lots of people. Smartphones aren’t as ubiquitous as people think, even today.
SMS’s fall from grace wasn’t actually that it could be intercepted, it was the fact it started being used as an excuse to ask for a phone number and use that to track people.
Google still won’t allow you to use any form of 2FA if you don’t give them a phone number. Twitch/Amazon too. Facebook used to (until they got WhatsApp, now they don’t need to ask). LinkedIn used to (until they got broken into so many times it became a humongous liability).