
This SIM swap crap is so stupid. How is SIM second factor authentication if you can reset your password with just your phone number? Why can't phones be yubikeys, or just allow only software OTP?



In Norway we have a 2FA provider that all banks use. They have implemented a 2FA solution that is installed on the SIM card itself and locked to that card. You also get a separate hardware key device if you want. This way they would need to hijack both your phone and your 2FA pin.

If you lose your SIM card and don’t have the hardware key, you need to go to your bank and identify yourself with a valid ID.

Using regular old SMS as 2FA these days seems highly irresponsible for a company. Regular people might not know better.


People already complain that technology is too complicated to use - if anything, the trend is toward trading off more security for simplicity.


Snake oil "2FA" manages to hurt both security (the phone network doesn't provide the imagined security properties) as well as usability (hassling customers to paste a numeric code), so that's not it.

This article itself is journalistic malpractice. The crime is fraud, not theft. Optus is not the party responsible for making this right, the banks that improperly debited his accounts are. By failing to explain the actual legal situation and directing focus towards a minor party, this article will cause other victims to fail at pressing the matter with their banks within the time windows for disputing fraudulent transactions.


Or maybe, the point of the article is the banks largely fixed it and returned the money, as they should've. Meanwhile, telcos drag their heels and do nothing to improve the situation (not unique to Australia). Personally, if I were in the same situation, I'd also be livid at the telco. They issued not one but two eSIMs and were useless at diagnosing the issue.


The banks fixing it most certainly was not the point of the article, as the mention of banks correcting his balances consists of two lines. It also implies he was not made whole fully, but does not explain why.

And what really are the telcos supposed to do here? Banks are attempting to use them to provide security properties they never offered, and most likely can't offer due to their group-project technical architecture. Even if telcos completely secure the SIM reissuing process, then criminal gangs just buy someone who has access to a phone switch.

Banks could very well just not implement snake oil "2FA". For example, they could ship each customer a hardware security token, and require password resets be done in person at a branch. Or they can just keep shouldering the current level of fraud as they seem perfectly content to do. The entire problem has been created by the banks, and this narrative attempting to shift blame onto telcos is counterproductive.


The current state isn't so optimized that we have to trade one for the other, we can both increase security and ease of use.



