Sounds expensive. I already pay ~$1/month in SMS fees for TFA on my Google account. If it cost me $0.20 every time I fatfingered my password, I would probably stop using your service. What's worse, attack #3 would cost the victim even more money, and it's one thing to get charged for your own screwups. It's another thing altogether to get charged for somebody else trying to hack you.