I'm a strong believer in solving problems at the single point of failure. If you solve it at the Twitter level, what about any other internet/cloud based service that is designed just like Twitter? It would still be a problem. If you solve it at the phone company level, all the companies that operate like Twitter are protected.

Even better still, solve it at both levels, but definitely don't let phone companies off the hook.

Yeah, I think it should be solved in both places TBH. Defense in depth.

But it won't happen because people are dumb and don't care about the issue until the exact moment it bites. This basically applies to every security problem: everything is perpetually broken and therefore nefarious actors can always find a way to achieve their goals. Most people's best defence is to not have any enemies.

Being serious, I don't think waiting 72 hours for a SIM number port is an inconvenience.

IF you lose your phone & SIM inside it, you need to go to the store anyway, or have a new phone sent by post (takes a few days usually). One of these things has to happen! You need a new phone!

So what we are adding here is a 72 hour wait for the number port. In the meantime you have a temporary number.

Govt should legislate to make precautions like this compulsory, or to create incentives for good security like steep fines against the phone company for simjacking, together with private red teams probing phone corp's security in this regard and claiming part of the fine.