Design flaws related to SS7 has been known to us for quite a while now but telcos have conveniently discarded the arguments saying that the risk is too low due to the significant investments required for performing the attack. But considering the recent news that hackers have performed a real world SS7 attack to bypass 2FA and siphon off funds, it is pretty clear that the return of investment in these attacks will cover for the costs.
Should we, as application developers and pen testers consider SMS based 2FA as a weakness?