Couldn't we shift the fault back a step? If it's so easy to SIM swap people, shouldn't the telecoms be liable for damages to their customers in the event of a SIM swap?
i am not entirely sure i fully agree. telecoms never sold us a service to authenticate us to 3rd parties. those 3rd parties did bolt it on top of an arguably insecure message transmission system. it wasn't meant to be used like this and maybe it's even a bad idea to use it like that. the assumption only you yourself could receive these codes because you are authenticated against your mobile network provider might just be wrong here.
of course, letting the actual sim swapping attack work is an issue they should be required to solve. but for entirely different reasons. once you are authenticated to their network you can cause substantial costs for the real owner of the contract for example and those costs would definitely be compensated to their clients if this happens without their involvement. but if your assumptions break because of this issue your assumptions are wrong in my opinion and you would be the one to blame.
a simple analogy here could be you park your car in front of a police station, because nobody would dare to steal your car right in front of the police right? but then your car still gets stolen and you think you should try to sue the police because that just happened.
on the other hand coinbase did make that assumption and has been proven wrong in this way. they did bet on using the telcos' messaging systems being secure enough to be used for authentication. that did not work out and this caused people to lose money which should be compensated for, by coinbase, because they decided to do that and not the telecoms.
I agree - you are right, we absolutely should. But if customers are using Coinbase, and people sue and get successful judgments against Coinbase for using insecure authentication media, then maybe Coinbase can go ahead and initiate lawsuits against the telecoms if they are feeling the heat.
Consumer complaints against ISPs/telecoms have been notoriously slow, unresolved with no real improvements - even before the creature Ajit Pai crawled out from under his rock, shockingly enough.