If SMS is not encrypted, why do companies send 2FA over text instead of email or something else?


Couldn’t someone intercept the text and get into my account?


26 Answers

Anonymous 0 Comments

Yes. 2FA over SMS is extremely insecure. It’s just that many companies can’t be bothered to do something else.

Anonymous 0 Comments

As mentioned in another comment, SMS isn’t as secure as a dedicated authenticator app. But it has a couple of advantages.
– Not everyone has a smartphone, and so can’t install a dedicated app.
– Authenticator apps can be a pain when you move to a new device. Some will transfer over, others may not. SMS doesn’t have this problem.
– Almost everyone knows how SMS works; authenticator apps are a bit more complex. Less technically-minded people may have trouble installing, setting up, and transferring codes.
– Even with SMS being less secure, it’s still more secure than nothing at all. Every extra layer or step the attacker has to go through decreases your chance of getting compromised. It’s just not the best step to take.
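
To make the comparison in the answer above concrete, here is an added example (not code from the original post or from any particular vendor) of what an authenticator app actually does: it derives a TOTP code (RFC 6238) locally from a shared secret and the current time, so no code ever crosses the phone network. The secret shown is the RFC 6238 reference test key, and `issuer`/`account` in the provisioning URI are placeholder values; the "moving to a new device" problem from the answer is simply the problem of carrying that secret over.

```python
import base64
import hashlib
import hmac
import struct
import time
from urllib.parse import quote

# RFC 6238 reference secret (ASCII "12345678901234567890"), base32-encoded.
# This is a published test vector, not a real account secret.
TEST_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def totp(secret_b32, for_time=None, step=30, digits=6, algo=hashlib.sha1):
    """Compute a TOTP code from a base32 secret and a Unix timestamp (RFC 6238)."""
    padded = secret_b32.upper() + "=" * (-len(secret_b32) % 8)
    key = base64.b32decode(padded)
    now = time.time() if for_time is None else for_time
    counter = int(now // step)                       # time step since epoch
    msg = struct.pack(">Q", counter)                 # 8-byte big-endian counter
    digest = hmac.new(key, msg, algo).digest()
    offset = digest[-1] & 0x0F                       # dynamic truncation (RFC 4226)
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % (10 ** digits):0{digits}d}"


def verify(secret_b32, candidate, now=None, window=1, step=30, digits=6):
    """Accept a code from the current step or +/- `window` steps (clock skew).

    Uses a constant-time comparison so the check does not leak which digits matched.
    """
    now = time.time() if now is None else now
    for drift in range(-window, window + 1):
        expected = totp(secret_b32, now + drift * step, step=step, digits=digits)
        if hmac.compare_digest(expected, candidate):
            return True
    return False


def provisioning_uri(issuer, account, secret_b32, digits=6, step=30):
    """The otpauth:// URI an app scans from a QR code; this is the thing to back up
    or migrate when changing phones (issuer/account here are placeholders)."""
    label = quote(f"{issuer}:{account}")
    return (f"otpauth://totp/{label}?secret={secret_b32}"
            f"&issuer={quote(issuer)}&algorithm=SHA1&digits={digits}&period={step}")


if __name__ == "__main__":
    # RFC 6238 vector: T=59 with 8 digits yields 94287082.
    print(totp(TEST_SECRET_B32, for_time=59, digits=8))
    print(provisioning_uri("ExampleCorp", "alice@example.com", TEST_SECRET_B32))
```

Because both sides compute the code from the same secret, the only transmissions that matter are the one-time secret at enrollment and the code the user types at login; a SIM swap or SS7 intercept gets an attacker nothing.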

Anonymous 0 Comments

While “insecure” alone, when combined with username and password, it’s 10,000x more secure than just username and password.

If you steal a password, you still need to compromise a whole additional technology.

Anonymous 0 Comments

Not what you are asking but what makes you think email is encrypted and hence would be a better choice? (Ok, it can be encrypted between mail servers but it’s far from guaranteed)

Anonymous 0 Comments

You could; the SS7 network is a very insecure one. Once you are added as a trusted node you could spoof an active phone to get the SMS message.
Thing is, it doesn’t give you the username or password. Some recent hacks also involved attackers who just spammed an admin with MFA (app) prompts until they accepted.
In a certain way SMS is safer, because this attack is not possible via SMS.

Anonymous 0 Comments

There’s a couple things here.

First, SMS isn’t end-to-end encrypted, but it is encrypted over-the-air. An attacker with a radio can’t just intercept your SMS messages. It can be intercepted by your carrier, someone who’s hacked the carrier, or someone using a stingray (e.g. the police) who’s convinced your phone to connect.

Second, “2FA” literally means “second factor authentication” — there’s already been another factor used to initiate this action, which is usually a username+password.

This means to successfully attack a user’s account on a service using 2FA:

1. The attacker needs to know the username and password
2. The attacker has to have inside access to the carrier’s network equipment OR the attacker has to have a stingray and be nearby to have your phone connect to it

This significantly reduces the chance of a successful attack.

The real problem with SMS 2FA:

* SIM swaps are too easy — this is where someone basically steals your phone number by pretending to be you and getting the number transferred to their own device. Sometimes this is social engineering, sometimes it’s via an insider working for the phone company, sometimes it’s hacking the carrier.
* Too many places don’t actually use this as a “second” factor, especially for password resets. The most common exploit is an attacker starts a password reset request, verifies the SMS (usually via SIM swap but could also be another hack), and then sets the password to whatever they want, and now own the account. In the case of an account take-over, they’ll change the SMS and/or email address to ones they control and you’re totally locked out.
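
The second bullet above is the one most worth seeing in code. Below is an added example (not from the original post, and not any real service’s implementation) of a password-reset flow that treats the SMS code as the only proof of identity, next to a hardened version that treats it as a genuine second factor by also requiring a token delivered to the registered e-mail address. The user store, the SMS and e-mail “inboxes”, and the names (`alice`, `+15550100`, `alice@example.com`) are constructed stand-ins; the simulation models a SIM swap as the attacker being able to read the victim’s SMS inbox but not their e-mail.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass


@dataclass
class User:
    username: str
    phone: str
    email: str
    password_hash: str


# Constructed in-memory stand-ins for the delivery channels and reset state.
SMS_INBOX: dict = {}     # phone number -> list of codes "sent" to it
EMAIL_INBOX: dict = {}   # e-mail address -> list of tokens "sent" to it
PENDING: dict = {}       # username -> {"sms", "email", "exp", "tries"}

OTP_TTL_SECONDS = 300
MAX_OTP_ATTEMPTS = 5     # stops brute-forcing a 6-digit code


def hash_pw(pw):
    # Placeholder for the example only; use argon2/bcrypt/scrypt in real code.
    return hashlib.sha256(pw.encode()).hexdigest()


def start_reset(users, username):
    """Issue a 6-digit SMS code and a long e-mail token for a reset request."""
    u = users[username]
    code = f"{secrets.randbelow(10 ** 6):06d}"
    token = secrets.token_urlsafe(32)
    PENDING[username] = {"sms": code, "email": token,
                         "exp": time.time() + OTP_TTL_SECONDS, "tries": 0}
    SMS_INBOX.setdefault(u.phone, []).append(code)
    EMAIL_INBOX.setdefault(u.email, []).append(token)


def _check_sms(username, code):
    """Constant-time check of the SMS code with expiry and an attempt limit."""
    p = PENDING.get(username)
    if p is None or time.time() > p["exp"]:
        return False
    p["tries"] += 1
    if p["tries"] > MAX_OTP_ATTEMPTS:
        del PENDING[username]          # too many guesses: invalidate the request
        return False
    return hmac.compare_digest(p["sms"], code)


def reset_sms_only(users, username, sms_code, new_pw):
    """VULNERABLE pattern: whoever receives the SMS owns the account."""
    if not _check_sms(username, sms_code):
        return False
    users[username].password_hash = hash_pw(new_pw)
    del PENDING[username]
    return True


def reset_hardened(users, username, sms_code, email_token, new_pw):
    """SMS is a SECOND factor: the reset also needs the token from the e-mail channel."""
    p = PENDING.get(username)
    if p is None or not hmac.compare_digest(p["email"], email_token):
        return False
    if not _check_sms(username, sms_code):
        return False
    users[username].password_hash = hash_pw(new_pw)
    del PENDING[username]
    return True


def simulate_sim_swap():
    """Attacker holds Alice's phone number (reads SMS_INBOX) but not her e-mail."""
    users = {"alice": User("alice", "+15550100", "alice@example.com", hash_pw("correct horse"))}

    start_reset(users, "alice")
    stolen_code = SMS_INBOX["+15550100"][-1]
    weak_flow_succeeds = reset_sms_only(users, "alice", stolen_code, "attacker-pw")

    start_reset(users, "alice")
    stolen_code = SMS_INBOX["+15550100"][-1]
    hard_flow_succeeds = reset_hardened(users, "alice", stolen_code, "guessed-token", "attacker-pw")
    return weak_flow_succeeds, hard_flow_succeeds


if __name__ == "__main__":
    print(simulate_sim_swap())   # (True, False)
```

The hardened flow is not magic: an attacker who controls both the phone number and the mailbox still wins, which is why the answer’s point about attackers swapping the recovery contacts after a takeover matters. Real services usually add a cooling-off period before recovery contacts can be changed and notify the old contact.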

Anonymous 0 Comments

To add to other people’s comments, if someone already has your SMS spoofed, there’s already little that your 2FA can protect you from, as they can go from there to get access to a lot of things.

Anonymous 0 Comments

SMS is mostly secure enough, and there are significant convenience and simplicity advantages. The 2FA is, after all, the second factor; a hypothetical attacker would still have to know your password and be physically near you with a mobile sniffer when you get the SMS. Realistically, it’s not much of a security concern.

But of course, there are better methods that don’t have this vulnerability and they do get used. Authenticator apps are pretty good, physical security tokens are even better, physical security tokens with biometric locks are the best you can reasonably get. Does remote access really need to be allowed? Requirement of onsite presence in a secured area and proof of identity is more secure. How much security do you need? At the end of the day, you are still vulnerable to [pipe wrench cryptoanalysis](https://xkcd.com/538/)

Anonymous 0 Comments

Security is all about a combination of the value of your stuff, who is trying to get you, and convenience. For most people SMS is optimum. But if you are trying to hide something very valuable that a government like China or Russia is interested in, SMS is a joke!

Anonymous 0 Comments

It happens and SMS is considered the weakest form of 2FA, but it’s still better than no 2FA.