
> Walk into a store and provide a government ID and the original SIM card.

This is how it has worked in Poland since September 2019, after some recent SIM-swap attacks. You can swap a SIM or get a replacement if stolen only at a store, showing a government ID. It is free of charge with Orange and not always free with T-Mobile.

But this has some downsides in real life.

1) I had to walk my 88 yo Mom to the store to swap the SIM card.

2) Every clerk at every shop can do that, so for a determined criminal it is possible to bribe or threaten one.

3) Virtual operators (MVNOs) usually do not have physical locations, and there are a dozen of them.




The problem is that the ID is still checked by the clerk. They could be bribed or tricked by a fake ID.

A recovery code snail-mailed/e-mailed to the account holder when they first open the account is the correct way to go, and if they can't provide it they need to go through a lengthy process where many factors are used to authenticate them (verify their physical address, verify their ID, ask to confirm last call records, billing details, etc).


You can require the clerk to note the document ID to avoid bribery.


How would this work exactly?


The clerk has to use some kind of online system to connect the new SIM to the customer's phone number. The system would obviously require the clerk to authenticate himself and could require him to enter the passport number or other document ID he checked to verify the customer's identity.

If later it turns out this was a SIM swapping attack, you can verify whether the clerk entered a valid document ID. He can’t do that without having been presented a proper document, so you can tell if he checked.


It's just convenience over security. A lot of things can be done, but then there is the extra burden that companies have to go through. Consider that people don't use app-based authentication because it's inconvenient, even though it matters to them. How can you expect carriers to do it?


That’s easy, just make the carrier financially liable for the damages caused by SIM swapping attacks.


Ah, thanks.

I wasn't sure how you would solve the problem of verifying the ID card without showing the previously recorded number to the clerk. But simply requiring that the ID be punched in every time (and maybe scanning the whole card to check the photo later) could work, if the system only returns a big OK or BAD signal.

Currently here, in Hungary, the clerks just photocopy the IDs though. And there was a big scandal a few years ago (in connection with the ISIL/ISIS attacks in the EU) about some groups obtaining hundreds of thousands of SIMs for just a few names.
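
Added example, not part of any comment in this thread and not any carrier's real system: a sketch of the scheme discussed in the comments above, where the clerk types in the document ID, the system answers only OK or BAD, and every attempt is logged against the clerk for later review. All names, the keyed digest and the lockout limit are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
import time

# Assumption: a server-side key the clerk terminal never sees.
SERVER_KEY = secrets.token_bytes(32)
MAX_BAD_ATTEMPTS = 3  # assumption: after this, the number goes to manual review


def _digest(doc_id: str) -> bytes:
    """Keyed digest of a normalized document ID, so the raw ID is not stored."""
    normalized = "".join(doc_id.split()).upper()
    return hmac.new(SERVER_KEY, normalized.encode(), hashlib.sha256).digest()


class SwapDesk:
    def __init__(self):
        self._enrolled = {}   # phone number -> digest recorded at account opening
        self.audit_log = []   # one entry per attempt, for later fraud review

    def enroll(self, number: str, doc_id: str) -> None:
        self._enrolled[number] = _digest(doc_id)

    def request_swap(self, clerk_id: str, number: str, entered_doc_id: str) -> str:
        """Return only OK, BAD or LOCKED; never reveal the recorded ID."""
        bad = sum(1 for e in self.audit_log
                  if e["number"] == number and e["result"] == "BAD")
        entered = _digest(entered_doc_id)
        expected = self._enrolled.get(number)
        if bad >= MAX_BAD_ATTEMPTS:
            result = "LOCKED"
        elif expected is not None and hmac.compare_digest(expected, entered):
            result = "OK"
        else:
            result = "BAD"
        self.audit_log.append({"time": time.time(), "clerk": clerk_id,
                               "number": number, "result": result,
                               "entered_digest": entered.hex()})
        return result


if __name__ == "__main__":
    desk = SwapDesk()
    desk.enroll("+48000000000", "ABC 123456")  # constructed sample values
    print(desk.request_swap("clerk-17", "+48000000000", "abc123456"))
    print(desk.request_swap("clerk-17", "+48000000000", "XYZ000000"))
```

The lockout keeps a clerk from guessing the ID by repeated tries, and the logged digest lets a later review check whether the value the clerk entered matched the enrolled document.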


On your second point, a determined criminal could always deploy rubber-hose cryptanalysis on a 2-factor authentication scheme, but it's still a significant improvement.

Your first drawback is substantial, though.


> criminal could always deploy rubber-hose cryptanalysis

That would be a smart criminal with means. I was thinking more of a hood with a fat neck passing $20 to a clerk assistant to obtain a SIM for a $5k fraud.


Or like the recent case where it's alleged that carrier employees were actually in on SIM swap scams.

https://arstechnica.com/tech-policy/2019/10/att-employees-he...


The clerk is looking at the ID and comparing it with data in the system. If bribed, he can always claim that the ID looked legit or that he made an honest mistake.

So easy for evildoers and so much friction for law-abiding customers.


I think most people fail to realize that excellent fake IDs cost like $50. (A tad more in the EU because of the lower drinking age)


If you make the carrier liable for damages in case of fraud, there would be a process to mitigate the risk from one bad actor. Like the bank requires manager approval for certain high-risk transactions like international wires.


Too long of a moon shot. Generally the T&C are limited to actual loss, like you lost your internet for 2 days so they'll reimburse you for 2 days of bill but not if you lost a business deal. Similarly, in the case of an airline, if you missed your game, they're not responsible for the game tickets.



