
Reddit could require users to associate a mobile number with their account and use an SMS to validate. Zelle (the payment network) performs fraud validation using your mobile number as a signal, for example (using a Google Voice, Twilio, or similar virtual number will cause onboarding to fail).



A prepaid SIM card is $5.

There are also now services that do this for you so you don't even have to buy the SIM card yourself. They add some new phone numbers every day and publish the numbers along with every SMS they receive on a public site with ads on it. The "higher end" ones give you your own personal throwaway phone number but then you have to pay the $5.

This means sites should immediately stop using this verification method because it obviously isn't going to stop adversaries with even trivial resources, and the security implications of encouraging vulnerable populations to use random sites like that are hugely bad.

SMS verification is also ridiculous to begin with because phone numbers get recycled quickly and users should neither lose their account just because their phone number changed nor have some stranger enabled to steal it.


This is a poor argument against a mechanism which clearly has both a cost and time component against an attacker. Of course you're not going to subvert attackers with enormous resources, but you will slow down most of them and it is cheap to implement (both upfront and for ongoing SMS costs).


What cost and time component? They go to a website like this (this is not an endorsement, the security of doing this is terrible):

https://receive-smss.com/

It costs zero dollars and takes the same amount of time as the SMS verification would on a regular phone. If the sign-up site is continuously vigilant enough to find and prohibit every number on every one of these sites (not so cheap to implement) then there are sites that give you immediate access to a non-published number for $5. Even this is not "enormous resources" by any means.

But the even bigger implementation cost is that there are many people who don't have a personal cell phone number to receive SMS, and you're either disenfranchising them or pushing them to use sites like that which obviously allow anybody to see the verification codes sent to the phone number which is now associated with their account.

> A significant amount of online properties use SMS for 2FA and authentication

Using SMS for optional 2FA is a mediocre security practice but is mostly harmless (because people can opt out; though it still makes it possible to lose your account if you use it, your number changes and then the site requires you to authenticate with it).

Using it for mandatory 2FA has the problems discussed.

But I also want to point out that actual major sites exist that use SMS as the sole and mandatory authentication factor, and they are very powerfully incompetent.


As if people won't complain about that, especially if they want a throwaway identity.



