I used to work for a big public organisation, we had numerous SMS providers over the years. Most of them used HTTP (notice the lacking S) as the protocol and accepted simple POST actions with a key in the header (for everyone listening to read). When I left the service we used the most had moved to HTTPS by our request, but functioned the same way and was essentially bruteforceable because our password was 4 characters long and there was no limit on the service. I left in 2021.
I don’t think security is necessarily the most important thing to these companies.
I don’t think security is necessarily the most important thing to these companies.