The UNIX and Linux Forums  
Forum: Security > IT Security RSS

#1  Posted 05-29-2008 by iBot (Forum Robot Girl; Join Date: Sep 2000; Posts: 22,137)

Reducing Risk Versus Eliminating Risk

IT security professionals are sometimes so passionate about the technical details of a vulnerability that they accidentally lose sight of the benefits of the principles of risk management.
Sometimes the passion of discussing the details of a vulnerability overshadows the cost-benefits of risk reduction when passionate people strive for total risk elimination. For example, consider the example of using an SMS-based implementation for two-factor authentication (2FA) with one-time password (OTP) combined with a transaction verification message (TVM). There are folks who rightfully argue that 2FA/OTP is vulnerable to a knowledgeable threat agent executing a man-in-the-middle (MITM) attack.
One of the more advanced banks I am familiar with uses SMS-based 2FA/OTP combined with SMS TVMs that detail the individual transactions. The mobile phone number cannot be changed on-line and requires a face-to-face meeting with proper identification, so arguments that an attacker simply logs in and changes the mobile number are without merit. There are folks who might argue that SMS-based 2FA is vulnerable to SIM cloning and mobile phone theft. Others passionately argue that a sophisticated MITM attack can compromise 2FA.
Regardless of the passion of the argument, SMS-based 2FA/OTP/TVM has cost-effectively reduced risk for many organizations that depend upon on-line transactions in their business model. Is the risk totally eliminated? No! Given enough sophistication, or certain scenarios, most controls can be defeated. The point of this example is to illustrate the importance of cost-effective risk management and risk reduction principles versus focusing on vulnerabilities from a risk elimination perspective.
Is SMS-based 2FA/OTP/TVM a "perfect solution"?
Of course, the answer is "No."
However, properly implemented cost-effective controls, such as the example in this post, can and do cost-effectively reduce risk for many organizations. Therefore, I often advise IT security professionals not to permit the passion for risk elimination to cloud the cost-benefits of solid risk management principles.


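The following is an added worked example, not code from the post above or from the bank it describes. It models the control the post discusses (an SMS carrying a one-time code plus a transaction verification message that details the transfer) and runs it against the MITM cases the post alludes to: an attacker rewriting the request before the bank sees it, an attacker swapping the transaction after the customer has entered a valid code, and a replay of a used code. Everything here is constructed: the secret, the session ids, the sample transactions, the HMAC-based code derivation and the `TransactionServer` class are assumptions for illustration. The post says only that the TVM details the transaction for the customer to read; cryptographically binding the code to that TVM text (`bind_to_transaction=True`) is an assumed strengthening that the post does not describe, shown beside the plain OTP so the difference is visible.

```python
import hmac
import hashlib
import secrets

# Constructed for this example: a per-user secret that would live on the bank's
# side (in practice in an HSM or a keyed OTP service). Not from the original post.
USER_SECRET = b"constructed-example-secret-do-not-use"


def transaction_message(tx):
    """Text of the transaction verification message (TVM) delivered by SMS."""
    return f"Pay {tx['amount']} {tx['currency']} to {tx['payee']}, ref {tx['ref']}"


def six_digits(mac):
    """Truncate an HMAC digest to a six-digit code, as SMS OTPs usually are."""
    return f"{int.from_bytes(mac[:4], 'big') % 10**6:06d}"


def naive_otp(secret, nonce):
    """Plain OTP: depends only on the session nonce, not on what is being authorised."""
    return six_digits(hmac.new(secret, nonce, hashlib.sha256).digest())


def bound_otp(secret, nonce, tx):
    """Assumed strengthening: the code is keyed over nonce AND the TVM text,
    so it verifies only for the exact transaction the customer read."""
    data = nonce + transaction_message(tx).encode()
    return six_digits(hmac.new(secret, data, hashlib.sha256).digest())


class TransactionServer:
    """Bank side: one SMS (TVM + code) per pending transaction, single-use nonce."""

    def __init__(self, secret, bind_to_transaction=True):
        self.secret = secret
        self.bind = bind_to_transaction
        self.pending = {}  # session id -> (nonce, transaction as the bank saw it)

    def _code(self, nonce, tx):
        return bound_otp(self.secret, nonce, tx) if self.bind else naive_otp(self.secret, nonce)

    def start(self, session, tx):
        """Record the transaction and return the SMS text the customer receives out of band."""
        nonce = secrets.token_bytes(16)
        self.pending[session] = (nonce, tx)
        return f"{transaction_message(tx)}. Code: {self._code(nonce, tx)}"

    def confirm(self, session, tx, code):
        """Execute only if the code matches the submitted transaction; a nonce is consumed on first use."""
        if session not in self.pending:
            return False
        nonce, _ = self.pending.pop(session)
        return hmac.compare_digest(self._code(nonce, tx), code)


def customer_reads_sms(sms, intended_tx):
    """The human control the post relies on: the customer compares the TVM with what they meant to do."""
    return sms.rsplit(". Code: ", 1)[0] == transaction_message(intended_tx)


def code_from_sms(sms):
    return sms.rsplit("Code: ", 1)[1]


def run_scenarios(bind_to_transaction):
    """Honest flow, MITM altering the request, MITM altering the confirmation, replay."""
    legit = {"amount": "100.00", "currency": "USD", "payee": "ACME Utilities", "ref": "INV-1"}
    evil = {"amount": "5000.00", "currency": "USD", "payee": "Mule Account", "ref": "INV-1"}
    results = {}

    # 1. Honest session: customer reads a matching TVM and enters the code.
    srv = TransactionServer(USER_SECRET, bind_to_transaction)
    sms = srv.start("s1", legit)
    results["legit_executes"] = customer_reads_sms(sms, legit) and srv.confirm("s1", legit, code_from_sms(sms))

    # 2. MITM rewrites the request before it reaches the bank. The TVM now describes
    #    the attacker's transfer, so an attentive customer refuses to enter the code.
    srv = TransactionServer(USER_SECRET, bind_to_transaction)
    sms = srv.start("s2", evil)
    results["tvm_reveals_tampering"] = not customer_reads_sms(sms, legit)

    # 3. MITM forwards the honest request so the customer sees a correct TVM, then
    #    submits the attacker's transfer together with the customer's code.
    srv = TransactionServer(USER_SECRET, bind_to_transaction)
    sms = srv.start("s3", legit)
    results["mitm_swap_executes"] = srv.confirm("s3", evil, code_from_sms(sms))

    # 4. Replay of an already consumed code.
    srv = TransactionServer(USER_SECRET, bind_to_transaction)
    sms = srv.start("s4", legit)
    srv.confirm("s4", legit, code_from_sms(sms))
    results["replay_executes"] = srv.confirm("s4", legit, code_from_sms(sms))
    return results


if __name__ == "__main__":
    for bind in (False, True):
        print("bound to transaction" if bind else "plain OTP", run_scenarios(bind))
```

Run with the plain OTP and scenario 3 succeeds for the attacker, which is the MITM case the post's critics have in mind; with the code bound to the TVM text it fails, and scenario 2 is caught either way, but only if the customer actually reads the message. Neither setting does anything about SIM cloning or a stolen handset, so the residual risk the post acknowledges is visible in what the model does not cover.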
Powered by: vBulletin, Copyright ©2000 - 2006, Jelsoft Enterprises Limited. The UNIX and Linux Forums Content Copyright ©1993-2009. All Rights Reserved.