Double authentication
Message
From
28/10/2022 00:15:27
Lutz Scheffler (Online)
Lutz Scheffler Software Ingenieurbüro
Dresden, Germany
 
 
To
27/10/2022 22:35:30
John Ryan
Captain-Cooker Appreciation Society
Taumata Whakatangi ..., New Zealand
General information
Forum:
Visual FoxPro
Category:
Coding, syntax & commands
Miscellaneous
Thread ID:
01685148
Message ID:
01685169
Views:
47
>Hi Denis,
>
>>>I send SMS with 6 digit code.
>>>In the enterprise it's established that the users will have to apply a change to the code before entering it in a textbox.
>>>So for example if the code I send is "348825" user knows that the changes necessary are "++--45"
>>>...
>
>Security firms and even Microsoft have started recommending against SMS because there are quite a few demonstrated hacks - e.g. https://www.vice.com/en/article/y3g8wb/hacker-got-my-texts-16-dollars-sakari-netnumber but also SS7 exploits that can be undetectable, supply chain attacks... the list goes on.
>
>It's also a problem that many devices preview incoming SMS on the lock screen, so a texted code may be briefly visible even if the phone is locked. Your additional transformation will certainly confound an external hacker, but any current or ex-employee must know the transformation so that ongoing obscurity isn't certain.
>
>Check my 2FA post today: Message #01685145. It describes a TOTP 2FA that doesn't need cellphone numbers or email addresses, instead a validation code that changes every 30 seconds and never gets transmitted off its device, so can't be intercepted or diverted.
>
>Since you've already got the 6-digit validation code entry for your current system, you could easily make this an option#2 for customers that a) is free, b) doesn't require list maintenance of user cellphone numbers and c) doesn't rely on mobile or internet access for the paired device.

PayPal is using SMS, my bank too. This fuss about insecure SMS is Google marketing. SMS is only odd because sending SMS becomes more and more a costly problem.
Words are given to man to enable him to conceal his true feelings.
Charles Maurice de Talleyrand-Périgord

Weeks of programming can save you hours of planning.


There is no place like [::1]