Should the average user with no special access rights be worried about SMS-based 2FA being theoretically interceptable?

There is no real concept of an "average user with no special access rights". From the perspective of an attacker the main point is whether the effort needed for an attack is less than the gain of the attack. Even an "average user" might have crypto wallets or precious twitter accounts. Sometimes the gain of an attack is also not that obvious, like when a seemingly unimportant target is hacked as the initial step in a larger delivery chain attack against a more precious and better protected target.

For some examples of successful attacks see

  • My SIM swap attack: How I almost lost $71K, and how to prevent it
  • Here's how I survived a SIM swap attack after T-Mobile failed me - twice
  • SIM swap horror story: I've lost decades of data and Google won't lift a finger

Like many things, there is a tiny bit of truth in there, but overall it is a non-issue in practice and incidents are reported/perceived totally out of perspective.
Most stuff, including every new system that comes up every few months and that completely obsoletes everything else, is usually based on personal financial interests, dogma, belief, and snake oil. So, recently, SMS-TAN was obsoleted. And the world didn't stop.

How dare I say it's a non-issue? There's some very real security breaches!

First of all, it's two factor authentication. Which means that any amount of TANs sent in the SMS is completely worthless if the mark hasn't already given away their password or such (which is usually the first factor).
Without providing the first factor, you do not even get to trigger the SMS to be sent. If the legitimate account owner triggered it, then he is currently in the process of logging in, i.e. he has a TLS connection going. The TAN won't work for anything but for the action it was triggered for either, so it's not really useful for much.

You eavesdrop my SMS? Well go ahead. What are you going to do? Unless you also have a gun so you can force me to step away from the keyboard, or you can spoof my IP address and have subverted TLS so much that you can successfully take over the connection (really, WTF? who do we defend against in this threat model?), there is not much you can do. I mean, there's reasonable things to expect, and unreasonable things. Do I need to defend against the possibility of a 2 km large meteor hitting my house? If someone can take over my TLS connection, then I have more serious problems than SMS being interceptable.

Unless of course it was you who initiated the SMS-TAN in the first place, which means you must already know my password.

So a reddit sysadmin gave away his admin password or had such a pathetically bad password that it was easy to social-engineer. Or something else that is outright face-palm scary, whatever. Took a girl he met in the bar the night before to his workplace to impress her, logged in, and walked away? Something like that?
Wow, clearly the fact that SMS can be intercepted was the problem!

SMS 2FA is the same as every other 2FA. It is a little extra hurdle that an attacker has to take, once they have the first factor. It's not much, but it's better than nothing. For the casual attacker on a random target, that little extra makes the difference between "doable" and "not doable". For example, you may get to know my Google password by chance, but you do not know my phone number (or where I even live). So, technical difficulties aside, how are you going to intercept my SMS at all?

Will 2FA stop a targeted attack by a determined attacker? Well no, it probably won't. But what will? I can always tie your girlfriend to a chair and have you watch me cut off fingers until you perform the authentication. Make it five factor authentication if you will, it won't take more than two or three fingers.

On the basis that SMS-TAN is insecure, my bank replaced TAN via SMS with a totally insecure pair of custom-made apps that will allow a transaction to be initiated, and confirmed, without ever a password or such being entered. Android's biometry API telling it "yeah, OK" is enough. It's been demonstrated that facial recognition is easy to trick.
So yeah, this is definitely so much better and more secure than having to enter a password over TLS (which is stored in Keepass) and to receive a TAN via SMS, which is worthless to anyone else.

The simple truth is, sending SMS-TAN costs money, and that stupid little app doesn't...
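The property the answer above relies on (no SMS without the first factor, and a TAN that is useless for anything but the action it was triggered for) can be made concrete on the server side. This is an added illustration, not code from the answer or from any bank; the session store, the fake clock, the "sess-alice"/"sess-eve" session ids and the transfer record are all constructed for the example.

```python
import hashlib
import hmac
import secrets

TAN_TTL_SECONDS = 300  # constructed value: a TAN lives five minutes

def action_digest(action):
    """Canonical hash of the action the TAN authorises (e.g. one transfer)."""
    canonical = "|".join(f"{k}={action[k]}" for k in sorted(action))
    return hashlib.sha256(canonical.encode()).hexdigest()

class TanService:
    """Server side of an action-bound SMS TAN; `sessions` (session_id -> user)
    holds only sessions whose first factor, the password, was already checked."""

    def __init__(self, sessions, clock):
        self._sessions, self._clock, self._pending = sessions, clock, {}

    def request_tan(self, session_id, action):
        """Return the 6-digit TAN to 'send' by SMS, or None: no first factor, no SMS."""
        if session_id not in self._sessions:
            return None
        tan = f"{secrets.randbelow(10**6):06d}"
        self._pending[session_id] = (tan, action_digest(action), self._clock() + TAN_TTL_SECONDS)
        return tan

    def confirm(self, session_id, action, tan):
        """True only from the triggering session, same action, before expiry, once."""
        entry = self._pending.pop(session_id, None)
        if entry is None:
            return False
        issued_tan, bound_digest, expires = entry
        return (self._clock() <= expires and hmac.compare_digest(issued_tan, tan)
                and hmac.compare_digest(bound_digest, action_digest(action)))

def demo():
    """Eavesdropper scenarios on a fake clock; returns each outcome by name."""
    now = [1000.0]
    svc = TanService({"sess-alice": "alice"}, clock=lambda: now[0])
    transfer = {"to": "IBAN-PLACEHOLDER", "amount": "100.00"}  # constructed
    out = {"eve_can_trigger": svc.request_tan("sess-eve", transfer) is not None}
    tan = svc.request_tan("sess-alice", transfer)  # Alice, logged in, triggers it
    out["eve_replays_tan"] = svc.confirm("sess-eve", transfer, tan)  # intercepted
    out["alice_confirms"] = svc.confirm("sess-alice", transfer, tan)
    tan = svc.request_tan("sess-alice", transfer)
    out["other_action"] = svc.confirm("sess-alice", dict(transfer, amount="9000"), tan)
    tan = svc.request_tan("sess-alice", transfer)
    now[0] += TAN_TTL_SECONDS + 1  # Alice waited too long
    out["expired"] = svc.confirm("sess-alice", transfer, tan)
    return out
```

Because the pending TAN is keyed by the authenticated session and bound to a digest of the action, an intercepted code confirms nothing from another session and nothing but the original action.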


"Should I worry?" is not a technical question; you can worry about anything you want. For Information Security purposes it is more helpful to consider specific threats, balancing their probability and risk against cost and inconvenience.

A different question you could ask is whether SMS 2FA is sufficient mitigation against criminal teams working on mass harvesting of credentials (and, for example, posting them for sale on the dark net). The answer to that is: yeah, it's pretty good. Even if they were able to obtain a 2FA SMS code, it would not have any resale value since it is only good for a few minutes. So in terms of criminal networks reselling credentials, it is a decent mitigation. That is one kind of threat.

Another kind of threat is a criminal team or malicious user targeting you as an individual and in real time. In that scenario, SMS is completely inadequate, for reasons that I think you already understand. It is much too easy to get that code if they have the necessary resources.

That being said, NIST, FFIEC, PCI, ISO-27001, and other forms of security regulation/compliance/guidance are all moving away from SMS 2FA in favor of other options that are becoming more available as the technology evolves. But the public will take time to catch up. Heck, 90% of Gmail users don't use any 2FA, let alone a SecurID token! That is why SMS two factor authentication isn't perfect, but you should still use it.