Hacker News

tlb, yesterday at 1:58 PM (4 replies)

I wonder what the companies requiring 2FA think about uncompleted 2FA bounces. Deterred fraudster? Short attention span? SMS sucks?


Replies

vbezhenar, yesterday at 2:13 PM

Every second SMS authorization does not reach my phone. Just yesterday I couldn't log in to my GitHub from a new computer, because my phone did not receive the authentication code. I didn't have any bans because of that. I think that a lot of people experience similar problems, so it makes no sense to look for fraudsters; 99.9999% will be false negatives.

justin_oaks, yesterday at 6:28 PM

I implemented 2FA at a previous job and I was responsible for the production implementation working as expected. My thoughts were that uncompleted 2FA attempts are common for a number of reasons: typos, someone gets distracted, didn't have access to their phone at the time, SMS sucks (either our sending side or the receiving side), etc. I didn't put much thought into it beyond that. (Should I?)

I implemented rate limiting/lockouts for too many 2FA failures. I added the ability to clear the failed attempt count in our customer support portal. If we had any problems after those were implemented, I never heard about them.
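One way to implement the failure counting, lockout and support-side reset that the comment above describes, as an added example that is not the commenter's code. The policy numbers (5 failures, 15-minute lockout, 5-minute code lifetime) and the `TwoFactorGate` class are assumptions; abandoned challenges are deliberately not counted as failures, which is the distinction the thread is about.

```python
import hmac
import time

# Constructed policy values; the thread gives no specific numbers.
MAX_FAILURES = 5           # wrong codes allowed before lockout
LOCKOUT_SECONDS = 15 * 60  # how long a locked account stays locked
CODE_TTL_SECONDS = 5 * 60  # how long an issued code remains valid


class TwoFactorGate:
    """Tracks outstanding 2FA codes and failed attempts per user."""

    def __init__(self, clock=time.time):
        self._clock = clock        # injectable so tests can control time
        self._codes = {}           # user -> (code, expiry timestamp)
        self._failures = {}        # user -> count of wrong codes
        self._locked_until = {}    # user -> timestamp when lockout ends

    def issue(self, user, code):
        """Record the code that was sent to the user (SMS, app, etc.)."""
        self._codes[user] = (code, self._clock() + CODE_TTL_SECONDS)

    def verify(self, user, submitted):
        """Return 'ok', 'locked', 'expired' or 'wrong'."""
        now = self._clock()
        if now < self._locked_until.get(user, 0):
            return "locked"
        entry = self._codes.get(user)
        if entry is None or now > entry[1]:
            # No live challenge: an abandoned attempt is not a failure.
            return "expired"
        code, _ = entry
        # Constant-time comparison so timing does not leak matching prefixes.
        if hmac.compare_digest(code.encode(), submitted.encode()):
            self._codes.pop(user, None)      # one-time use
            self._failures.pop(user, None)   # success resets the counter
            return "ok"
        self._failures[user] = self._failures.get(user, 0) + 1
        if self._failures[user] >= MAX_FAILURES:
            self._locked_until[user] = now + LOCKOUT_SECONDS
            self._failures.pop(user, None)
            self._codes.pop(user, None)      # force a fresh code afterwards
        return "wrong"

    def support_clear(self, user):
        """Customer-support action: reset failures and lockout for a user."""
        self._failures.pop(user, None)
        self._locked_until.pop(user, None)
```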

johnisgood, yesterday at 4:37 PM

I do not know, but I am given a code via SMS for each operation, and each SMS costs more than what a regular SMS costs, so the bank often deducts quite a lot of money from me for the "SMS fee".

mindslight, yesterday at 3:36 PM

I assume it shows up as a hAcKErS sToPpEd figure in a quarterly report where they pat themselves on the back for it along with CAPTCHA hassling, blocking browsers that are too secure, network address bans, popups about "passkeys", forced password changes practically every login, etc. If they had any sense they wouldn't be pushing this nonconsensual trash to begin with.