The services implementing SMS 2FA should be held responsible, not the service offering SMS.