Watch out: don’t lose your passwords when you sign up online
Man in the middle spoof of SMS, phone call, and security question validation? Security gets harder and harder …
If SMS is used to validate your account, then the attacker’s registration site will also use SMS to validate you. When your service provider asks the attacker for the code sent to your mobile phone, the victim is asked on their registration form to input the SMS received. Once the victim provides the SMS on the attacker’s form, absent any additional protocols, the unsuspecting user’s email or other online service account has just been hijacked.
Source: Watch out: don’t lose your passwords when you sign up online – Naked Security