If it’s somebody who put in the wrong phone number for authentication, it should stop after a while - either they will find some other way to get into their account, at which point they will probably fix it, or they will give up on their account altogether since they can’t access it.
I’m pretty sure they always do that if it’s for two-factor authentication. But maybe this is more like a recovery number in case you forget your password - I don’t think those are always verified when you enter them.
Or maybe the guy just forgot his own phone number. Several years ago, I started getting a lot of wrong number calls for a recording studio. Lots of them.
Because the studio had a phone number with a 914 area code even though they were located in Manhattan. 914 is usually associated with Westchester County. I had the same number in the 917 area code, which is one of several NYC area codes. I did a little research when I started getting all the wrong numbers and figured out what was going on. The wrong numbers continued. I told everyone that dialed me that they had the wrong area code.
Then one day my phone rings and this guy starts yelling at me, accusing me of hijacking his phone number and intercepting his calls. He was pretty worked up. So I just laughed and I’m like, “Dude, you don’t even know your own phone number. You’re giving out the number with the wrong area code. 914, man, 914.”
^I had a similar situation with an 800 number the phone company gave me for a pager. Some dude (I’ll call him Jim) had the number but lost it due to nonpayment. I began getting pages from people trying to contact Jim for business reasons. Initially I tried to help Jim, calling the people and explaining this number was now mine
Then Jim paged me and I called him. He demanded in no uncertain terms that I contact the phone company and give him back his number. I told him that wasn’t going to happen, as I’d already listed the number on business cards, the phone book, advertisements, etc. He continued to insist and even threaten me.
So, I upped my game. When people called my pager looking for Jim I began calling them back and telling them “Jim says Fuck You, asswipe” and such. The problem went away.
This and other reasons is why NIST doesn’t like 2FA for it’s really poor security. (That’s right. It is not secure!)
A big tree came down Sunday afternoon and we were without cable until Wed. afternoon. Once it was back up I saw that our “landline” (VoIP) had gotten 8 text messages informing me that the tech was scheduled, on his way, etc.
I never once told them they could text me and certainly not at that number and furthermore I couldn’t read those messages until after they restored service!