Well, all of the 3GPP mobile networks switch to a different logic for emergency calls. In the GSM case all emergency calls (112 is hardcoded in the specification and there is a provision for both USIM and the network to add more numbers that behave that way) use different RR layer protocol that deals in physical addresses (ie. IMEI) and the whole process is streamlined. The MS that initiates emergency call will just uplink an emergency RACH frame to anything that it is synchronized with and the network will respond by allocating traffic channel for that, there is no kind of GSM signaling nonsense with multiple packets involved in that.

What will it do if there's no spare bandwidth for an extra channel? Will it kill an existing non-emergency call to handle it?

Yes, or at least that was quoted to me to be the case several years ago when I was working in that domain.

> How about an easier and better solution

Such as?

Difficulty: nothing that requires an end-user to understand PKI; and also would not impede a lawful (and for the purposes of this conversation: ethically necessary) police wiretap.

> nothing that requires an end-user to understand PKI

None is needed, how hard it’s for a bank handing over physical tokens to the customers when they open an account or mailing them to existing ones?

- You can loose them? Sure, just like any smartphone or even government ID, but the process after to replace is what will make you careful next time.

- They can be stolen? Same as above

- They can be used in banks or even for online banking, just tap it with your NFC enabled phone (yubico is an example)

- They can be used by someone else? Sure, just like your phone.

- However, no sim-swap attacks or similar, so in theory it’s better given no negligence from the users which is always the biggest risk anyway, but overall it’s an improvement.

>and also would not impede a lawful (and for the purposes of this conversation: ethically necessary) police wiretap.

Why would the police wiretap a banking verification, they can wiretap the transaction at the banks if they are legally authorized.

Hmm, imagine if banks already gave you NFC capable cards and our phones... that would make the process a lot easier.

(yes, i'm talking about every modern..ish credit and debit card)

> stop using a broken protocol and enforcing the use of phone numbers as an identification for critical information or banking, there are better

There are no better ways for the average human (who doesn't have a clue what 2FA means but can understand being sent an SMS and using the code in it to access an account).

Authenticator tokens are absolutely passe right now, there probably is single-digit percentages of people who don’t have at least one Authenticator code on their phone.

And for the handful of people who just don’t have a phone… RSA/Duo tokens exist for a reason.

SMS allows a whole class of additional attacks, it’s a terrible system and should be removed.

That's almost the case in Europe thanks to PSD2, for instance banks cannot use only SMS tokens anymore.

The second factor is typically a mobile app that prompts your biometric authentication, and this obviously allows geofencing ATM withdrawals.

A mobile app running on a phone that does not receive security updates anymore (or the user not installing them) and a platform fully accessible to the NSA. I really prefer hardware tokens distributed by the bank. Even if the implementation might suck from cryptographic point of view, they are offline.

Being pragmatic you’re not going to convince every Mobile network vendor to implement a new protocol, and then have every mobile operator invest in replacing their cores to support it, all in the name of a better solution.

You don’t convince, you avoid that risk completely by not using GSM as the medium of identity verification, just regulate an identity verification mechanism for banks and such, and don’t mandate it for the users so they are free to choose or opt-out.