Maybe what is needed is regulation that makes the service provider liable (with no option to disclaim it) for all damages suffered by the victim if the provider gives away their phone number to an attacker.