Hmm, I kind of disagree with a lot of people here.
The Physical Card is delivered through the post.
The PIN is sent via a totally different channel: SMS.
This makes sense from a security standpoint. If they post your PIN to you, realistically it will need to come around the same time as your card, otherwise the card will be useless for ages. Now, if your post was intercepted (for whatever reason: dodgy postman, neighbours, delivered to the wrong place) then they will in theory be able to get the two pieces of important information.
The card is useless without the PIN, and the PIN is useless without the card.
As such, two different methods of delivery actually support a secure model. A postman couldn’t intercept the text, but could intercept a card. A hacker or whatever may be able to intercept your SMS / get it off the cloud, but they wouldn’t have the physical card.
The company I work for (can’t name them, but they are FCA regulated and part of the FTSE100) deals with a lot of sensitive information. If we are going to send something via post, we will ensure the second part (the digital key, for example) is sent via a totally different medium to remain secure. While one could be intercepted, it’s unlikely both totally different channels would be.
As such, for all SMS’s faults, it’s about as secure as the postman… both are insecure. But combine the two together and you’ve got a really secure delivery mechanism.