To be vulnerable to the 25 cent charge, you have to make a phone call. Why is anyone setting up a bot to make huge number of phone calls? The phone system is meant for people to make phone calls to other people.
So the worry is that some fraudster would set up numerous AWS accounts with a number for 2FA which AWS would call, and then they'd ding them for the 25 cent charge?
If actually a problem, having the charge go to charity rather than the recipient would eliminate any monetary incentive. I suppose one is left with someone who has a grudge against AWS trying to bankrupt them 25 cents at a time...
