Re: Roaming
It has only to do with roaming in the sense that your home operator has an STP (signaling transfer point) that can receive MAP messages from anybody.
The SMS forwarding in SS7 runs roughly like that: the attacker claims to be another operator and says that you are currently in his network (update location). When then the SMS comes with the pw, it is delivered to the SMSC of the partner (which the attacker conveniently set to his own server).
If no special care is taken e.g. SMS home routing, partner whitelist, roaming restriction check etc, then well, the SMS gets delivered, but not to you......So even if you have a subscription which is not allowed to roam, the STP at the edge would not necessarily know that and block this kind of request.....
BTW roughly same approach also works for 4G/diameter