by hardly_a_mirage 2876 days ago
How would an attacker go about intercepting an SMS?
8 comments

The SMS interception via social engineering of telecom support staff, as others have pointed out, seems most likely, but consider another approach: an app on the user's phone with message read permissions. Most people are not diligent enough to perform an audit of the permissions requested by every app they install, and I could also believe a determined attacker might install an app on an unattended and unlocked phone given the opportunity.
Of course, this only works on Android, and the user has to have given explicit permission for this.
Most of this so-called social engineering of your SIM happens in the US. In most other places, you are required to show some form of proof before you can get or alter any of your personal information as well as your SIM card.
I once walked into a T-Mobile store, showed them my phone and claimed that the SIM card was stuck and asked them to transfer it to a new SIM card I had brought with me. They asked for my phone number, scanned the barcode on the new SIM card, done. I didn't have to provide any identity. I could have been anybody, and the only trace would be the security camera in the store.
People are saying social engineering the legitimate operator, but my off-net SMS provider doesn't require any validation from the original operator. I've successfully "stolen" the SMSs from my cellphone with no validation that I was authorized to do that, never heard about it from my carrier (T-Mobile).
By taking control of your phone number or the radio network your phone connects to, or attacking the signaling network itself, to intercept information going to your phone number.

Basically, imagine every conceivable way any human or computer might at any point interact with a plaintext signaling packet designed to be passed around the world by different companies and eventually read by people. Now attack all of them. Something somewhere will give it up.

It's fairly easy to claim the general case, and indeed you're right. But the challenge is that not all attackers have infinite resources, and the ones that effectively do, us small fry really can't protect against anyway, because they're already where they need to be.

So specific information on known attack paths is an interesting conversation, because part of the SMS 2FA security is the belief that while one-off SMS 2FA attacks are possible, they generally don't scale, and so that puts a high cost on carrying out the SMS 2FA attack, or informs a limit on the value that can be protected by SMS 2FA.

So, good for reddit? Maybe yes. Good for your bank? Maybe not, but maybe yes, depending on the diligence of the customer, the robustness of anti-fraud measures, and the cost of fraud insurance.

> So, good for reddit? Maybe yes. Good for your bank? Maybe not, but maybe yes, depending on the diligence of the customer

Good for Instagram? Maybe no, without much dependence on the diligence of the customer.

https://motherboard.vice.com/en_us/article/vbqax3/hackers-si...

Alrighty then. Thanks for the enlightening read.
And for all that, you get an 11-year-old partial dump?

The ROI doesn't seem that high.

Never underestimate the determination of bored Reddit trolls.

(Actually, the attackers were likely cybercriminals looking for the whole database of current users. Even with salted, hashed passwords, it's trivial to find commonly used passwords and reuse the e-mail address and password to attack other accounts, such as bank accounts, PayPal, Amazon, Facebook, Gmail, etc. Each pilfered account adds up to a payday when you sell them on the black market, for things such as money laundering, account draining, and spam.)

Depends on the attacker and target. Many of the cell towers are insecure. Even today the SS7 attack works on many of them, and phones continue to blindly trust insecure cell towers. For a tech-central place like SV, you get a pretty good return on some risky cell tower setups. Unfortunately most developers don't utilize multiple phone numbers, so a mapping between email and phone number is frequently in some semi-public database.

Of course, if you have a 0-day RCE, it's possible to get the SMS as well. Even local malware on the computer that you're entering the code into could work if you're an identified target. Many protocol downgrade attacks are possible too, though I'd wager most developers would notice the lack of HTTPS in the browser bar.

And of course, social engineering the cell phone company. Though if you call, you can put a flag on your account to make it harder to transfer numbers.

Essentially, convincing a mobile operator to transfer someone's phone account to a SIM card an attacker controls.
Take a look at this post for an example attack:

https://theantisocialengineer.com/2018/07/23/sim-swap-fraud-...

This is definitely more of an edge case (and not really an intercept), but if the user has an iPhone with SMS forwarding set up (via iMessage), the "intercept" could occur by accessing the user's iMessage account and waiting for the forwarded SMS to arrive.