[3pt14159]

Depends on the attacker and target. Many of the cell towers are insecure. Even today the SS7 attack works on many of them, and phones continue to blindly trust insecure cell towers. For a tech-central place like SV, you get a pretty good return on some risky cell tower setups. Unfortunately most developers don't utilize multiple phone numbers, so a mapping between email and phone number is frequently in some semi-public database.

Of course if you have a 0day RCE its possible to get the SMS as well. Even local malware on the computer that you're entering the code into could work if you're an identified target. Many protocol downgrade attacks are possible too, though I'd wager most developers would notice the lack of HTTPS in the browser bar.

And of course social engineering the cell phone company. Though if you call you can put a flag on your account to make it harder to transfer numbers.