Yes. There's nothing special about a mobile phone number when it comes to SMS delivery. The underlying infrastructure company given in the article, Bandwidth, provides phone number provisioning and bulk service for Google's Voice product. On-net (one number hosted by Bandwidth to another number hosted by Bandwidth) might be slightly more of a hurdle to intercept or redirect but off-net is fairly trivial.
Heck, even with "port lock" enabled on a Google Voice number, that is the barest of security against an attacker who has any kind of access better than "retail store employee." Working for a telco with access to our back-end port system, access several other people had, I could forcibly acquire a number by simply checking a box that said I had verified a written LOA even if the losing carrier responded with code 6P ("port-out protection enabled").
So, yes, you're likely sitting in a security-by-obscurity, or at least security-by-slightly-more-difficult-than-someone-else, situation.
"Yes. There's nothing special about a mobile phone number when it comes to SMS delivery."
This is false.
"Mobile" numbers - numbers that are classified as belonging to an actual mobile carrier - are indeed different than non-mobile numbers.
For instance, you cannot send SMS from a short-code to a non-mobile number. Which means, your twilio number (which is not a mobile number) cannot receive 2FA (or any other SMS) from the 5-digit "short code" numbers that gmail (and most banks, etc.) use for new account verification, etc.
Non mobile numbers are, in many ways, second class citizens in the mobile-operator ecosystem.
Short code delivery doesn’t depend on whether a number is assigned to a mobile endpoint, only if the owning carrier has an agreement to exchange messages with the short code provider. Google Voice can handle most short codes, as could Bandwidth.com’s old “demo” retail service, ring.to. For example, send the word “help” to 468311, the short code message service a lot of public agencies use for alerts, from a Google Voice number and you’ll get a response.
Any number can be provisioned at an SMSC, even toll-free numbers these days. But mobile providers—and the associated short code entities—are loathe to peer with many VoIP carriers. Partially for competitive reasons, partially because many short codes are premium billing numbers.
You’re right about non-mobile numbers being second class, but that’s largely because companies filter them out because “fraud,” which is also suspicious reasoning. I can get a hundred “mobile” numbers within a few minutes, rather inexpensively.
It would be useful to understand the flow of an SMS from a source to a Google voice number. While you can't port a Google voice number, it seems like if you can intercept an SMS from a source before it gets to Google then this technique will work.
A useful strategy to help against this in any case is to use a different email address for every online service. Hackers generally can't initiate an account password reset if they don't know the account.
Also if you use a different phone number for account security than your public one then it's a lot harder for them to know what SMS to intercept. Security by obscurity sucks but in this world it may be your only practical choice.
You absolutely can port a Google Voice number. End-user subscriber numbers must be portable per FCC rules. Google, operating services provided by Bandwidth.com (mentioned in the article), does enable port-protection by default but this is easy to bypass by an operator who, like in the article, checks the box that says something like "I have a valid written LOA, complete the port as an exception." This has legitimate uses (some losing providers are very ruthless about not following the rules and letting customers move numbers) but unscrupulous or lazy operators will check the box and move on.
Heck, even with "port lock" enabled on a Google Voice number, that is the barest of security against an attacker who has any kind of access better than "retail store employee." Working for a telco with access to our back-end port system, access several other people had, I could forcibly acquire a number by simply checking a box that said I had verified a written LOA even if the losing carrier responded with code 6P ("port-out protection enabled").
So, yes, you're likely sitting in a security-by-obscurity, or at least security-by-slightly-more-difficult-than-someone-else, situation.