Well… it’s not necessarily a good idea to do 2FA with SMS. Additionally, the codes sent by SMS are usually very time-sensitive, like 5 minutes.
And it means someone has to have compromised both your computer and your SMS in order to defeat the 2FA. Which doesn’t make it impossible. But it’s not trivial to coordinate those things.
But, to add, SIM swap attacks are a known issue and anything of value becomes a target. The main issue is that retail employees in 'authorized reseller' locations are allowed to make changes to accounts with the PIN of the account holder, but that is often easy to guess or is easy to figure out by anyone that does enough digging into someone's life.
https://youtu.be/caVEiitI2vg?t=145 (tl;dr he got cold called to set up 'extra security', gave the attacker a PIN number, and the attacker used that to impersonate them within a T-Mobile store and swap the SIM card from the phone into a new phone, thus receiving SMS 2FA codes for their accounts).
On the level of individual accounts, SMS has proven to be vulnerable to compromise. These attacks are pretty labor-intensive though. On the level of an app or service, SMS 2FA is still a big net gain in blocking account compromise though. Individual users, especially anyone who is at a particular risk for targeted attacks, would be wise to seek out more secure solutions.
MITM isn’t common, but the big problem with SMS for 2FA is that mobile numbers are portable. If your number gets ported without your consent then your 2FA codes get sent to a device you don’t control.[1] NIST stopped recommending SMS 2FA half a decade ago for this reason.[2]
Most companies suck at security. Most users suck at security. Convenience > Security. It is sad that SMS as 2FA account recovery actually adds an attack vector. It is less bad as an out-of-band check if you have a password authentication from a known and fingerprinted computer.
Because SMS already has near-universal adoption. As much as I love my YubiKey I don't know anyone (in the real, not HERE) who uses one for a personal account.