It is but only if you are targeted. I completely disagree with people who say it’s insecure because most attacks are remote and in bulk. Which your password they can login from any browser but are stopped by the SMS code.

For the SMS code they can use mostly automated social engineering to trick a certain percentage into giving it up.

However while A SIM attack may be easy enough for a targeted individual, I don’t think it scales: they have to do work that only helps with one user. It’s too “expensive” compared to automated social engineering against a million vulnerable users

Getting a replacement SIM from the phone company is often shockingly easy, just a tiny bit of social engineering. And then you have access to the number and everything that 2FA “protects”

Veritasium did a great video on it. Anything I can say about it will be 10x worse than that video.

It’s all just a big “in theory” really. It’s “insecure” in that if someone knows the telco you are with, and the telco that you’re with doesn’t follow procedures to verify that a caller is who they say they are, you could have someone else steal your phone number by getting a replacement sim card sent to them.

In reality it’s nothing to worry about. Like…at all. Every telco I’ve been with sends you a sms to confirm that you requested a new SIM card, and that’s after they’ve confirmed that you are who you say you are via sending you a code on your phone number or email.

The most common way is basically calling up your phone company and pretending to be you saying you needed to switch phones

But also beyond just that the networks that route calls and texts globally are not very secure… and it’s not as hard as it should be to get access to it.