by Dan Moren
Why two-factor authentication isn’t totally secure
Developer Justin Williams has a frightening story about how someone got into his PayPal account and withdrew a couple hundred bucks, even though he had two-factor authentication enabled:
I instantly called AT&T’s customer service line to explain what is happening. I give them my name, my phone number, and my security passcode (this is key). The man on the phone reads through the notes and explains that yes, someone has been dialing the AT&T call center all day trying to get into my phone but was repeatedly rejected because they didn’t know my passcode, until someone broke protocol and didn’t require the passcode.
Once the intruder found someone who didn’t require my AT&T security passcode, the intruder had the AT&T call center rep switch my number from my iPhone’s SIM card / IMEI to his/her burner phone.
Security systems are only as strong as the people enforcing them. Two-factor authentication adds a lot more security, but if someone can take over your phone number and receive your texts, then the game’s over. Authentication apps like Authy, Google Authenticator, and 1Password offer more security, but I’m sure even they could be hacked. Training customer service reps to recognize social engineering is critical.
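The reason authenticator apps hold up where SMS codes do not is that the one-time code is computed on the device from a secret shared once at enrollment, so nothing travels over the carrier's network for a reassigned number to intercept. The following is an added illustration (not code from this post or from any of the apps named): a minimal TOTP generator and verifier per RFC 6238, checked against that RFC's published test vector (the ASCII secret "12345678901234567890", SHA-1, 30-second steps).

```python
import hashlib
import hmac
import struct
import time

# Constructed enrollment secret: this is the RFC 6238 test-vector secret,
# used here only so the output can be checked against known values.
SECRET = b"12345678901234567890"
STEP_SECONDS = 30


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamic truncation."""
    msg = struct.pack(">Q", counter)
    digest = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = (
        (digest[offset] & 0x7F) << 24
        | digest[offset + 1] << 16
        | digest[offset + 2] << 8
        | digest[offset + 3]
    )
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from the current time step."""
    return hotp(secret, unix_time // STEP_SECONDS, digits)


def verify_totp(secret: bytes, code: str, unix_time: int, window: int = 1) -> bool:
    """Accept the current step plus/minus `window` steps to tolerate clock drift.

    Both sides derive the code locally; the carrier never sees or delivers it,
    so redirecting the phone number yields nothing useful to an attacker.
    """
    base = unix_time // STEP_SECONDS
    return any(
        hmac.compare_digest(hotp(secret, base + delta), code)
        for delta in range(-window, window + 1)
    )


if __name__ == "__main__":
    now = int(time.time())
    current = totp(SECRET, now)
    print("current code:", current, "valid:", verify_totp(SECRET, current, now))
```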