It’s worth pointing out that often LOA forms ask for a PIN, usually the same PIN as would be required to check voicemail. A better telecom company might make the PIN something harder to remember but enforcing such things would also make it harder to switch carriers, particularly if it replaced today’s standard forms of ID checks.
It’s better to assume that until phone numbers can be locked and unlocked the way domains can, with a random authorization code only accessible by real offline 2FA (though not all domain providers require it), and with the option of completely encrypted end-to-end texting (RCS?), well, then SMS won’t really be all that secure.
My reading of this article suggests that the PIN requirement for number porting is bypassed in this forwarding scenario, since this method is claimed to be distinct from simjacking. That is, the number hasn't been ported by the FCC's guidelines, although I didn't glean exactly how that's happening by these retail providers.
SMS routing and number porting are different things, as the voice and SMS operate independently. I headed Engineering for a company that allowed you to SMS-enable your landline or toll-free number, and our automated flow for non-toll-free landlines required receiving a code via telephone call (to avoid the situation of compromised SMS routing). We didn't support numbers that were not in those two buckets, i.e. mobile numbers (not allowed by carriers) as well as "virtual" numbers like Google Voice, Twilio, etc. (possibility for abuse and/or no way to properly validate ownership). OP's issue is purely the fault of Sakari for having a terrible process.
The process of changing the routing is pretty simple. It's a matter of being a trusted actor and having the ability to submit changes in routing for SMS to a central provider that maintains and propagates this info.
Thanks. So, as with simjacking, a bad actor, e.g. an employee at a company with poor internal controls, can sell (or inadvertently give) access to anyone's 2FA codes.