Worth noting that this is just for US and for prepaid SIMs, from their paper
“We examined the types of authentication mechanisms in
place for such requests at 5 U.S. prepaid carriers—–AT&T,
T-Mobile, Tracfone, US Mobile, and Verizon Wireless”.
It doesn’t mean that for the rest of the world SMS 2FA is completely secure, it’s just a lot more difficult (or impractical/impossible) to do a SIM swap so easily.
As mentioned in another comment below, SS7 vulnerabilities are another attack vector, globally available and without requiring a SIM swap.
These 5 carriers were studied, but where's the evidence that any other carrier is any better (or that you're any better off as a post paid customer of AT&T, T-Mobile or Verizon)?
MetroPCS (prepaid MVNO now something like a subsidiary of TMo) required the 8-digit PIN on the account in order to change IMEIs. A bot would take down all the info, then if/when it was to a phone you'd never used on their network before, you got put on hold to wait to talk to a human and provide your PIN and new IMEI all over again. Then you'd hang up, power off, and move your SIM. But that was ~18 months ago, before it became "Metro by T-Mobile", so I don't know.
It doesn’t mean that for the rest of the world SMS 2FA is completely secure, it’s just a lot more difficult (or impractical/impossible) to do a SIM swap so easily. As mentioned in another comment below, SS7 vulnerabilities are another attack vector, globally available and without requiring a SIM swap.