But isn't it the case that most sites will tell you if you pass a password check before hitting you with an SMS verification?
In that case I could see someone attempting a SIM swap attack for accounts where they pass a password check for higher-value stuff like primary email or anything that is probably linked to a spending account.
That assumes the attacker even has the phone number - best practice is to not display the full number, just the last 4 (xxx-xxx-1234) - so again, for the typical case, the attacker isn't going to know what number to sim swap.
SMS is bad at protecting one account, it's good at protecting 10000.
The minnow security model is bad at protecting one fish, it's good at protecting 10000.
What would you say is an advantage unique to SMS that would be lost if text messages were switched to another model? I'm asking sincerely. There aren't many people arguing in favor of SMS here, so you seem like the right person to ask.
It's pretty simple - there are people who don't have smartphones, plus people who couldn't manage to install/use a TOTP app. Something like ~10% of users probably fit in that category. So either you offer them no protection (if 2FA is optional), no use of the service (if 2FA is mandatory), or ok-but-not-great protection (if you allow SMS).
(In reality, some users don't even have SMS (no cell phone) - so automated voice calls can be offered too. Those without any phone at all...will not be considered as valid customers, in most cases.)
Yeah, but say I am an attacker doing some kind of brute force password hack, and I have a certain number of successes.
Given the funnel there, it might well be worth it for me to put some energy into figuring out who the person at the other end of that account is. Phone numbers aren't secrets.
Yeah, agreed. But again I'm not arguing that SMS is the best second factor, I'm arguing that (used correctly) it's better than no second factor, which is what it's actually competing with in the real world.
Generally, I think services should offer TOTP, email, and SMS, and strongly encourage TOTP. But not offering SMS just means some segment of customers won't have a second factor at all.