It is but only if you are targeted. I completely disagree with people who say it’s insecure because most attacks are remote and in bulk. Which your password they can login from any browser but are stopped by the SMS code.

For the SMS code they can use mostly automated social engineering to trick a certain percentage into giving it up.

However while A SIM attack may be easy enough for a targeted individual, I don’t think it scales: they have to do work that only helps with one user. It’s too “expensive” compared to automated social engineering against a million vulnerable users