
Curious, why is SMS insecure? It's not like a hacker can simply clone your SIM.



No, that's the problem, a hacker can clone your SIM. It's not trivial, but it's not impossibly hard, as in there are known attacks and if your fortune is protected by SMS 2FA, you'd better hope you don't draw attention from a motivated attacker. SS7 attacks and others are not theoretical.


Actually all it needs is walking into the AT&T/Verizon store with a convincing fake ID + "I lost my phone".

Or a rotten apple working at the store who is working together with the perpetrator.


A hacker can perform a SIM swap attack, where they convince the operator using bribes and/or fake IDs to provide a replacement SIM card for your number.


What's the better alternative?


Physical Security Key > TOTP/Authenticator Apps > SMS 2FA


Requiring a TOTP to get into the app handling your TOTP might not be the easiest for most. A strong encryption password on Authy prevents this and you can also disable multi-device / enrollment when not needed.


If Authy wants to not be a joke, then they should end their mandatory SMS authentication method, then. I certainly am not going to trust it when there's an SMS requirement to even get in. Because I (not unreasonably) assume if you contact Authy support and can pass their SMS check, they might have some way of "giving you back access to your account" and by "you" I mean criminals posing as you.


As far as I know, and I may be wrong there, but Authy gives you access back to your account. Not to your TOTP codes which are encrypted by your Backup Password.

Once logged in, you need to enter that "second" password in order to get access to the TOTP codes and Authy will notify you of the new device connected.


A hacker doesn't need to clone your SIM, all they need is access to an SS7 line almost anywhere in the world and they can see your messages, regardless of carrier or phone. I suppose North Korea probably doesn't have access to SS7 servers, but that might just be the only one. Granted, SS7 isn't cheap or easy to get access to, but when it comes to banking fraud, the economics change.

The victim will be disconnected from the network, but there's no way in hell the first line of carrier support will detect any of this. You'll have to put your faith in the security monitoring of your carrier (the ones letting spoofed numbers in and out of the network, so good luck I guess). There's absolutely nothing you can do about this threat other than hope that your carrier is smart enough and that you're not important enough for a sophisticated fraudster to target.

As for cheaper threats, everyone who tweeted about owning a crypto exchange account with their phone number on display will probably lose their SIM at some point. SIM swapping is easy with a fake ID, and people within phone stores have been caught doing it from the inside.

SMS is insecure and often abused. Don't use it. Maybe also disable 2G on your phone while you're at it.


They can clone it, they can eavesdrop on it by having hacked your phone, they can be eavesdropping on the wireless network. But the most likely is they can dupe your carrier to port your number out.



