@jonathanmatthews @em0 Port your "trusted" phone number to a new phone through your carrier, and you can unlock the account via a text message. This is a weakness of Apple's current system. Thief could pop the SIM out of the stolen phone onto another phone. Then all they need is the password to get in thru 2FA. That is why they were sending the text message trying to phish the login.
@sayitintexan Is it true people in the US rarely enable a PIN code on their SIM? If it's enabled, the SIM requires PIN entry after it's removed from the phone.
@mjo Typical American doesn't know that feature exists, much less how to enable it. Long-term solution here is likely eSIM ... mandatory on the latest iPhones. No idea what carrier security is present for eSIM though.