Re: Effective and ineffective
SIM swapping is not the only attack against SMS. You also have number hijacking and SS7 attacks.
If only password authentication was being used, then no SIM swap would have been needed. But if an implementation of password reset by SMS is in effect, then it no longer is a second factor. Single factor authentication by SMS is worse than password authentication. This is a perfect implementation flaw example.
In the story you linked, it does not have enough detail of the various services' I&A schemes. I cannot determine if the SMS was a true 2FA or used as a password reset mechanism.
In the US NIST had depricated SMS as 2FA over a decade ago. But for some odd reason they added it back quietly in their recommendations for 2FA.
I stand by my statement. As a true properly implemented 2FA, SMS is only slightly better than single factor password.
I resist SMS 2FA as much as possible. I have a hardware token, but few service providers support 2FA or only SMS 2FA, or some do support TOTP, only about half a dozen I use support hardware token 2FA out of nearly a thousand accounts I have.