2FA isnt if you use a standalone 2FA app or key to authenticate.
Once they had the number and sim they were able to use the "forgot password" stuff for Twitter which would give them access to his DMs there, do the same for iCloud and then if he had anything sync'd to the cloud it would restore to that iphone, same with GMail.
Seems like that's the kind of thing that should be against the rules across the board.
So reading that, is 2FA entirely useless if they can fake authenticate it on a SIM swapped device?
If someone is determined to get your info, it seems like they'll just go ahead and get it no matter what you do.
2FA isnt if you use a standalone 2FA app or key to authenticate.
Once they had the number and sim they were able to use the "forgot password" stuff for Twitter which would give them access to his DMs there, do the same for iCloud and then if he had anything sync'd to the cloud it would restore to that iphone, same with GMail.