iPhones, Armed Robbery, and Hacking (2018) (manybutfinite.com)
13 points by jor-el on May 23, 2019 | 5 comments


For me the main takeaway from the article is that the robbers have become sophisticated enough to perform phishing attacks to get iCloud credentials.

Also, the author says using Authy is a good alternative as it provides encrypted backup, but account authentication is via OTP to the registered phone number, so it brings us back to the same problem. Are there other alternatives to this?


I don’t see how it’s sophisticated. Seems like an obvious method to get access to someone’s login info, and simply enabling 2FA (non-SMS preferably) and disabling mobile service would have been the common sense protocol to prevent all of this.

SMS 2FA is always weaker than TOTP, as are Touch ID and Face ID. But you pay for convenience. And sometimes users aren’t given the option for TOTP, which is ridiculous in this day and age.


Putting the SIM in another phone is a nasty trick. Seems to get around 2FA.

If what 2FA is protecting is more important than your phone, I think a SIM PIN is a good idea.


The problem with a SIM PIN is that the phone can no longer get data service if rebooted unless the PIN is provided, so Find My iPhone stops working. I once lost a phone like that.


As someone who never owned an iPhone and hasn't used a SIM without a PIN ever (18 years now?), this is quite an interesting angle I'd never thought of.



