Old news
Here in Blighty, the BBC have reported several instances of exactly this hack over (from memory) at least two or three years. I think they also reported that one of our banks had stopped using SMS 2FA in response to documented cases of their users' phone numbers being hijacked.
If 2FA is to work, it needs to be cryptographically secured. End to end, not just in components where it's easy.
And to pre-empt the next hack, if a 2FA token is issued by the same Authority as the an https session where the transaction originated, we're staring at another single-point-of-failure.