A "sim hijacking" attack is where an attacker calls your phone company and pretends to be you. They claim to have lost their phone, and get a new sim card issued to them with your phone number. when they put the sim in their phone, the duo authentication message goes to their phone instead of yours.

any 2-factor system based on the phone system is no more secure than your phone company's willingness to give away your phone number, and they're usually pretty willing. I actually had this happen to me, in a benign way: my employer started paying my phone bill, they transfered my phone number from my personal plan on one carrier to the company plan with a different carrier. Somebody at the office just handed me a new sim card and told me my old SIM didn't work anymore - it required no interaction on my part to transfer my number to a new plan with a new company. that's apparently just normal procedure.