My reading of this article suggests that the PIN requirement for number porting is bypassed in this forwarding scenario, since this method is claimed to be distinct from simjacking. That is, the number hasn't been ported by the FCC's guidelines, although I didn't glean exactly how that's happening by these retail providers.
SMS routing and number porting are different things, as the voice and SMS operate independently. I headed Engineering for a company that allowed you to SMS enable your landline or toll-free number, and our automated flow for non-toll-free landlines required receiving a code via telephone call (to avoid the situation of compromised SMS routing). We didn't support numbers that were not in those two buckets, i.e. mobile numbers (not allowed by carriers) as well as "virtual" numbers like Google voice, Twilio, etc. (possibility for abuse and/or no way to properly validate ownership). OP's issue is purely the fault of Sakari for having terrible process.
The process of changing the routing is pretty simple. It's a matter of being a trusted actor and having the ability to submit changes in routing for SMS to a central provider that maintains and propagates this info.
Thanks. So, as with simjacking, a bad actor, e.g. an employee at a company with poor internal controls, can sell (or inadvertently give) access to anyone's 2FA codes.
