I’m not sure if they’d need to clone your number? The right emulator would enable you to install Freetrade on just about anything I would think.
I don’t know if that’s really a second factor in this context, let’s assume Facebook is breached and all emails and passwords are leaked or sold, as is how most hacks of this ilk happen. Now the attacker has millions of user details including email addresses and passwords and a large majority of those users will be using the same password across multiple platforms.
Next up email addresses are compromised, and you can either go on from there and categorise/target accounts, or leak/sell those details onward’s to who knows as well.
It doesn’t take long before an attacker has a list of compromised email accounts all with Freetrade accounts, bank accounts, other accounts etc. And then factor in that compromised account to support an attack on X or Freetrade for example. This is business as usual for lots of online criminals these days, and I’m sure there’s a myriad of other ways one could compromise an account.
Most banking/finance/crypto apps have the security Freetrade has now, and more, 2FA. It’s just another layer of defence and it would be an option, if you don’t want to enable it you don’t have to.