Only the phone carrier can change the phone number, your story is far from credible, (or inaccurate)

Even if someone else had your iPhone and saw the verification number, they also have to know your AppleID's password to actually get into your account or change anything.  The authentication token by itself does not let them actually do anything - BOTH the token and password must be known to get into your account.  And, the token expires in 10 minutes once sent, so they have a very limited window of opportunity to login as you and alter your account information.

You say you did not have your iPhone with you at the time you tried to set up the new device.  So, who did have it or have access to it?  Did that person know your password, or were you foolish enough to use a weak or easily guessed password?

Your post implies that someone else already had your "other" device and also knew or easily guessed your AppleID password as that would be the only way they could log in as you and alter your Account information.

Apple has no use for phone numbers as part of their security process. Phone numbers are not secure.

raveenjain wrote:

 

• I bought an Apple Ipad Pro at the Apple Store and I logged in with my apple id at the store.

Why would you sign in to your private account in public place?

raveenjain wrote:

 

• It is very surprising that the hacking happened from an Apple Store, which would mean their network is compromised.

<Personal Information Edited by Host>

What makes you think their network is compromised? That "hacking" could be as easy as standing next to you or behind you, shoulder surfing while you're logging in at Apple store. The most important thing to do to protect your ID is to be extremely careful. The last line (in bold) tells me that you are not a careful type so it doesn't matter if your account is linked to a phone or credit card/email address. Someone will steal it if you're not careful.

Actually, Two Step Verification has both Trusted Devices and Trusted Phone Numbers for the verification process. You have the option to send the verification code to one of your devices directly, or via SMS text to one of your Trusted Phone numbers:

Cheers,

GB

Yep, but Apple would never ask you for one during the verification process.

In fact, 2FA's security is entirely self-serve. No Apple involvement whatsoever, other then telling you that.

2SV still uses a Support PIN and such for verification, but not 2FA.

So, the OPs accounting of things doesn't hold up. He would not have had a conversation about his identity with Apple if he is using 2FA.

The only way that a new number can be added as a Trusted Number is by signing into the Apple ID, which means that the person would have to know your password, and would also have to have access to one of you existing Trusted Devices or to the phones that used the Trusted Numbers.....

You cannot change or add anything to Two Step without the password and the verification code. So, before a new number could be added, they would have to know your Apple ID password, and have a way to get the verification code.

And the Trusted Devices and Trusted Numbers cannot be used in the way you described:

• Apple ID is solely dependent on the other device which is the least secure device as it can be stolen, lost or accessed by anybody when left alone for a few moments

Since you are the person who chooses which trusted device to send the verification code to, if your device was lost, stolen, or not in your possession, you would not select that one to receive the second part of the Two Step. If you had no other device or number to send it to, you would click on Device not Available, and then you would have to put in your Recovery Key. So, at any time, you can select that as the second step.

If you are able to sign into your Apple ID, change the password immediately.

Best of luck,

GB

This article says that both Trusted Devices and Trusted Phone Numbers are used for Two Factor as they are for Two Step:

Two-factor authentication for Apple ID

Two-factor authentication is an extra layer of security for your Apple ID designed to ensure that you're the only person who can access your account, even if someone knows your password.

How it works

With two-factor authentication, your account can only be accessed on devices you trust, like your iPhone, iPad, or Mac. When you want to sign in to a new device for the first time, you'll need to provide two pieces of information—your password and the six-digit verification code that's automatically displayed on your trusted devices. By entering the code, you're verifying that you trust the new device. For example, if you have an iPhone and are signing into your account for the first time on a newly purchased Mac, you'll be prompted to enter your password and the verification code that's automatically displayed on your iPhone.

Because your password alone is no longer enough to access your account, two-factor authentication dramatically improves the security of your Apple ID and all the personal information you store with Apple.

Once signed in, you won’t be asked for a verification code on that device again unless you sign out completely, erase the device, or need to change your password for security reasons. When you sign in on the web, you can choose to trust your browser, so you won’t be asked for a verification code the next time you sign in from that computer.

Trusted devices

A trusted device is an iPhone, iPad, iPod touch, or Mac using iOS 9 or OS X El Capitan that you've already signed in to using two-factor authentication. It’s a device we know is yours and that can be used to verify your identity by displaying a verification code from Apple when you sign in on a different device or browser.

Trusted phone numbers

A trusted phone number is a number that can be used to receive verification codes by text or phone call. You must verify at least one trusted phone number to enroll in two-factor authentication. You should also consider verifying other phone numbers you can access, such as a home phone, or a number used by a family member or close friend. You can use these numbers if you temporarily can't access your own devices.

Am I missing something?

GB

Then follow the steps in this Support Article:

And if you have access to your Apple ID, then remove the other Trusted Device, and replace it with one that you actually have.

Regain access to your Apple ID with two-factor authentication account recovery - Apple Support

GB

No. They both use trusted devices and verification codes by phone.

2FA has no recovery key. Just trusted devices, phone devices for codes and a password.

2SV has that you-must-always-possess-2-of-these-3-things aspect to it. Lose your recovery key, (very easy for users to do), and then forget your password... you're done. No access for you. You need your trusted device AND your recovery key to create a new password. 2FA is deemed to be "easier".

2FA does away with the recovery key. If you forget your password, you must "recover your account"