1. Is there any carrier provider that allowed you to change your sim card or port to another device via phone call only?
Depends on carrier provider you use. In my country, such things must be done on one of their branch.
2. If this case happens, can we blame our carrier provider on this or take some legal actions?
and what more tips or advice you can give to avoid this kind of attack.
Depends on their terms and condition & your country's law. But most sue cases i've seen were won by the provider (either they got away or only pay minor amount of plaintiff losses).
But there are some website that doesn't support google authenticator, that's the bad thing about that.
In first place, no one should deal with services which don't have hardware/software token 2FA when it's about financial.