When unauthorized transfers appear in a bank account, consumers are often told:

“The login was authenticated.”
“A verification code was sent.”
“Multi-factor authentication was completed.”

Those statements assume the phone number receiving the code still belonged to the customer.

Sometimes, it didn’t.

What a SIM Swap Is

A SIM swap occurs when a fraudster convinces a mobile carrier to transfer a victim’s phone number to a SIM card under the fraudster’s control.

This can happen through:

  • Social engineering of carrier employees

  • Compromised carrier accounts

  • Insider assistance

  • Stolen identity information

Once the number is transferred, the victim’s phone loses service.

The fraudster’s phone begins receiving:

  • Text messages

  • Calls

  • One-time passcodes

  • Password reset links

The number looks the same in every system.

But control has changed.

Step 1: Account Recovery Begins

With control of the phone number, a fraudster can initiate password resets for:

  • Online banking

  • Payment apps

  • Email accounts

  • Financial platforms

If the bank uses SMS-based verification, the one-time code goes directly to the fraudster.

From the system’s perspective, authentication succeeded.

Step 2: Email Control Often Follows

In many cases, the fraudster resets the victim’s email password first.

Once email access is obtained, additional password resets become easier.

The attacker may then:

  • Change account contact information

  • Disable alerts

  • Add new payees

  • Increase transfer limits

  • Initiate transfers

The customer may not even see the alerts.

Step 3: The Bank Log Shows “Successful MFA”

When the fraud is reported, banks often point to:

  • Verified login

  • One-time passcode confirmation

  • Device authentication

  • Multi-factor completion

Technically, those steps occurred.

But multi-factor authentication only proves that someone controlled the second factor.

If the phone number itself was hijacked, the second factor no longer belongs to the customer.

Authentication succeeded.

Authorization did not.

Why SMS-Based MFA Is Vulnerable

Cybersecurity agencies, including federal authorities, have warned that SMS-based authentication carries known risks because phone numbers can be transferred or reassigned.

Banks are aware of SIM swap fraud.

Telecom carriers are aware of SIM swap fraud.

It is a documented, ongoing problem.

Yet when disputes arise, institutions sometimes treat successful SMS verification as strong proof of authorization.

That assumption deserves scrutiny.

The Legal Question

Under federal law governing unauthorized electronic transfers, the key issue is not:

Was the correct code entered?

The issue is:

Did the consumer authorize the transfer?

If the authentication process was compromised before the login occurred, the presence of a one-time code does not automatically answer that question.

Authentication logs show a process was completed.

They do not show who controlled the phone number at the time.

The Bottom Line

SIM swap fraud is real.

It involves transferring control of a phone number — not hacking the bank directly.

If your denial relies primarily on:

“Multi-factor authentication was successful.”

It is reasonable to ask:

Who controlled the phone number when that code was sent?

Because authentication only works if the second factor truly belongs to the customer.

And that distinction matters.

To explore other documented bank hacking mechanisms, visit:

👉 How It Happens: Bank Hacking & Unauthorized Transfers

Martian SIM Card Stealer

Michael F. Cardoza, Esq.
Michael F. Cardoza, Esq.
Connect with me
U.S. Marine & Consumer Financial Protection Attorney helping victims of ID theft and Credit Reporting errors.