IIRC, on Darknet Diaries podcast they shared that one of the approaches is that someone comes to a location that services T-Mobile customers and has T-Mobile terminal (not necessarily a T-Mobile brand boutique shop). They come with a random request and wait for an employee to sign into the terminal and then pull it out of their hands and run away. They then run against the clock (whatever time it takes to report theft to central T-Mobile office and block the device) to perpetrate the fraud.
I guess a second factor confirmation on every modifying request would solve the issue?
I remember a that or a similar episode! And it was apparently even more intricate, the robber being only the lowest member of a whole food pyramid of criminals - after the robbery his only task was to grant remote access to someone who knew the terminal software (probably that would be the paid insider), while in some secret chatroom a third guy already started running an auction of who would get his sim swap processed while the guy who organised the whole thing was relaxing somewhere at the beach watching his percentage of the profits rolling in.
I was kind of amazed and shocked at the same time how there already seems to be an established sim-swap-as-a-service economy with specialized roles and plenty demand to warrant expansion...
I guess a second factor confirmation on every modifying request would solve the issue?