This highlights why a one time code, sent via SMS, does not in itself constitute SCA!

Here is a scan of a Times article that appeared in the Money section on Saturday 14th December 2019.

A scammer was able to steal a person's mobile phone number (via a PAC) and then emptied their bank account.

Here is an excerpt from the EBA Opinion on SCA elements under PSD2:

25. As stated in the EBA Opinion on the implementation of the RTS (paragraph 35), a device could be used as evidence of possession, provided that there is a ‘reliable means to confirm possession through the generation or receipt of a dynamic validation element on the device’. Evidence could, in this context, be provided through the generation of a one-time password (OTP), whether generated by a piece of software or by hardware, such as a token, text message (SMS) or push notification. In the case of an SMS, and as highlighted in Q&A 4039, the possession element ‘would not be the SMS itself, but rather, typically, the SIM-card associated with the respective mobile number’. 

So in this case, as it is the SIM card that is the possession element, it is not possible for SCA to be performed on a new SIM simply by transferring a mobile number to it.

Also, here is Article 24 of the RTS on SCC and SCA:

Article 24 Association with the payment service user

1. Payment service providers shall ensure that only the payment service user is associated, in a secure manner, with the personalised security credentials, the authentication devices and the software.

2. For the purpose of paragraph 1, payment service providers shall ensure that each of the following requirements is met:

(a) the association of the payment service user's identity with personalised security credentials, authentication devices and software is carried out in secure environments under the payment service provider's responsibility comprising at least the payment service provider's premises, the internet environment provided by the payment service provider or other similar secure websites used by the payment service provider and its automated teller machine services, and taking into account risks associated with devices and underlying components used during the association process that are not under the responsibility of the payment service provider;

(b) the association by means of a remote channel of the payment service user's identity with the personalised security credentials and with authentication devices or software is performed using strong customer authentication. 

So in order for a SIM card to be used to perform SCA, the SIM must be associated with the PSU (i.e. the account/card holder). If this association is performed remotely (i.e. not in a bank branch), SCA must be performed on the association itself.

In circumstances such as those described in the article, where the payer challenges a payment, the ASPSP must prove to the payer that the payment was authorised. To prove that, the ASPSP must not only provide the PSU with a copy of the SCA proof for the disputed payment; it must also provide proof of the initial association.
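As an added illustration (not part of the original article), here is a small Python model of a PSP that treats the SIM, rather than the phone number, as the possession element: a remote association without SCA is refused, and an SMS OTP stops counting as possession once the number is served by a different SIM. The `lookup_iccid` callable is an assumption standing in for whatever SIM-swap check the PSP has access to; the numbers and ICCIDs in the demo are constructed.

```python
"""Model: the SIM (ICCID), not the phone number, is the SCA possession element."""
from dataclasses import dataclass
from typing import Callable, Dict, Optional


@dataclass(frozen=True)
class Association:
    psu_id: str
    msisdn: str
    iccid: str                    # SIM identifier captured at association time
    channel: str                  # "branch" (in person) or "remote"
    sca_evidence: Optional[str]   # reference to the SCA proof, required when remote

    def is_valid(self) -> bool:
        # Article 24(2)(b): a remote association must itself have been done under SCA.
        return self.channel == "branch" or bool(self.sca_evidence)


class SimPossessionVerifier:
    def __init__(self, lookup_iccid: Callable[[str], str]):
        # Assumed hook: returns the ICCID currently serving a number (a real PSP
        # would use an operator SIM-swap check service here).
        self.lookup_iccid = lookup_iccid
        self.associations: Dict[str, Association] = {}

    def associate(self, psu_id: str, msisdn: str, channel: str,
                  sca_evidence: Optional[str] = None) -> Association:
        assoc = Association(psu_id, msisdn, self.lookup_iccid(msisdn), channel, sca_evidence)
        if not assoc.is_valid():
            raise ValueError("remote association without SCA is not permitted")
        self.associations[psu_id] = assoc   # retained as proof of association
        return assoc

    def possession_evidence(self, psu_id: str) -> dict:
        """Can an SMS OTP sent now count as possession? Returns dispute evidence."""
        assoc = self.associations.get(psu_id)
        if assoc is None:
            return {"possession_ok": False, "reason": "no association on record"}
        current = self.lookup_iccid(assoc.msisdn)
        if current != assoc.iccid:
            # The number is now on a different SIM (e.g. after a PAC port): the
            # associated possession element is gone, so the OTP proves nothing.
            return {"possession_ok": False, "reason": "SIM changed since association",
                    "associated_iccid": assoc.iccid, "current_iccid": current}
        return {"possession_ok": True, "association": assoc, "current_iccid": current}


if __name__ == "__main__":
    operator = {"+447700900123": "8944-SIM-A"}        # constructed sample data
    verifier = SimPossessionVerifier(lambda n: operator[n])
    verifier.associate("psu-1", "+447700900123", "branch")
    print(verifier.possession_evidence("psu-1")["possession_ok"])   # True
    operator["+447700900123"] = "8944-SIM-B"          # number ported to a new SIM
    print(verifier.possession_evidence("psu-1")["reason"])
```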

I think this will also be a challenge for Apple Pay! In order for Apple Pay to be deemed as SCA compliant, the ASPSP must provide proof of association between PSU and their iPhone. If associated remotely, this association must involve SCA.
