I'm pretty sure you just have to convince a salesperson that you "lost your phone" and get the same number reassigned to a new sim/device. It's the number that's used for SMS based auth, not the sim itself. Social engineering is often a weaker link than hacking or physical theft.