You need to steal someone's bank card, know their phone number and operator, socially engineer your way through it, execute a payment and validate it with the code received by SMS, before the victim realises either their card is missing or their SIM card no longer works? That's a stretch, and in any case that's why most banks do MFA with their app.