[roganartu]

The SMS interception via social engineering of telecom support staff, as others have pointed out, seems most likely, but consider another approach: an app on the users phone with message read permissions. Most people are not diligent enough to perform an audit of the permissions requested by every app they install and I could also believe a determined attacker might install an app on an unattended and unlocked phone given the opportunity.

[saagarjha]

Of course, this only works on Android, and the user has to have given explicit permission for this.

[ksec]

Most of these so called Social Engineering of your Sim happens in US. In most other places, your are required some form of proof before you can get or alter any of your personal information as well as Sim card.