No doubt that this person made a huge mistake, but...
Is this seriously a thing? A bank that uses one-factor login? Not only that, but a weak one too? This seems absolutely ridiculous. Why would anyone use such a terrible bank? Isn't the bank at least required to try to protect the customers money? It's usually not that hard to get a hold of a number belonging to someone else. Where in the world is this?
Isn't this two-factor login? Something you know (username) and something you have (phone)? There's also a good chance that the scammers had a set of leaked security questions on hand. I'm sure some banks even use SSN as an authentication factor.
No, it's not. A username is rarely a secret used for anthentication. In this case it seems the user got tricked into giving away a password reset code given over SMS. So the first factor(password) was skipped. If an SMS code and the password would have been needed then it would be 2 factors.
SSN is alsp a stupidly bad usage as an authentication factor. A lot of people have access to it, it's not unique to the service and you can't just change it whenever you want.
Is this seriously a thing? A bank that uses one-factor login? Not only that, but a weak one too? This seems absolutely ridiculous. Why would anyone use such a terrible bank? Isn't the bank at least required to try to protect the customers money? It's usually not that hard to get a hold of a number belonging to someone else. Where in the world is this?