I understand that it's hard in the edge cases, but a port followed by account recovery within a short period of time should be enough of a red flag to immediately lock the account.

> A port followed by account recovery within a short period of time should be enough of a red flag to immediately lock the account

What happens if a legitimate customer's phone gets lost and they quickly transfer the number and reset their accounts?

I think they should do a video call verification.

If a customer loses the phone, and then ports the number instead of replacing it, and also forgets their password at the same time... yeah, I think it's fair to give them a bit of a hard time before letting them in.

Video verification sounds reasonable, as would some wait time. What's not reasonable in that situation is a self-service fully automated account recovery via SMS and e-mail verification followed by allowing withdrawals.