The security measures described are all possible, for sure. Ideally, the system should be able to function only on SMS commands, since many users will not have a mailing address or second device. Still, secondary security measures can be implemented, such as a pin number.
Can't a PIN be intercepted by the telecom guys, or are we assuming they won't be that sophisticated?