Seems vulnerable to phishing. The attacker already uses phishing to get account number, password and phone number; now they just have to send a fake 2Factor message and observe how the number is translated.

Even if the function is lossy, it has very little entropy. Maybe even vulnerable to brute forcing...

I agree with the other poster, Google Authenticator looks like a better solution.