It could be done remotely but only if the store had signed off that ID had been viewed and the port confirmed in person. Of course this could be gamed but an employee would need to put their name on the line to say they had met the person and viewed the ID
We have a <major us carrier> rep (as a business customer) and he will port our lines and change SIMs for me based on an email. However I noticed the last time I initiated one of these requests there was a confirmation step that involved an email sent to me with a URL I had to click to approve. From memory I don't believe that URL needed authentication so the email was a bearer instrument. An attacker would need to both fake my outgoing email (easy) and also intercept incoming email (not so easy). There was also a confirmation email sent advising that the request had been approved and processed.
I can imagine however that an admin at a reasonably large business would receive several of these emails per day and may just reflexively click on them all. Note these emails are sent to the business account admin, not the end-user. I happen to be both so can see both sides of the process.
Edit: I should also add that I have never met this rep and so he has definitely not looked at my government ID. The process is secured only by receipt of email.
