Recycled numbers inherit historical trust, while eSIMs let attackers provision and discard phone identities quickly. Together, they let fraudsters move faster than reputation systems can react. The result is that SMS-based controls can approve a transaction even when the current user has no legitimate ownership of the number.
Why This Matters for Security Teams
Recycled numbers and eSIM abuse matter because they weaken the trust assumptions behind phone-based recovery, step-up authentication, and transaction approval. A number that once belonged to a legitimate user may later be reassigned, while an eSIM can be provisioned quickly enough to outpace manual review. That means the security control is often validating possession of a phone number, not possession of the original account holder’s identity.
This creates a practical gap between fraud prevention and identity assurance. Teams that still treat SMS as a reliable ownership signal may miss that number reputation, telecom reassignment, and device enrollment are separate events. The right control design is closer to risk scoring than simple verification, with stronger checks for high-value changes and recovery flows. NIST guidance on control design, including the NIST SP 800-53 Rev 5 Security and Privacy Controls, is useful here because it pushes teams toward layered authentication and recovery safeguards rather than single-channel trust. In practice, many security teams encounter the weakness only after account recovery abuse or SIM-swap fraud has already produced a successful takeover.
How It Works in Practice
Recycled numbers become dangerous when an identity provider, help desk, or fraud engine continues to trust a phone number after carrier reassignment. If a service uses that number for password reset, one-time passcodes, or transaction approval, the new holder may inherit access paths that were meant for the prior subscriber. eSIM abuse adds speed and scale to the problem because attackers can activate, rotate, or abandon identities with minimal friction, especially when the workflow depends on lightweight telecom checks.
Operationally, the risk usually appears in three places: account recovery, step-up authentication, and high-risk transaction approval. Security teams should evaluate whether a phone number is being used as:
- a proof of ongoing ownership,
- a recovery factor after primary credential loss, or
- a fraud signal that should be corroborated with device, session, and behavioural context.
That distinction matters. SMS can still have utility as a low-friction signal, but it should not carry the same assurance as phishing-resistant authentication or a verified device binding. Current guidance suggests pairing number-based checks with stronger signals such as device reputation, channel age, and step-up verification for sensitive actions. Where identity assurance is central, the NIST Cybersecurity Framework 2.0 helps teams organise the response across identify, protect, detect, and respond functions, rather than treating telecom status as a standalone control.
These controls tend to break down when legacy recovery paths, outsourced call centres, and high-volume consumer onboarding all depend on SMS as the easiest default factor.
Common Variations and Edge Cases
Tighter phone-based controls often increase user friction and support overhead, requiring organisations to balance conversion and recovery speed against takeover risk. That tradeoff becomes sharper in industries where rapid account recovery is expected, such as fintech, marketplaces, and mobile-first consumer services.
There is no universal standard for this yet, but best practice is evolving toward treating phone numbers as mutable contact data rather than stable identity proof. A recycled number may still be useful for communication, while an eSIM-enabled device may be a legitimate customer asset. The issue is not the technology itself, but the assumption that either one proves continuity of identity. For higher-risk journeys, teams should shift toward layered assurance, including device binding, transaction-specific approval, and fraud analytics that do not rely on telecom ownership alone. The OWASP Non-Human Identity Top 10 is not a direct telecom control guide, but it is relevant where automated account recovery, bots, or agentic workflows can amplify weak identity checks and accelerate abuse patterns.
Edge cases also matter. Prepaid numbers, roaming users, family-shared devices, and enterprise-managed eSIM profiles can all create false positives if the control is too rigid. The practical goal is not to block every number change, but to detect when a number change, SIM reissue, or high-risk login is inconsistent with the rest of the user’s session history.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
OWASP Non-Human Identity Top 10 and MITRE ATLAS address the attack and risk surface, while NIST CSF 2.0, NIST SP 800-63 and NIST AI RMF set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST CSF 2.0 | PR.AA-01 | Identity assurance must account for mutable phone ownership and recovery risk. |
| NIST SP 800-63 | Digital identity guidance informs whether SMS can serve as an authenticating factor. | |
| OWASP Non-Human Identity Top 10 | NHI-6 | Automated recovery and abuse paths can be amplified by unmanaged machine-driven identity flows. |
| NIST AI RMF | Risk management should cover how fraud models and decisioning use telecom trust signals. | |
| MITRE ATLAS | AML.TA0001 | Adversaries can exploit identity workflows with automated, adaptive fraud techniques. |
Apply stronger lifecycle and recovery controls where automation can exploit weak identity assumptions.