TL;DR: Phone numbers are no longer durable identity anchors because recycled numbering, eSIM abuse, and MVNO-driven churn let fraudsters exploit account opening, authentication, and recovery flows, according to Prove Identity. Static SMS and tenure checks now create false confidence while adding friction that still misses borrowed trust.
At a glance
What this is: This piece argues that phone-based fraud now succeeds because legacy identity systems still treat phone numbers as stable ownership signals when they are increasingly recycled, virtualized, and reassigned.
Why it matters: For IAM, fraud, and identity teams, the issue is that phone signals are being used as authentication evidence even when ownership continuity has broken, which weakens account recovery, step-up authentication, and customer trust decisions.
By the numbers:
- When sampled, more than 80% of numbers available for reassignment were already recycled and susceptible to SMS-based account takeover.
- 97% of NHIs carry excessive privileges, increasing unauthorised access and broadening the attack surface.
👉 Read Prove Identity's analysis of recycled phone number fraud and eSIM abuse
Context
Phone-based identity controls fail when they assume a number maps cleanly to a person over time. Reassignment, recycling, and software-provisioned SIMs have turned a once-stable signal into a weak proxy for trust, especially in account opening, recovery, and step-up authentication.
That problem sits squarely at the intersection of fraud prevention and identity governance. Where organisations still rely on phone tenure or SMS possession as proof of continuity, they are making access decisions on a signal whose ownership can change faster than their controls can detect.
Key questions
Q: What breaks when organisations still trust phone numbers as stable identity factors?
A: They confuse reachability with ownership. A recycled or reassigned number may still receive SMS and pass basic checks, but it no longer proves the current user is the original owner. That creates a blind spot in account opening, recovery, and step-up authentication, where fraudsters exploit borrowed trust to gain access.
Q: Why do recycled numbers and eSIM abuse increase account takeover risk?
A: Recycled numbers inherit historical trust, while eSIMs let attackers provision and discard phone identities quickly. Together, they let fraudsters move faster than reputation systems can react. The result is that SMS-based controls can approve a transaction even when the current user has no legitimate ownership of the number.
Q: How can security teams tell whether phone-based authentication is still working?
A: Look for continuity signals, not just delivery. If a number has frequent reassignment, short tenure, or a mismatch between the phone and the user’s broader identity history, the control is operating outside its intended boundary. Track false approvals and recovery abuse, not just SMS delivery success.
Q: Who is accountable when phone-based recovery fails and an account is taken over?
A: Accountability usually sits across identity, fraud, and product teams because the failure is a journey design issue, not a single control failure. Organisations should define ownership for phone-based assurance, document when SMS is acceptable, and align the policy to fraud-risk appetite and customer impact.
Technical breakdown
How recycled number fraud breaks phone ownership checks
Recycled number fraud works because the system checks reachability rather than continuity. A number can still receive SMS, pass carrier validation, and look legitimate even after reassignment to a new user. Legacy fraud stacks often evaluate tenure without tracking disconnect events, reassignment history, or ownership churn, so the control proves possession of the line, not the identity of the person using it. That gap matters most in low-friction workflows where a simple SMS response can unlock account recovery or new-account creation.
Practical implication: validate number continuity, not just reachability, before using a phone signal to approve recovery or authentication.
Why eSIM abuse changes the attack economics for fraud teams
eSIMs let attackers provision and discard phone identities in software, which reduces the cost of repeated abuse and makes reputation-based controls less effective. When a number can be rotated quickly, signal history becomes short-lived and easy to reset. That means fraud models built around stable device or SIM ownership will increasingly misread temporary, automated phone use as ordinary mobility. The operational problem is not just spoofing. It is the speed at which trust can now be manufactured and abandoned.
Practical implication: treat rapid SIM or device churn as a risk signal and feed it into step-up decisions and account recovery policy.
Where static phone policies fail in account recovery and step-up auth
Static phone policies fail when they equate SMS delivery with trust. Delivery confirms only that a message reached a line, not that the current user owns that line or that the request is legitimate. In account recovery, that distinction is critical because attackers target the moment when organisations intentionally reduce friction. Modern policy engines need to combine ownership continuity, churn, and reputation to decide whether a phone number still deserves trust in the transaction context.
Practical implication: remove SMS-only approval paths for recovery and use multi-signal policy decisions for high-risk customer journeys.
Threat narrative
Attacker objective: The attacker aims to convert temporary phone possession into durable account access, account takeover, or fraudulent onboarding approvals.
- Entry begins with a recycled or eSIM-enabled phone number that still appears valid to legacy systems.
- Escalation occurs when the attacker uses that borrowed trust to pass authentication, recovery, or account-opening checks.
- Impact follows as the fraudster takes over accounts, creates synthetic identities, or abuses step-up workflows at scale.
NHI Mgmt Group analysis
Phone number trust is now a governance problem, not just a fraud problem. Organisations have treated the phone number as a stable identity factor because it was operationally convenient, but recycled numbering and eSIM churn have broken that assumption. When a signal can be inherited, reassigned, or provisioned on demand, the control question becomes whether current ownership is provable, not whether the number is reachable. Practitioners should stop treating phone possession as a durable assurance factor.
Verification trust gap: this article illustrates the widening gap between what a phone signal appears to prove and what it actually proves. A delivered SMS is not evidence of continuity, intent, or legitimate ownership, yet many journeys still use it that way. That gap is where account recovery fraud and false approvals accumulate. Identity teams should reclassify phone-based evidence as contextual, not authoritative.
Fraud controls that depend on static thresholds will continue to miss software-defined phone abuse. The article describes exactly why pattern matching alone fails when numbers can be recycled at scale and eSIMs can be rotated instantly. This is the same operational weakness seen when identities are evaluated as snapshots rather than as lifecycle states. The practitioner conclusion is to move from fixed rules to transaction-level policy enforcement.
Where phone numbers are used for authentication, governance must extend into reassignment and recovery workflows. That means the control boundary is not just enrolment, but the full lifecycle of the phone signal across ownership changes, dormant periods, and account recovery. The identity programme should decide which flows may ever trust SMS, which need stronger step-up factors, and which should be removed from approval entirely. The conclusion is stricter journey design, not more friction everywhere.
This is one more example of borrowed trust becoming the dominant fraud pattern. Fraudsters increasingly exploit signals that were once trustworthy because they inherited reputation from a previous owner, device, or session. The same pattern affects machine and human identity programmes whenever continuity is assumed rather than verified. Teams should map every high-risk journey to the trust signal that can be borrowed most easily.
What this signals
Verification trust gap: fraud teams should now treat phone-based assurance as a dynamic risk signal rather than a durable proof of identity. The practical shift is toward continuity, churn, and ownership history, with stronger policy at the exact moments where recovery and step-up friction create the highest abuse opportunity.
The wider programme implication is that identity governance and fraud operations need a shared decision model for high-risk journeys. Where the same phone signal influences onboarding, authentication, and recovery, organisations need one policy boundary for when that signal is allowed to decide access and when it must only inform it.
For practitioners
- Implement ownership-continuity checks for phone numbers Add reassignment, disconnect, and churn signals to every high-risk phone-based journey so the system can distinguish a live line from a legitimately owned line. Use those signals before account recovery and before SMS step-up decisions.
- Remove SMS-only recovery paths Require an additional factor or stronger identity proofing for account reset and dormant account reactivation, especially where the phone number has changed ownership history or shows suspicious tenure.
- Classify eSIM and SIM churn as a policy input Feed rapid SIM changes, device-to-number mismatch, and temporary number patterns into fraud policy so automated abuse cannot repeatedly reset its reputation.
- Review phone-based assurance in identity governance Document which customer journeys still rely on phone possession as an assurance factor, then retire it where continuity cannot be verified or where the fraud impact is high.
Key takeaways
- Phone numbers no longer behave like stable identity anchors, so SMS possession cannot be treated as proof of current ownership.
- Recycled numbering and eSIM churn let fraudsters inherit trust and move faster than static phone controls can respond.
- The right control response is lifecycle-based phone assurance, with continuity checks, stronger recovery logic, and explicit policy boundaries for SMS use.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
NIST SP 800-63 and NIST CSF 2.0 set the technical controls, while GDPR define the regulatory obligations.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST SP 800-63 | SP 800-63B | Phone-based authentication and recovery map to digital identity assurance concerns. |
| NIST CSF 2.0 | PR.AC-1 | Phone trust is an access control issue when it gates account recovery or authentication. |
| GDPR | Art.32 | Identity verification using phone data can implicate security of processing and data protection obligations. |
Map phone-based assurance to PR.AC-1 and restrict SMS where ownership continuity cannot be proven.
Key terms
- Recycled Phone Number Fraud: Fraud that exploits the reassignment of previously used phone numbers. A number can still appear reachable and legitimate after ownership changes, allowing attackers to pass SMS-based checks and exploit trust built by the previous owner.
- eSIM Abuse: The misuse of software-provisioned mobile identities to create, rotate, or discard phone access quickly. It lowers the cost of abuse because attackers can change numbers and devices in software, weakening controls that assume long-lived ownership.
- Ownership Continuity: The ability to show that a phone number still belongs to the same user over time. It is stronger than reachability because it includes disconnects, reassignment, tenure, and churn signals, which are essential for trustworthy authentication and recovery decisions.
- Verification Trust Gap: The mismatch between what an identity signal seems to prove and what it actually proves. In phone-based fraud, a delivered SMS may confirm message delivery, but it does not confirm the current user’s ownership, intent, or legitimacy.
What's in the full article
Prove Identity's full blog covers the operational detail this post intentionally leaves for the source:
- Signal logic for distinguishing recycled numbers from legitimately retained lines in live transactions
- How the Global Fraud Policy evaluates ownership continuity, carrier disconnect events, and churn patterns
- Operational handling of account opening, recovery, and SMS step-up flows when phone trust is degraded
- Why explainable reason codes matter for fraud, risk, and engineering teams during policy enforcement
Deepen your knowledge
NHI Foundation Level course, the industry's only accredited NHI security programme, covers NHI governance, identity lifecycle, and secrets management for practitioners who need stronger control over access signals and recovery paths. It gives security and identity teams a common framework for governing high-risk identity signals across their programmes.
Published by the NHIMG editorial team on 2026-03-01.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org