TL;DR: Account takeover fraud remains a major consumer and enterprise risk because attackers can exploit SIM swaps, call forwarding, and device changes to intercept one-time passwords, according to Prove Identity. The underlying issue is that OTP delivery still assumes the receiving phone number is trustworthy at decision time, which is no longer a safe assumption.
At a glance
What this is: This is an analysis of how OTP-based authentication can be subverted by telephony abuse, with real-time phone signal intelligence positioned as the control point for ATO detection.
Why it matters: It matters because IAM and fraud teams need to treat phone-number trust as a dynamic risk signal, not a static authentication factor, especially where account recovery and transaction approval still depend on SMS or voice OTPs.
By the numbers:
- In 2022 alone, account takeovers hit 22% of US adults and represented nearly $288 billion in fraud.
- ATOs hit 22% of US adults and represented nearly $288 billion in fraud.
- Trust Score+ leverages phone number signals from the core telephony infrastructure, proprietary data sources, and Prove's 15+ years of phone data.
👉 Read Prove Identity's analysis of how Trust Score+ addresses account takeover fraud
Context
Account takeover fraud persists because many identity flows still assume the phone number is a trustworthy delivery channel for one-time passwords. That assumption breaks when attackers can redirect, duplicate, or hijack the phone path while leaving the account owner's credentials apparently intact.
For IAM and fraud teams, the issue is not whether OTPs work in the abstract, but whether they remain trustworthy at the moment of transaction. Real-time phone intelligence shifts the control point from static enrollment trust to behavioral risk assessment during high-risk events such as password changes, money movement, and phone number updates.
Key questions
Q: How should security teams reduce account takeover risk in OTP-based login flows?
A: Security teams should stop treating OTP delivery as proof that the right person is present. Instead, they should combine phone-number intelligence, carrier data, and device history to score the transaction at the moment it matters. If the phone has changed recently or call forwarding is enabled, step-up or block the action before OTP-based access is granted.
Q: Why do SIM swaps and call forwarding increase account takeover risk?
A: Because they attack the delivery channel, not just the password. If an attacker can redirect SMS or voice OTPs, the code still appears valid while reaching the wrong device. That makes the account look authenticated even though the legitimate user never saw the challenge, which is why channel trust must be evaluated continuously.
Q: What do fraud teams get wrong about one-time passwords?
A: They often assume the OTP is the control, when the real control is the integrity of the path that delivers it. OTPs can still be useful, but only when paired with real-time risk signals that detect device swaps, SIM churn, and forwarding anomalies. Without that context, the factor is easy to redirect.
Q: Who should own account takeover detection when phone signals are involved?
A: Ownership should be shared between IAM and fraud operations because the same event affects authentication assurance, recovery policy, and financial risk. A common decision path helps avoid siloed responses where one team approves access while another team sees the same number as compromised.
Technical breakdown
Why OTP delivery fails when telephony signals change
One-time passwords are easy to deploy because they piggyback on an existing phone number, but that convenience hides a brittle trust model. If an attacker can change the underlying route by SIM swap, device swap, or call forwarding, the OTP reaches the wrong recipient while the authentication flow still appears valid. The failure is not the code itself, but the assumption that the delivery channel remains bound to the legitimate user throughout the transaction.
Practical implication: treat phone-number trust as a runtime input to authentication, not as a fixed property established at enrollment.
How SIM tenure and change velocity expose account takeover risk
Phone intelligence systems look for signals such as repeated SIM changes, device churn, and unusual call-forwarding settings. These are weak on their own, but together they indicate that the number has undergone recent state changes inconsistent with normal customer behaviour. In fraud operations, combining multiple low-confidence indicators is more useful than relying on any single rule, because attackers often try to stay just below alert thresholds.
Practical implication: build decisioning that scores combinations of telephony changes instead of alerting only on one isolated event.
Transaction-level decisioning for high-risk OTP events
The important architectural shift is to evaluate trust where the risk actually occurs. Password resets, payment approvals, account recovery, and phone-number changes should trigger a fresh risk assessment using device and carrier context, rather than a blind OTP challenge. This moves the organisation from after-the-fact fraud review to pre-action containment, where the system can reject, step up, or route for review before the transfer of control completes.
Practical implication: bind phone-signal risk checks to high-value actions and require step-up or manual review when the score changes materially.
Threat narrative
Attacker objective: The attacker wants to intercept the OTP path, gain trusted access to the account, and use that access to commit fraud or redirect communications.
- Entry occurs when attackers obtain a victim's PIN, exploit social engineering, or abuse telephony workflows such as SIM swaps and call forwarding to redirect OTP delivery.
- Escalation follows when the attacker uses the intercepted OTP to authenticate, reset credentials, or take over the account while appearing to the system as a legitimate phone holder.
- Impact is the unauthorised takeover of the account, enabling fraud, diversion of messages or calls, and downstream financial or identity abuse.
Breaches seen in the wild
- MongoBleed breach — MongoBleed exposed secrets across 87K MongoDB servers.
- IOS app secrets leakage report — iOS apps leaking hardcoded secrets and credentials endangering user privacy.
Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.
NHI Mgmt Group analysis
OTP trust debt: SMS and voice-based one-time passwords create a false sense of assurance because the factor is treated as proof of presence when it is really proof of channel access. Once telephony routing can be altered, the authentication control is no longer anchored to the user. The practical conclusion is that organisations must stop treating phone delivery as a stable identity assertion.
Identity fraud here is a channel integrity problem, not just a credential problem. The article's core evidence points to SIM swaps, call forwarding, and device theft as the enabling conditions behind many account takeovers. That means the governance question is whether the organisation can trust the communication path at the moment of use, not whether the OTP format is familiar. Practitioners should model phone trust as a mutable signal with explicit expiry.
Real-time risk scoring is the right pattern for high-friction identity moments. Password changes, account recovery, and money movement are not ordinary authentication events; they are control transitions. If telephony state changes sharply around those moments, the account should be treated as under active attack until proven otherwise. The implication is that IAM and fraud teams need shared decisioning rather than separate views of the same transaction.
Phone-number intelligence belongs in identity governance, not only fraud operations. The same data that flags account takeover risk can also inform recovery policy, step-up thresholds, and exception handling for vulnerable users. That makes telephony context part of broader identity assurance design, especially where SMS remains embedded in customer journeys. The practical consequence is that identity and fraud teams need a single risk vocabulary for phone-based authentication.
From our research:
- 91.6% of secrets remain valid five days after the targeted organisation is notified, showing a critical gap in remediation procedures, according to Ultimate Guide to NHIs.
- From our research: Only 5.7% of organisations have full visibility into their service accounts, which is why unmanaged identity paths persist across both machine and human-facing flows.
- For a broader breach view: 52 NHI Breaches Analysis shows how exposed credentials and weak lifecycle controls repeatedly turn access into impact.
What this signals
Phone trust has become a live identity signal, not a one-time enrolment fact. Teams that still rely on SMS OTP as a default assurance layer should expect more false confidence, because the delivery route can be manipulated after enrolment. The practical shift is to make telephony state part of the decisioning stack wherever account recovery or high-value transactions are involved.
Channel integrity is the named concept practitioners should track. When the integrity of the phone path deteriorates through SIM swaps, device changes, or call forwarding, identity assurance fails even if the OTP format itself remains unchanged. That makes identity and fraud teams dependent on the same signal set, and governance should reflect that shared ownership.
The control gap is especially visible in recovery journeys, where an attacker often needs only one successful phone-based challenge to turn a temporary foothold into durable account access. With 91.6% of secrets still valid five days after notification in our research, delayed revocation remains a wider identity problem, not just an OTP problem.
For practitioners
- Score phone trust at the moment of use Bind carrier and device signals to password resets, account recovery, and payment events so the decision reflects current telephony state rather than enrollment history.
- Treat SIM and call-forwarding changes as risk inputs Combine SIM velocity, SIM tenure, device swap history, and call-forwarding status into one decisioning model so telephony manipulation is visible before OTP delivery succeeds.
- Separate recovery policy from default authentication Use stronger checks for recovery and number-change workflows than for routine sign-in, because attackers often wait for the moment when the account can be re-bound.
- Create shared fraud and IAM review paths Route high-risk phone-number events into a common queue so identity and fraud teams can review the same signal set and make one containment decision.
Key takeaways
- Account takeover fraud succeeds when organisations trust the phone number more than the transaction context.
- SIM swaps, call forwarding, and device changes show that OTP delivery is only as strong as the telephony path behind it.
- Real-time carrier and device intelligence gives IAM and fraud teams a practical way to stop takeovers before the account is re-bound.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
OWASP Non-Human Identity Top 10 address the attack and risk surface, while NIST CSF 2.0, NIST SP 800-53 Rev 5 and CIS Controls v8 set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Non-Human Identity Top 10 | NHI-05 | Phone-number trust and OTP abuse map to identity assurance and credential misuse. |
| NIST CSF 2.0 | PR.AA-1 | Account takeover prevention depends on verified identity at the point of access. |
| NIST SP 800-53 Rev 5 | IA-5 | OTP and phone-based authenticator handling fits authenticator management. |
| CIS Controls v8 | CIS-6 , Access Control Management | ATO mitigation depends on controlling access decisions and recovery paths. |
Treat phone-based authentication as a risk signal and pair it with stronger verification for sensitive actions.
Key terms
- Account Takeover: Account takeover is the unauthorised capture of a legitimate user account by an attacker. In practice, the attacker may keep the original credentials intact while hijacking the recovery, authentication, or delivery channel that lets them act as the user.
- One-Time Password: A one-time password is a short-lived code used to prove possession of a factor during authentication or recovery. It is only as strong as the channel delivering it, which means SMS and voice OTPs inherit risk from telephony abuse and routing manipulation.
- SIM Swap: A SIM swap is the transfer of a phone number to a different SIM card, usually through carrier processes. In fraud scenarios, it becomes a takeover method because the attacker receives the victim's calls and texts, including OTPs and recovery messages.
- Call Forwarding: Call forwarding redirects incoming calls from one number to another destination. For identity security, it matters because voice-based OTPs and verification calls can be intercepted if forwarding has been enabled without the user's knowledge.
What's in the full article
Prove Identity's full blog covers the operational detail this post intentionally leaves for the source:
- A detailed breakdown of SIM swap, call forwarding, and device swap scenarios that can defeat SMS or voice OTPs.
- The specific trust indicators Prove says its phone-number scoring uses, including SIM tenure and change velocity.
- Examples of high-risk events where transaction-level phone intelligence is applied, such as money movement and password changes.
- The vendor's implementation framing for combining carrier data with decisioning protocols in live fraud flows.
Deepen your knowledge
NHI governance, agentic AI identity, and machine identity lifecycle are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are building or maturing an IAM programme, it is worth exploring.
Published by the NHIMG editorial team on July 11, 2026.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org