TL;DR: Phone numbers are no longer durable identity anchors because recycled numbering, eSIM abuse, and MVNO-driven churn let fraudsters exploit account opening, authentication, and recovery flows, according to Prove Identity. Static SMS and tenure checks now create false confidence while adding friction that still misses borrowed trust.
NHIMG editorial — based on content published by Prove Identity: How Prove’s Global Fraud Policy Stops Phone-Based Fraud Others Miss
By the numbers:
- When sampled, more than 80% of numbers available for reassignment were already recycled and susceptible to SMS-based account takeover.
- 97% of NHIs carry excessive privileges, increasing unauthorised access and broadening the attack surface.
Questions worth separating out
Q: What breaks when organisations still trust phone numbers as stable identity factors?
A: They confuse reachability with ownership.
Q: Why do recycled numbers and eSIM abuse increase account takeover risk?
A: Recycled numbers inherit historical trust, while eSIMs let attackers provision and discard phone identities quickly.
Q: How can security teams tell whether phone-based authentication is still working?
A: Look for continuity signals, not just delivery.
Practitioner guidance
- Implement ownership-continuity checks for phone numbers Add reassignment, disconnect, and churn signals to every high-risk phone-based journey so the system can distinguish a live line from a legitimately owned line.
- Remove SMS-only recovery paths Require an additional factor or stronger identity proofing for account reset and dormant account reactivation, especially where the phone number has changed ownership history or shows suspicious tenure.
- Classify eSIM and SIM churn as a policy input Feed rapid SIM changes, device-to-number mismatch, and temporary number patterns into fraud policy so automated abuse cannot repeatedly reset its reputation.
What's in the full article
Prove Identity's full blog covers the operational detail this post intentionally leaves for the source:
- Signal logic for distinguishing recycled numbers from legitimately retained lines in live transactions
- How the Global Fraud Policy evaluates ownership continuity, carrier disconnect events, and churn patterns
- Operational handling of account opening, recovery, and SMS step-up flows when phone trust is degraded
- Why explainable reason codes matter for fraud, risk, and engineering teams during policy enforcement
👉 Read Prove Identity's analysis of recycled phone number fraud and eSIM abuse →
Recycled numbers and eSIM abuse: what fraud teams need to change?
Explore further
Phone number trust is now a governance problem, not just a fraud problem. Organisations have treated the phone number as a stable identity factor because it was operationally convenient, but recycled numbering and eSIM churn have broken that assumption. When a signal can be inherited, reassigned, or provisioned on demand, the control question becomes whether current ownership is provable, not whether the number is reachable. Practitioners should stop treating phone possession as a durable assurance factor.
A question worth separating out:
Q: Who is accountable when phone-based recovery fails and an account is taken over?
A: Accountability usually sits across identity, fraud, and product teams because the failure is a journey design issue, not a single control failure. Organisations should define ownership for phone-based assurance, document when SMS is acceptable, and align the policy to fraud-risk appetite and customer impact.
👉 Read our full editorial: Phone-based fraud is breaking the trust model for account recovery