TL;DR: Recycled mobile numbers can redirect SMS-based login and recovery flows to new subscribers, creating account takeover and fraud exposure across social, banking, healthcare, and e-commerce accounts, according to IDlayr. The trust assumption is the problem: number ownership is not the same as SIM-linked identity, so mobile login controls need stronger binding than SMS OTP alone.
NHIMG editorial — based on content published by IDlayr: El ENORME problema de la identidad e inicio de sesión a través del móvil - Recycled Numbers by Paul McGuire
By the numbers:
- In the United Kingdom, mobile providers typically recycle numbers within 70 to 180 days.
- A study of 259 recycled numbers found that 215 were effectively recycled and remained vulnerable to exploitation.
- Only 5.7% of organisations have full visibility into their service accounts.
Questions worth separating out
Q: How should organisations handle recycled phone numbers in account recovery flows?
A: Organisations should treat recycled numbers as untrusted recovery channels unless the current SIM or subscriber identity is re-verified.
Q: Why do phone-number based login methods create account takeover risk?
A: They create risk because the control follows the number, not the person.
Q: What do security teams get wrong about SMS OTP?
A: They often assume SMS OTP proves identity when it actually proves message delivery to a phone number.
Practitioner guidance
- Remove SMS OTP from high-risk recovery paths Keep SMS only where the blast radius is low and pair it with stronger factors for account recovery, banking, healthcare, and admin access.
- Bind mobile identity to SIM-aware verification Validate the current number together with SIM-linked attributes such as ICCID and IMSI before issuing or restoring access.
- Review all number-based recovery workflows Inventory every product that uses a phone number for login, reset, or step-up access, then remove any path that still assumes the number belongs to the original user.
What's in the full article
IDlayr's full article covers the operational detail this post intentionally leaves for the source:
- The mechanics of MSISDN, ICCID, and IMSI binding for SIM-aware verification
- The practical differences between SMS OTP and deterministic mobile identity checks
- The customer-facing and fraud-control implications of recycled-number re-verification
- The article's own walkthrough of how mobile operators recycle numbers across markets
👉 Read IDlayr's analysis of recycled mobile numbers and mobile identity risk →
Recycled mobile numbers: what it means for login and IAM controls?
Explore further
Number ownership is not identity ownership: mobile login flows fail when they treat a recycled number as proof of continuity. The number can move, the SIM can change, and the account recovery path still points at the wrong person. Practitioners should treat phone-number-based trust as a fragile external dependency, not an identity control.
A few things that frame the scale:
- 91.6% of secrets remain valid five days after the targeted organisation is notified, showing a critical gap in remediation procedures, according to the Ultimate Guide to NHIs.
- 79% of organisations have experienced secrets leaks, with 77% of these incidents resulting in tangible damage, according to the Guide to the Secret Sprawl Challenge.
A question worth separating out:
Q: What is the difference between number possession and verified mobile identity?
A: Number possession means a device can receive messages sent to a phone number. Verified mobile identity means the platform has checked that the current number, SIM, and subscriber context still match the trusted subject. The difference is critical because only the second model can detect recycled numbers and block silent account takeover.
👉 Read our full editorial: Mobile identity risk from recycled numbers breaks login trust