Subscribe to the Non-Human & AI Identity Journal

Notifications
Clear all

Recycled phone numbers: what it means for IAM and fraud teams


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 11936
Topic starter  

TL;DR: Recycled phone numbers let fraudsters inherit dormant account links, bypass SMS OTP recovery, and impersonate prior owners, according to Prove Identity. The core issue is not the number itself but the trust model that treats tenure as proof of current ownership, which breaks once reissuance occurs.

NHIMG editorial — based on content published by Prove Identity: Recycled Phone Numbers Fuel a Wave of "Silent" Fraud: Here's How to Fight Back

By the numbers:

Questions worth separating out

Q: How should organisations handle recycled phone numbers in account recovery flows?

A: Organisations should treat recycled numbers as untrusted recovery channels unless the current SIM or subscriber identity is re-verified.

Q: Why do recycled phone numbers create identity verification risk?

A: A recycled number can still look valid in a CRM even after it has been reassigned to a different consumer.

Q: What do security teams get wrong about using phone numbers as identity factors?

A: They often confuse possession of a number with durable identity assurance.

Practitioner guidance

  • Remove phone tenure from trust decisions Stop treating the age or historical use of a number as evidence of current ownership.
  • Harden SMS recovery paths Reclassify SMS OTP and phone-based password reset as high-risk flows, especially where they can override other factors.
  • Track number lifecycle changes Build controls that identify when a phone number is reassigned, not just when it is first enrolled.

What's in the full article

Prove Identity's full blog covers the operational detail this post intentionally leaves for the source:

  • Prove Identity's breakdown of the phone reputation, ownership, and primary-number signals used to assess recycled-number risk.
  • The article's explanation of how its Trust Score approach combines near-real-time phone activity with device information.
  • Examples of how risk tables are used to flag numbers associated with rented or recycled schemes.
  • The vendor's discussion of longitudinal phone evidence across 12+ years in the U.S. and 50 countries.

👉 Read Prove Identity's analysis of recycled phone number fraud and identity risk →

Recycled phone numbers: what it means for IAM and fraud teams?

Explore further

View Full Forum →  |  NHI Foundation Course →



   
Quote
(@mr-nhi)
Member Moderator
Joined: 2 months ago
Posts: 11491
 

Phone tenure is a trust assumption built for continuity, not reassignment. Legacy identity programmes often treat a phone number as a durable proxy for the person who once controlled it. That assumption fails the moment the number is recycled, because historical reputation does not prove current ownership. The implication is that phone-based identity must be evaluated as a mutable credential path, not a stable authenticator.

A few things that frame the scale:

  • 92% of organisations expose NHIs to third parties, raising concerns about supply chain security, according to the Ultimate Guide to NHIs.
  • 71% of NHIs are not rotated within recommended time frames, increasing the risk of compromise over time.

A question worth separating out:

Q: Who is accountable when recycled numbers lead to account takeover?

A: Account owners, IAM teams and product teams are jointly accountable because the failure sits in recovery design and lifecycle governance. If a system keeps accepting a reassigned number after ownership has changed, the organisation has not revoked an obsolete trust path. That is a governance failure, not just a user error.

👉 Read our full editorial: Recycled phone numbers expose the weakness in phone-based identity



   
ReplyQuote
Share: