The HUGE issue with mobile-based identity & login – Recycled Numbers

Using a mobile number as an identity credential feels natural in today’s mobile-first, app-driven world, and it should be. But beneath the convenience lies a serious risk.
When mobile numbers are used without being securely linked to the underlying SIM card, serious security gaps are created. Mobile Network Operators (MNOs) routinely recycle inactive mobile numbers and re-issue them, with a new SIM card, to new users. This process can happen quickly, sometimes within just weeks.
The risk is that the new owner of the number can reach any online account the previous owner set up with that number as a login identifier or recovery channel: social media, bank accounts, health records, e-commerce accounts. The new owner need not be malicious; a routine password reset on an app they install themselves can land them in someone else’s account.
The result? Accidental account takeovers, fraud, and reputational damage for the businesses involved.
It’s a big risk, but there is an easy solution: linking the mobile number to the SIM card itself. But to understand why that’s critical, let’s first look at how recycled numbers happen and why they’ve become such a persistent security threat.
Why Numbers Get Recycled
Global demand for mobile numbers continues to climb, but the pool of available numbers is limited. To keep up, MNOs routinely recycle inactive numbers. Depending on the market, this can happen in as little as a week. A number that was once linked to a bank account, social media profile, or medical app could inadvertently be reassigned to a new customer.
- In the United States, roughly 35 million phone numbers are recycled annually, necessitated by the finite pool of assignable numbers
- In the UK, mobile providers typically recycle numbers within a 70-180 day timeframe
- A study that sampled 259 numbers offered to new subscribers found that 215 had previously belonged to someone else and remained vulnerable to exploitation
The Security Risk
When mobile numbers are used as digital identifiers for online accounts, recycled numbers – those reassigned to new users after being disconnected – can create serious security and privacy risks. A new owner may unknowingly gain access to the previous owner’s accounts through password resets, two-factor authentication codes, or linked services still tied to that number. This can lead to account takeovers, data exposure, and even financial fraud.
- Account takeover: Password resets and 2FA SMS messages are delivered to the wrong person.
- Messaging hijack: Services like WhatsApp or Telegram can be claimed by the new owner.
- Fraud chaining: Once inside one account, attackers can pivot and attempt to gain access to bank accounts, digital wallets, and other linked services.
It’s not just users at risk. Brands that rely on SMS OTP or mobile number recovery expose themselves to reputational damage when recycled numbers open the door to fraud.
Why SMS OTP Makes It Worse
SMS one-time passwords (OTPs) are problematic in this context because they prove only that whoever currently controls the phone number received the message; they say nothing about whether the SIM or device behind that number is the one the account was set up with. When a number is recycled or transferred, the OTP is delivered to the new holder, who gains unintended access to someone else’s accounts. SMS can also be diverted through SIM swap attacks or network-level exploits, so the same weakness is exploitable on demand rather than only by chance. In short, SMS OTP assumes the person holding the number is the rightful account owner, which breaks down as soon as numbers are reassigned or compromised.
The Better Way: SIM-based Authentication
The solution is not to abandon mobile numbers – they are too important – but, rather, to verify them correctly.
Every mobile number (the MSISDN) is served by a SIM (physical or eSIM). The SIM carries two identifiers of its own: the ICCID, the serial number of the card itself (the one printed on it), and the IMSI (International Mobile Subscriber Identity), which identifies the subscription and is provisioned onto the SIM by the MNO. The MNO’s subscriber database maps the MSISDN to the IMSI currently serving it, and that mapping changes whenever the number is recycled or the subscriber is issued a replacement SIM. It is this combination of mobile number and SIM identity that needs to be checked when using mobile as an identity credential.
If your verification method only checks the mobile number (which is what SMS OTP does) and not the SIM behind it, you will not notice when the number is recycled, and you expose user data and PII and enable unauthorized account access.
By verifying not just the mobile number, but also the SIM card, you can ensure that the SIM currently linked to that number is legitimate, active, and matches the user’s established digital identity. If the number has been recycled or the SIM has changed, the system can detect the mismatch and trigger a re-verification process before granting access. By binding the number, SIM, and verified identity together, platforms can maintain a “live” trust link that automatically breaks when the number is reassigned – eliminating the risk of old accounts being exposed to new number holders.
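To make the check concrete, here is an added Python sketch of the enrol-then-recheck flow described above. It is illustration written for this page, not IDlayr’s product code. The operator query is a stub over constructed records (the `lookup` function, the MSISDNs, IMSIs and ICCIDs are all made up); a real deployment would obtain the current IMSI/ICCID for an MSISDN from the MNO or an aggregator. The server stores an HMAC over the identifiers rather than the raw IMSI/ICCID, so a database leak does not hand out subscriber identities.

```python
"""Bind an MSISDN to its SIM at enrolment and re-check the binding at login.

Added example for this page, not IDlayr code. The operator lookup is a stub
over constructed data; identifiers below are invented, not real subscribers.
"""
import hashlib
import hmac
from dataclasses import dataclass
from enum import Enum
from typing import Callable, Dict, Optional, Tuple


class Decision(Enum):
    ALLOW = "allow"        # number and SIM match what was enrolled
    REVERIFY = "reverify"  # step up: re-prove identity, then re-bind


@dataclass(frozen=True)
class SimRecord:
    """What the operator reports for an MSISDN: the SIM currently serving it."""
    imsi: str   # subscription identity provisioned on the SIM
    iccid: str  # serial number of the SIM card itself


@dataclass(frozen=True)
class Binding:
    """Server-side record: an HMAC over the identifiers, never the raw IMSI/ICCID."""
    msisdn: str
    sim_tag: bytes


# Assumed interface: returns None when the number is unassigned or inactive.
Lookup = Callable[[str], Optional[SimRecord]]


def sim_tag(key: bytes, msisdn: str, rec: SimRecord) -> bytes:
    msg = f"{msisdn}|{rec.imsi}|{rec.iccid}".encode()
    return hmac.new(key, msg, hashlib.sha256).digest()


def enroll(store: Dict[str, Binding], key: bytes, msisdn: str, lookup: Lookup) -> Binding:
    """Record the SIM serving the number right now (after the user has proven identity)."""
    rec = lookup(msisdn)
    if rec is None:
        raise ValueError(f"{msisdn} is not active at the operator; cannot bind")
    binding = Binding(msisdn, sim_tag(key, msisdn, rec))
    store[msisdn] = binding
    return binding


def check_login(store: Dict[str, Binding], key: bytes, msisdn: str,
                lookup: Lookup) -> Tuple[Decision, str]:
    """Compare the enrolled binding with the SIM currently behind the number."""
    binding = store.get(msisdn)
    if binding is None:
        return Decision.REVERIFY, "not_enrolled"
    rec = lookup(msisdn)
    if rec is None:
        # Number is in quarantine or disconnected: nobody should log in on it.
        return Decision.REVERIFY, "number_inactive"
    if not hmac.compare_digest(binding.sim_tag, sim_tag(key, msisdn, rec)):
        # Either the number was recycled or the SIM was swapped; the app cannot
        # tell which, and both require the user to re-prove identity.
        return Decision.REVERIFY, "sim_changed"
    return Decision.ALLOW, "binding_intact"


def run_demo() -> Dict[str, Tuple[Decision, str]]:
    """Walk one number through enrolment, quarantine and reassignment."""
    key = b"server-side-secret-rotate-me"  # assumption: per-deployment key held in a KMS
    directory: Dict[str, Optional[SimRecord]] = {  # constructed operator records
        "+447700900123": SimRecord("234150000000001", "8944110000000000001"),
        "+447700900456": SimRecord("234150000000002", "8944110000000000002"),
    }
    lookup: Lookup = lambda m: directory.get(m)
    store: Dict[str, Binding] = {}
    enroll(store, key, "+447700900123", lookup)
    enroll(store, key, "+447700900456", lookup)

    # Months later: 456 lapses, sits in quarantine, then is issued on a new SIM.
    directory["+447700900456"] = None
    quarantined = check_login(store, key, "+447700900456", lookup)
    directory["+447700900456"] = SimRecord("234150000000777", "8944110000000000777")
    recycled = check_login(store, key, "+447700900456", lookup)

    return {
        "unchanged": check_login(store, key, "+447700900123", lookup),
        "quarantined": quarantined,
        "recycled": recycled,
        "unknown": check_login(store, key, "+447700900999", lookup),
    }


if __name__ == "__main__":
    for case, (decision, reason) in run_demo().items():
        print(f"{case:12s} -> {decision.value:8s} ({reason})")
```

The point of the design is that an SMS OTP alone never upgrades a session: the new holder of +447700900456 can receive any number of codes and still hits `sim_changed`, which routes them to full re-verification rather than into the previous subscriber’s account.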
Building a foundation of trust with Mobile Identity
Recycled numbers are just one example of how legacy approaches like SMS OTP can no longer secure digital services. The future lies in real-time, deterministic mobile identity: verifying mobile numbers securely with the MNO in realtime, binding numbers to SIMs, and removing the human from the security model.
This shift not only reduces fraud but also delivers the frictionless experience users now expect and creates a solid foundation of trust on which to build a complete online identity.
Discover more on how IDlayr can help you solve Recycled Number risk.