Are Your Customers Alive? Why Not Knowing Could Undermine the United Nations


Guest post by Maryam Hassny for Axon Labs

Princeton’s study “Security and Privacy Risks of Number Recycling at Mobile Carriers in the United States” found that:

  • U.S. carriers disconnect about 35 million numbers every year.
  • In a sample of 259 recycled numbers, 171 were still tied to existing online accounts at major services, around 66%.
  • The researchers estimate that roughly one million recycled numbers at any time may expose previous owners to takeover or privacy risks, and that’s just in the USA.

In other words, there is a nirvana for fraudsters out there which is currently unaddressed, and it comes back to identity and the SIM.

At the extreme end of the spectrum, weak KYC and liveness-free registration feed directly into industrial SIM farms and SIMboxes. In September 2025, the U.S. Secret Service dismantled a hidden telecom network in the New York area. They found at least 300 SIM servers and over 100,000 SIM cards distributed across vacant properties within about 35 miles of the UN General Assembly venue. The network had the capacity to send an estimated 30 million text messages per minute, with the potential to jam 911 calls and disrupt cell service for large parts of NYC.

    This is the real backdrop to “registering another SIM”: photo, video, and mask attacks at the edge; recycled numbers that still anchor entire digital identities; and SIM farms that weaponise every gap in SIM registration, port-out, and number-recycling controls.

    The Stakes

    SIM registration has moved far beyond paper forms, photocopied IDs, and a quick signature at a retail counter. Today, operators are tying mobile identities to national ID databases, digital KYC workflows, and always-on apps that sit at the centre of banking, social media, and government services. That makes each SIM a high-value security asset far above and beyond a way to make calls and send texts.

    Basic SIM registration based on an ID scan, a selfie, and manual agent review is no longer enough. Attackers now abuse number recycling, SIM swap, and weak SMS one-time password [OTP] flows to hijack accounts at scale, even when operators technically “followed the rules.” If the system never checks whether a real, live human is in front of the camera at the moment of onboarding, the entire chain of trust is fragile.

    Photos, Videos, Masks, and SIM Farms

    When you zoom in on real SIM fraud, the weak point isn’t “bad paperwork”; it’s attacks that attempt to fool the biometric capture device with artefacts instead of a live human. In SIM registration journeys that still rely on a selfie plus manual agent review, fraudsters typically rotate through three main attack types:

    • Photo attacks. Quite simply, high-resolution printed photos or faces shown on another screen. Basic systems that only check for a face and some minimal motion often accept these as “real” captures, especially in low-light retail environments.
    • Video replay attacks. Pre-recorded selfie clips or deepfake videos replayed on a second device to satisfy “blink”, “smile”, or “turn your head” prompts. Modern Presentation Attack Detection [PAD] guidance explicitly calls out replay attacks as a baseline threat that liveness engines must detect, not an edge case.
    • Mask attacks (2D/3D masks). Silicone, latex, or 3D-printed masks that mimic a target’s face. Weak security systems that never really check depth, texture, or multi-angle consistency can accept these masks during SIM registration or SIM-swap flows. ISO/IEC 30107-3 Level 2 testing includes exactly these mask scenarios.

    Without strong, standards-aligned liveness detection in the loop, each new activation is another potential node in someone else’s fraud infrastructure. Legacy SIM registration took place in shops and call centers with paper IDs, weak selfies, and guessable security questions. Fraudsters reuse stolen documents and borrowed identities to spin up scam SIM fleets, while biometric schemes in Bangladesh rarely checked presence, leaving systems open to video, photo, and mask attacks at scale.

    The New Risk Landscape for SIM Registration and Number Recycling

    The problem is that recycled numbers often stay linked to banking, email, and social accounts. Attackers browse carrier portals, pick targets, and trigger SMS OTP flows to hijack accounts via normal interfaces.

    For telcos, every SIM registration on a recycled MSISDN becomes a high-risk activity with the potential for significant customer impacts, demanding stronger checks, monitoring, and fraud analytics.

    As a result, regulators now push beyond basic KYC and anti-money laundering [AML] checks, tying SIM registration to national ID, SIM caps, and audit trails. They expect biometric proofing plus liveness, device binding, and anomaly detection for SIM changes. Operators that comply with ISO 30107 PAD and iBeta-tested liveness show stronger compliance and win trust from banks and governments.

    What Liveness Detection Adds to Biometric SIM Registration

    At a technical level, facial recognition answers “Who is this?”, while liveness detection or PAD answers “Is this a real, present human, not a spoof?”.

    ISO/IEC 30107-3 formalises test protocols and attack levels, from low-cost printed photos and screen replays up to sophisticated 2D/3D masks and deepfake-driven video streams. Independent labs such as iBeta validate PAD systems against these threats and report penetration rates across attack types.

    SIM registration becomes much harder to fool when liveness checks are part of the default pipeline. Proven systems have achieved 0% penetration in Level 1 and Level 2 PAD tests, even against high-quality masks and screens. In a telecom context, that means blocking most photo, replay, and commodity mask attacks, and sharply raising the cost of remote identity fraud around SIM swap, SIM recovery, and port-out attempts.

    The process creates a short-lived SIM registration and liveness session on an application, issues a one-time token, and sets policies (attempt limits, expiry). On the client side, a mobile or web SDK opens the camera, runs passive or passive-active liveness, and captures a high-quality session image. On the backend it verifies the face against ID or national registry (where legal) and runs number-recycling risk checks. Then finally a decision matrix combines liveness, face match, device fingerprint, IP risk, and recycling status to approve SIM registration, trigger an escalation, or send to a manual review, thereby blocking most low-cost spoofing.
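
A backend sketch of the session policy and decision matrix described above, as an added example that is not code from the post or from any vendor. All thresholds, field names and outcome labels are assumptions chosen for illustration; biometric failures go to manual review, while device, IP and recycling risk trigger an escalation.

```python
import hmac
import secrets
import time
from dataclasses import dataclass, field

# Assumed policy values for illustration; the post does not specify any.
SESSION_TTL_S, MAX_ATTEMPTS = 300, 3
LIVENESS_MIN, FACE_MATCH_MIN = 0.90, 0.85
MAX_SIMS_PER_DEVICE, RECYCLE_COOLDOWN_DAYS, IP_RISK_MAX = 3, 90, 0.7

@dataclass
class Session:
    msisdn: str
    token: str = field(default_factory=lambda: secrets.token_urlsafe(32))
    created: float = field(default_factory=time.time)
    attempts: int = 0
    used: bool = False

def redeem(session, presented_token, now=None):
    """Enforce expiry, attempt limit and one-time use before any scoring."""
    now = time.time() if now is None else now
    if session.used or now - session.created > SESSION_TTL_S:
        return False
    session.attempts += 1  # count every try, including wrong tokens
    if session.attempts > MAX_ATTEMPTS:
        return False
    if not hmac.compare_digest(session.token.encode(), presented_token.encode()):
        return False
    session.used = True  # the token is single-use
    return True

def decide(sig):
    """Map the five signals to approve / escalate / manual_review."""
    # A failed liveness or face-match check is never auto-approved.
    if sig["liveness"] < LIVENESS_MIN or sig["face_match"] < FACE_MATCH_MIN:
        return "manual_review", ["biometric_below_threshold"]
    reasons = []
    if sig["sims_on_device"] > MAX_SIMS_PER_DEVICE:
        reasons.append("device_reuse")  # bulk registration from one device
    if sig["ip_risk"] > IP_RISK_MAX:
        reasons.append("ip_risk")
    days = sig["days_since_recycled"]  # None means the number was never recycled
    if days is not None and days < RECYCLE_COOLDOWN_DAYS:
        reasons.append("recently_recycled_msisdn")
    return ("escalate" if reasons else "approve"), reasons
```

Returning the reason list alongside the outcome gives the audit trail and fraud analytics something concrete to record for each registration.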

    Regular Action

    The strategic shift is to move from “check ID and store a selfie” to continuous, biometric, liveness-verified SIM registration and lifecycle control, with explicit attention to number recycling risks. Use real iBeta-grade liveness attack data to pressure-test your SIM registration and number recycling flows, so that fraudsters, not your customers, hit a wall.

    Operators, MVNOs, and regulators who act early will not only reduce fraud losses but also earn trust from banks, fintechs, and governments that rely on mobile numbers as critical identity anchors.
