
Something about the SIM card has bothered me for a long time. We carry phones now that are faster than the computers that put people in space. We've been through generation after generation of networks, and yet the little card inside is essentially the same idea it was decades ago. It was built for one person: one phone, one number, one place, and a single thing to do: make a call. The strange part is how much we've stacked on top of that without ever updating the thing underneath. Businesses now run real operations through these cards, far past anything the technology was meant to handle.

Why Does This Problem Exist?

Part of the reason it's stuck is that the telecom layer underneath is locked. You can't encrypt at the SIM level, you can't change the protocol, and you can't add your own logic on top, because none of that is yours to change. The rules belong to the carrier, and the card simply does what those rules allow. That was fine when all anyone wanted was to reach another person.

Most companies make the same mistake here. They treat the SIM card as a consumer-grade item, the same throwaway thing an individual buys, when in practice they're relying on it as business infrastructure. A company using SIM cards for fleet management, employee communication, or automated verification is running modern operations on a consumer-era protocol that was never meant to carry them. And if the protocol itself cannot realistically be redesigned, the only place left to innovate is in how businesses use the SIM physically and operationally.

What Are The Downsides?

The ownership trap. This one needs a caveat, because the way it's usually told is wrong. Buy a number directly from a carrier, and it genuinely is yours; it's the cheapest arrangement there is, and in many countries you can move it to another carrier whenever you like. There's no ownership problem with the physical card itself, and that's the part most coverage gets backward.
The trap is the workaround businesses reach for instead: virtual number providers. They hold a contract with a real carrier, add their own fee on top for managing it, and keep the number in their own name. You pay twice, and the number is theirs, not yours, no matter how long you've used it. And the dependency runs deep. I ran a number through one of these providers for years, until their system stopped charging my card and I was given 2 days to find another way to pay or lose the number entirely. They can revoke it, reassign it, or shut it down, and the decision is never yours.

You have limited control, visibility, and flexibility. Once a SIM is inside an employee's phone, that employee effectively becomes the point of control. They can lose the device or leave the company. We learned this the hard way when a marketing director moved on: over the years, she'd registered most of our corporate accounts under her own mobile number, because that was the phone in her hand whenever something asked for one. When she left, the verification codes those accounts depended on kept going to a number we no longer had any way to reach, and getting back in meant a slow fight with each service, some of which simply refused to cooperate. There's no central dashboard to reassign, audit, or manage it remotely.

On top of that, a virtual provider hands the number to one person, not a team. Sharing it, so a colleague can cover when someone's out, takes IT configuration that most smaller companies don't have the expertise to set up.

The numbers themselves can also work against you. In the Netherlands, a virtual provider can only issue a longer, non-standard number, never a regular mobile one, and those are easy to spot as automated business lines, the kind people instinctively decline.

The cost compounds, too. Buy direct from a carrier, and a number runs you a couple of euros a month.
The same number, through a middleman, runs ten to fifteen, sometimes twenty, and you pay it whether the number is used or not. Put real figures on it: at 15 euros a month, that's 180 euros a year. Multiply by a team of fifty, and you're spending nine thousand euros a year, against roughly twelve hundred if you'd bought those same fifty numbers straight from the carrier. That's close to eight thousand euros, every year, for nothing but the privilege of not owning your own numbers.

There are real security concerns. The risks fall into three categories: tracking, interception, and account takeover. A SIM card continuously broadcasts its location as it moves between cell towers, so the network always has a rough fix on where it is. For most people, that's nothing; for someone in defense, or managing a high-profile figure, or any role where being followed is a threat, it's a genuine danger.

The older protocols make it worse. On 2G, a phone has no way to verify that the tower it connects to is legitimate, because the base station is never authenticated. The US National Institute of Standards and Technology has documented how fake towers exploit exactly this, forcing a phone down onto 2G to intercept it.

There's also SIM-swap risk, where someone convinces a carrier to move a business number onto another device. The embedded SIM doesn't fully address these concerns: the European Union Agency for Cybersecurity has flagged risks such as eSIM swapping and profile tampering. It expects these risks to grow as more devices adopt it.

Some companies try to work around these problems with dedicated security phones that rotate codes and numbers, adding extra hardware and complexity to the mix. You carry a special device, maybe a special router too, and change credentials constantly. But it still doesn't work the way it's supposed to. The fundamental problem is that you're still carrying a tracking device.
Rotate anything you want – different numbers, different codes, different protocols – and if you're alone in an unpopulated area, in a field, or anywhere without cellular density, you're still broadcasting from a physical device that can be traced. The rotation helps, but it doesn't solve the exposure. The security phones also fragment your infrastructure: you need separate devices, separate management, separate expertise, and most companies don't have that expertise in-house. None of this buys you the control you'd expect from the complexity cost. It's a partial measure for a problem that has a root cause.

The lost asset. Because the SIM lives in a phone that people carry everywhere, it goes missing constantly. Something like 20 to 30 percent of cards are reported for replacement each year, and most of that is plain loss rather than a card failing. Amsterdam alone loses more than a thousand phones to its canals every year, each one with a SIM and everything tied to it inside.

What Are The Possible Solutions?

There are three ways to deal with this.

Manage the risk manually. Assign numbers to roles instead of people, enforce strict offboarding, and avoid SMS-only two-factor authentication. It helps, but it addresses none of ownership, visibility, or cost.

Use a virtual number provider. The protocol is identical to what a carrier uses, so you gain nothing technically, and the ownership and flexibility problems stay exactly where they were. The dependency only gets deeper, since the provider is the one who can decide to block the number.

Decouple the SIM from the physical device. Instead of trying to secure a phone you carry, remove the SIM card entirely. The card comes out of the employee's phone and goes into a fixed, secure box on the company's premises, which can be accessed remotely over the internet. The business maintains its direct contract with the carrier, so it owns the number outright and manages it from one place, as it would any other shared asset.
None of this requires the telecom network underneath to change.

What makes this a different kind of solution rather than another virtual provider is that the box exposes the number via an open REST API. That sounds technical, but the consequence is simple: the number can plug into the systems a business already runs, its CRM, its scheduling tools, its automation. Several people can use one number at the same time. A company can manage a whole fleet of numbers from a single interface and set rules about who receives what. And a number can be reassigned or shared in seconds, with no request to the carrier and no waiting.

That maps back onto the problems from earlier almost line for line. You own the number, so there's no provider to depend on, and you manage the whole set centrally instead of losing sight of each one in someone's pocket. The card sits in a controlled location rather than broadcasting from a handset, and the traffic between the box and the authorized phone is encrypted end to end, with the key held only on those two devices. The proxy in between carries only encrypted data and no identifying information, and calls route directly between the parties when possible, so there's little for anyone in the middle to intercept or trace.

Take that marketing director again. Had her number lived in the fixed location instead of on her personal phone, her leaving would have changed nothing: the verification codes would land somewhere the team can see them, and the number would pass to whoever took over her work, with every account built on it still running.

Keeping the SIM in one place solves a few smaller things as well. The card stays in its home country, so verification texts that fail when a number is roaming abroad arrive normally. And losing a phone stops being a crisis, because the number was never inside it.

In an ideal world, I don't think there would be much difference between what a business needs from a phone number and what an individual needs.
If you can give a company strong security and real control over its numbers, you can give the same to a person, and there's no good reason to leave individuals with the weaker version. None of this waits on new technology, either; the card, the carrier, and the contract already exist. So if owning and controlling a number properly takes nothing more than changing where the card physically sits, why have we spent so long assuming it had to be otherwise?
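
The manual controls from the first option (numbers assigned to roles, strict offboarding, no SMS-only two-factor) and the ownership question from the downsides can be checked against an account inventory. The audit below is an added example, not part of the original article; the inventory layout, finding names, and all sample values are constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Number:
    msisdn: str
    holder: str           # role name or person name
    holder_is_role: bool  # True when assigned to a role, not an individual
    contract: str         # "carrier" (company owns it) or "virtual" (provider owns it)

@dataclass(frozen=True)
class Account:
    service: str
    verify_number: str    # number that receives this account's verification codes
    second_factors: frozenset

# Constructed sample inventory (placeholder numbers, hypothetical names).
NUMBERS = {n.msisdn: n for n in [
    Number("+000000000001", "support-desk", True, "carrier"),
    Number("+000000000002", "marketing.director", False, "carrier"),
    Number("+000000000003", "sales-line", True, "virtual"),
]}
DEPARTED = {"marketing.director"}
ACCOUNTS = [
    Account("ads-platform", "+000000000099", frozenset({"sms"})),  # personal phone
    Account("crm", "+000000000002", frozenset({"sms", "totp"})),
    Account("newsletter", "+000000000003", frozenset({"sms"})),
    Account("helpdesk", "+000000000001", frozenset({"sms", "totp"})),
]

def audit(accounts, numbers, departed):
    """Return sorted (service, finding) pairs for every control that fails."""
    findings = []
    for acct in accounts:
        num = numbers.get(acct.verify_number)
        if num is None:
            # Codes go to a number the company does not manage at all.
            findings.append((acct.service, "UNMANAGED_NUMBER"))
        else:
            if not num.holder_is_role:
                findings.append((acct.service, "ASSIGNED_TO_PERSON"))
                if num.holder in departed:
                    findings.append((acct.service, "HOLDER_DEPARTED"))
            if num.contract == "virtual":
                findings.append((acct.service, "PROVIDER_OWNS_NUMBER"))
        if acct.second_factors == {"sms"}:
            findings.append((acct.service, "SMS_ONLY_2FA"))
    return sorted(findings)

if __name__ == "__main__":
    for service, finding in audit(ACCOUNTS, NUMBERS, DEPARTED):
        print(f"{service:14} {finding}")
```
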
View original source — Hacker Noon ↗

