Mobile phone numbers function as single keys to banking, government, and commerce, making the Subscriber Identity Module (SIM) a critical element of security. In April 2025, South Korea’s largest carrier experienced a SIM breach that compromised authentication keys and exposed nearly 27 million subscriber identifiers. We conducted semi-structured interviews with mental-model elicitation (N=33) to examine user awareness, responses, and understanding of SIM-based authentication. Results reveal a pronounced awareness–action gap: participants recognized the breach yet held incomplete mental models, perceived little personal risk, and rarely acted protectively, even when affected. Learned helplessness, reliance on carriers, and the invisibility of SIM shaped these passive responses. Brief educational interventions improved conceptual understanding but seldom produced lasting behavioral change. Our findings demonstrate how technical opacity and psychological factors jointly inhibit protective action and offer design implications for usable security, emphasizing interventions that realign users’ mental models with system risks to foster sustainable practices.
ACM CHI Conference on Human Factors in Computing Systems