India’s Department of Telecommunications (DoT) has directed app-based telecom service providers to ensure that their platforms cannot be used without an active SIM card linked to a user’s mobile number.
To this end, messaging apps like WhatsApp, Telegram, Snapchat, Arattai, Sharechat, Josh, JioChat and Signal, which are classed as Telecommunications Identified User Entities (TIUEs) because they use Indian mobile numbers to uniquely identify users, will have to comply with the directive within 90 days.
The amendments to the Telecommunications (Telecommunications Cybersecurity) Regulations, 2024 are seen as an attempt to counter the misuse of telecommunications identifiers for phishing, fraud and cyber fraud and to ensure telecommunications cybersecurity. The DoT says the SIM binding directive is critical to closing the security gap that bad actors are exploiting to commit cross-border fraud.
“Instant messaging and calling app accounts remain functional even after the associated SIM is removed, disabled, or moved abroad, enabling anonymous fraud, remote ‘digital arrest’ fraud, and government impersonation calls using Indian numbers,” the department said in a statement on Monday.
“The long-lived nature of web/desktop sessions complicates tracking and deletion, as fraudsters can control victims’ accounts from a remote location without requiring the original device or SIM. Currently, once a session is authenticated on an Indian device, it can continue operating from abroad, allowing criminals to use Indian numbers to commit fraud without any new verification.”
The newly issued directive requires:
- App-based communication services to be continuously linked to the SIM card installed in the user's device, so that the app cannot be used without an active SIM.
- The messaging platform’s web service instance to be logged out periodically, every 6 hours, with users able to relink their devices via a QR code if necessary.
By forcing periodic re-authentication, the Indian government said, the changes will reduce the possibility of account takeover attacks, remote control abuse and mule account manipulation. Repeated relinking also adds friction to the process, requiring the attacker to prove their control over and over again.
The DoT also pointed out that these restrictions will link all active accounts on the messaging app and its web sessions to a Know Your Customer (KYC) verified SIM, allowing authorities to trace numbers used for phishing, investment, digital arrest and loan fraud.
It is worth noting that SIM binding and automatic session logout rules are already applicable to banking and instant payment apps that use India’s Unified Payments Interface (UPI) system. The latest instructions extend this policy to apply to messaging apps as well. WhatsApp and Signal did not respond to requests for comment.
The development comes days after the DoT announced that a mobile number verification (MNV) platform will be established to curb the proliferation of mule accounts and identity fraud resulting from the unverified association of mobile numbers with financial and digital services. According to the proposed amendments, verification requests to the MNV platform can be made by TIUEs or government agencies.
“This mechanism allows service providers to verify, through a decentralized, privacy-compliant platform, whether a mobile phone number used for a service truly belongs to the person whose credentials are on record, thereby increasing the trust in digital transactions,” the report said.