India’s Department of Telecommunications (DoT) has issued directions to app-based communication service providers to ensure that the platforms cannot be used without an active SIM card linked to the user’s mobile number.
To that end, messaging apps like WhatsApp, Telegram, Snapchat, Arattai, Sharechat, Josh, JioChat, and Signal that use an Indian mobile number for uniquely identifying their users, in other words, a telecommunication identifier user entity (TIUE), to comply with the directive within 90 days.
The amendment to the Telecommunications (Telecom Cyber Security) Rules, 2024, is seen as an attempt to combat the misuse of telecommunication identifiers for phishing, scams, and cyber fraud, and ensure telecom cybersecurity. The DoT said the SIM‑binding directions are crucial to close a security gap that bad actors are exploiting to conduct cross‑border fraud.
“Accounts on instant messaging and calling apps continue to work even after the associated SIM is removed, deactivated, or moved abroad, enabling anonymous scams, remote ‘digital arrest’ frauds and government‑impersonation calls using Indian numbers,” the DoT said in a statement issued Monday.
“Long‑lived web/desktop sessions let fraudsters control victims’ accounts from distant locations without needing the original device or SIM, which complicates tracing and takedown. A session can currently be authenticated once on a device in India and then continue to operate from abroad, letting criminals run scams using Indian numbers without any fresh verification.”
The newly issued directive mandates that –
- App Based Communication Services are continuously linked to the SIM card installed in the device and make it impossible to use the app without that active SIM
- The web service instance of the messaging platform is periodically logged out every six hours and then giving the users to re-link their device via a QR code if necessary
In forcing periodic re‑authentication, the Indian government said the change reduces the scope for account takeover attacks, remote control misuse, and mule account operations. What’s more, the repeated re-linking introduces additional friction in the process, necessitating that the threat actors prove they are in control again and again.
The DoT also noted that these restrictions ensure that every active account on the messaging app and its web sessions is tied to a Know Your Customer (KYC)‑verified SIM, thereby allowing authorities to trace numbers that are used in phishing, investment, digital arrest, and loan scams.
It’s worth noting that the SIM-binding and automatic session logout rules are already applicable to banking and instant payment apps that use India’s Unified Payments Interface (UPI) system. The latest directions extend this policy to also cover messaging apps. WhatsApp and Signal did not respond to requests for comment.
The development comes days after the DoT said a Mobile Number Validation (MNV) platform would be established to curb the surge in mule accounts and identity fraud stemming from unverified linkages of mobile numbers with financial and digital services. According to the amendment, such a request on the MNV platform can be placed by either a TIUE or a government agency.
“This mechanism enables service providers to validate, through a decentralized and privacy-compliant platform, whether a mobile number used for a service genuinely belongs to the person whose credentials are on record – thereby enhancing trust in digital transactions,” it said.