India's Department of Telecommunications (DoT) has issued directions to app-based communication service providers to
ensure that the platforms cannot be used without an active SIM card linked to the user's mobile number.
To that end, messaging apps like WhatsApp, Telegram, Snapchat, Arattai, Sharechat, Josh, JioChat, and Signal that use an
Indian mobile number for uniquely identifying their users, in other words, a telecommunication identifier user entity
(TIUE), to comply with the directive within 90 days.
The amendment to the Telecommunications (Telecom Cyber Security) Rules, 2024, is seen as an attempt to combat the misuse
of telecommunication identifiers for phishing, scams, and cyber fraud, and ensure telecom cybersecurity. The DoT said
the SIM‑binding directions are crucial to close a security gap that bad actors are exploiting to conduct cross‑border
"Accounts on instant messaging and calling apps continue to work even after the associated SIM is removed, deactivated,
or moved abroad, enabling anonymous scams, remote 'digital arrest' frauds and government‑impersonation calls using
Indian numbers," the DoT said in a statement issued Monday.
"Long‑lived web/desktop sessions let fraudsters control victims' accounts from distant locations without needing the
original device or SIM, which complicates tracing and takedown. A session can currently be authenticated once on a
device in India and then continue to operate from abroad, letting criminals run scams using Indian numbers without any
The newly issued directive mandates that -
App Based Communication Services are continuously linked to the SIM card installed in the device and make it impossible
to use the app without that active SIM
The web service instance of the messaging platform is periodically logged out every six hours and then giving the users
to re-link their device via a QR code if necessary
In forcing periodic re‑authentication, the Indian government said the change reduces the scope for account takeover
attacks, remote control misuse, and mule account operations. What's more, the repeated re-linking introduces additional
friction in the process, necessitating that the threat actors prove they are in control again and again.
The DoT also noted that these restrictions ensure that every active account on the messaging app and its web sessions is
tied to a Know Your Customer (KYC)‑verified SIM, thereby allowing authorities to trace numbers that are used in
phishing, investment, digital arrest, and loan scams.
It's worth noting that the SIM-binding and automatic session logout rules are already applicable to banking and instant
payment apps that use India's Unified Payments Interface (UPI) system. The latest directions extend this policy to also
cover messaging apps. WhatsApp and Signal did not respond to requests for comment.
The development comes days after the DoT said a Mobile Number Validation (MNV) platform would be established to curb the
surge in mule accounts and identity fraud stemming from unverified linkages of mobile numbers with financial and digital
services. According to the amendment, such a request on the MNV platform can be placed by either a TIUE or a government
"This mechanism enables service providers to validate, through a decentralized and privacy-compliant platform, whether a
mobile number used for a service genuinely belongs to the person whose credentials are on record – thereby enhancing
trust in digital transactions," it said.