India’s Department of Telecommunications (DoT) has introduced strict new rules requiring popular messaging platforms to operate only when linked to an active, KYC-verified SIM card. The move aims to curb rising cases of online fraud, identity misuse, and cross-border scams carried out through app-based communication services.
Under the revised Telecommunications (Telecom Cyber Security) Rules, 2024, apps such as WhatsApp, Telegram, Signal, Snapchat, Sharechat, Josh, JioChat, and Arattai — all of which identify users through Indian mobile numbers — must comply with the SIM-binding mandate within 90 days.
Closing Security Gaps Exploited by Scammers
According to the DoT, messaging accounts often remain active even after the associated SIM is removed, deactivated, or used abroad, creating opportunities for anonymous cybercrimes. Fraudsters have routinely taken advantage of persistent web and desktop sessions to remotely control victims’ accounts and execute scams disguised as government officials or financial authorities.
The DoT said the new requirements are designed to eliminate this loophole by ensuring accounts function only when continuously linked to the SIM installed on the device.
Key Requirements for Messaging Platforms
The government’s directive introduces several new compliance conditions:
- Mandatory SIM Binding: Messaging apps must stop functioning if the active SIM linked to the registered mobile number is not present on the device.
- Periodic Logout for Web Sessions: All web or desktop instances of the apps must automatically log out every six hours. Users may re-authenticate by scanning a QR code when needed.
- Enhanced Verification: Each active account must be tied to a SIM card backed by full KYC verification, allowing authorities to trace numbers involved in phishing, investment scams, and “digital arrest” frauds.
Officials say the periodic re-authentication requirement adds friction to fraudulent operations by forcing scammers to repeatedly prove device and SIM access — a hurdle that reduces the likelihood of long-term misuse.
Aligned With Financial Security Protocols
The SIM-binding framework has already been in place for banking and UPI-based payment applications to prevent account takeovers. The new directive extends this cybersecurity standard to messaging platforms that have become prime targets for impersonation and scam campaigns.
Messaging companies, including WhatsApp and Signal, have not yet commented on the government’s announcement.
Part of a Broader Anti-Fraud Push
The directive follows the DoT’s recent plans to launch a Mobile Number Validation (MNV) platform — a decentralized, privacy-compliant system enabling service providers and government agencies to verify whether a mobile number genuinely belongs to the user associated with it. Authorities say the platform will help curb mule accounts and fraudulent linkages across financial and digital ecosystems.
The DoT maintains that these combined measures will strengthen user trust, improve traceability, and significantly reduce cybercriminal activity exploiting Indian mobile numbers.
