India Cracks Down on Messaging App Fraud: SIM Binding Now Mandatory

India's Department of Telecommunications (DoT) has issued a significant directive requiring popular messaging applications to link with active SIM cards, aiming to combat a surge in cyber fraud and misuse. The directive requires apps like WhatsApp, Telegram, and Signal to operate only while tied to a user's active SIM, closing a loophole exploited by criminals.

Key Takeaways

  • Messaging apps must continuously link to an active SIM card.

  • Web sessions will be automatically logged out every six hours.

  • The directive aims to curb phishing, scams, and cross-border fraud.

  • Apps have 90 days to comply, with reporting required within 120 days.

Strengthening Telecom Cybersecurity

The DoT's directive amends the Telecommunications (Telecom Cyber Security) Rules, 2024, to address the misuse of telecommunication identifiers. Previously, messaging apps could function even after a SIM card was removed or deactivated, enabling anonymous scams and impersonation tactics, often from outside India. Long-lived web sessions further complicated tracing efforts, allowing fraudsters to control accounts remotely without the original device or SIM.

New Mandates for Messaging Apps

Under the new rules, app-based communication services must remain continuously linked to the SIM card installed in the device, making it impossible to use the app without that active SIM. Additionally, web service instances of these platforms will be periodically logged out, requiring users to re-link their device via a QR code every six hours. This periodic re-authentication is designed to reduce account takeover attacks and remote misuse.

The government emphasizes that these restrictions ensure every active account and its web sessions are tied to a Know Your Customer (KYC)-verified SIM. This enhances traceability, allowing authorities to identify numbers used in various scams, including phishing, investment fraud, digital arrest scams, and loan scams. These measures are an extension of similar SIM-binding practices already in place for banking and instant payment apps using India's Unified Payments Interface (UPI).

Combating Cross-Border Fraud

Officials stated that the SIM-binding directions are crucial for closing a security gap exploited by bad actors for large-scale, cross-border fraud. The ability of accounts to remain active after SIM removal or deactivation abroad facilitated criminal activity using Indian numbers without fresh verification. The six-hour auto-logout for web versions aims to shut down these prolonged sessions and force re-authentication, significantly reducing the scope for account takeover and mule account operations.

Industry Response and User Impact

While some cybersecurity professionals have raised concerns about potential workarounds, industry groups like the Cellular Operators Association of India (COAI) have welcomed the move, noting that mandatory SIM binding strengthens the link between users, their numbers, and devices, thereby reducing spam and financial scams. For users, the changes may introduce minor inconveniences, such as the need for periodic re-authentication on web versions, but are expected to lead to a more secure messaging experience. Platforms that fail to comply face penalties under the Telecommunications Act, 2023.
