India mandates SIM-linked messaging apps to fight rising fraud

India ordered messaging apps to work only with active SIM cards linked to users’ phone numbers to curb fraud and misuse.

India’s Department of Telecommunications (DoT) now requires providers of messaging apps to work only with active SIM cards linked to users’ numbers to prevent fraud and misuse.

“The Department of Telecommunications (DoT) has observed that some of the App Based Communication Services that are utilizing Indian Mobile Number for identification of its customers/users or for provisioning or delivery of services, allows users to consume their services without availability of the underlying Subscriber Identity Module (SIM) within the device in which App Based Communication Services is running. This feature is being misused to commit cyber-frauds especially from operating outside the country.” reads the announcement published by the DoT.

Indian Government now requires messaging apps such as WhatsApp, Telegram, Signal, Snapchat, and others that rely on Indian mobile numbers as user identifiers to comply with new SIM-binding rules within 90 days. The amendment to the 2024 Telecom Cyber Security Rules aims to curb fraudulent activities such as phishing, scams, and cyber fraud by preventing the misuse of telecom identifiers.

Web sessions must auto-logout within six hours. Apps have 90 days to implement and 120 days to report. The measure aims to close a security gap exploited for large-scale, cross-border fraud, where accounts stay active even after a SIM is removed, deactivated, or taken abroad.

“Long‑lived web/desktop sessions let fraudsters control victims’ accounts from distant locations without needing the original device or SIM, which complicates tracing and takedown. A session can currently be authenticated once on a device in India and then continue to operate from abroad, letting criminals run scams using Indian numbers without any fresh verification.” continues the statement. “Auto‑logout every 6 hours (its only for web version and not for App version) shuts down such long web-sessions and forces periodic re‑authentication with control of the device/SIM, sharply reducing scope for account takeover, remote‑access misuse and mule‑account operations. Frequent re‑authentication forces criminals to repeatedly prove control of the device/SIM, raising friction and detectability.”

Mandatory SIM–device binding and periodic logouts tie every account and web session to a live, KYC-verified SIM, improving traceability in phishing, digital arrest, loan and investment scams. The rule doesn’t affect users roaming with their SIMs. With cyber-fraud losses topping ₹22,800 crore in 2024, these Telecom Cyber Security measures aim to curb identifier misuse and restore trust. Similar device-binding practices used in banking are now extended to communication apps heavily abused in cyber fraud.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, messaging apps)