SIM-Binding Mandatory: DoT Orders WhatsApp, Telegram, Others To Comply Within 90 Days

The Department of Telecommunications has directed app-based communication firms to ensure that their services operate on mobile phones only when connected to a SIM card.

The directions also mandate them to complete the implementation in 90 days and submit the report in 120 days. The DoT's SIM‑binding directions are essential to plug a concrete security gap that cybercriminals are exploiting to run large‑scale, often cross‑border, digital frauds, the release said.

Accounts on instant messaging and calling apps continue to work even after the associated SIM is removed, deactivated or moved abroad, enabling anonymous scams, remote “digital arrest” frauds and government‑impersonation calls using Indian numbers.

Long‑lived web/desktop sessions let fraudsters control victims’ accounts from distant locations without needing the original device or SIM, which complicates tracing and takedown.

A session can currently be authenticated once on a device in India and then continue to operate from abroad, letting criminals run scams using Indian numbers without any fresh verification.

An feature for Auto‑logout every six hours (it's only for web version and not for App version) shuts down such long web-sessions and forces periodic re‑authentication with control of the device/SIM, sharply reducing scope for account takeover, remote‑access misuse and mule‑account operations.

Frequent re‑authentication forces criminals to repeatedly prove control of the device/SIM, raising friction and detectability.   

Mandatory continuous SIM–device binding and periodic logout ensure that every active account and web session is anchored to a live, KYC‑verified SIM, restoring traceability of numbers used in phishing, investment, digital arrest and loan scams.

The direction does not affect the cases where the SIM is present in the handset and the user is on roaming. With cyber‑fraud losses exceeding Rs 22,800 crore in 2024 alone, these uniform, enforceable directions under the Telecom Cyber Security Rules are a proportionate measure to prevent misuse of telecom identifiers, ensure traceability, and protect citizens’ trust in India’s digital ecosystem.

Device binding and automatic session logout are widely used in banking and payment apps to prevent account takeover, session hijacking and misuse from untrusted devices and accordingly extended to app‑based communication platforms that are now central to cyber frauds.