SIM-Binding Mandatory: DoT Orders WhatsApp, Telegram, Others To Comply Within 90 Days
The DoT's SIM‑binding directions are essential to plug a concrete security gap that cybercriminals are exploiting to run large‑scale, often cross‑border, digital frauds.
The Department of Telecommunications has directed app-based communication firms to ensure that their services operate on mobile phones only when connected to a SIM card.
Some of the app-based communication services that are utilising Indian mobile numbers for identification of its customers/users or for provisioning or delivery of services, allows users to consume their services without availability of the underlying SIM within the device in which app-based communication services are running. This feature is being misused to commit cyber-frauds, especially from operating outside the country, according to a release by the Ministry of Communications.
The issue of SIM binding in messaging apps and its misuse has been raised by multiple government bodies or agencies and an inter-ministerial group. The DoT reported having multiple discussions with major app-based communication services providers on the feasibility and importance.
The body then issued directions to such firms on Nov. 28 under the Telecom Cyber Security Rules to prevent the misuse of telecommunication identifiers and to safeguard the integrity and security of the telecom ecosystem. These include WhatsApp, Telegram, Snapchat, Arattai, Sharechat, Josh, Jiochat and Signal.
Directions mandate such App Based Communication Services to –
Ensure that the app-based communication services are continuously linked to the SIM card (associated with Mobile Number used for identification of customers/users or for provisioning or delivery of services) installed in the device, making it impossible to use the app without that specific, active SIM.
Ensure that the web service instance of the Mobile App, if provided, shall be logged out periodically (not later than six hours) and allow the facility to the user to re-link the device using QR code.
The directions also mandate them to complete the implementation in 90 days and submit the report in 120 days. The DoT's SIM‑binding directions are essential to plug a concrete security gap that cybercriminals are exploiting to run large‑scale, often cross‑border, digital frauds, the release said.
Accounts on instant messaging and calling apps continue to work even after the associated SIM is removed, deactivated or moved abroad, enabling anonymous scams, remote “digital arrest” frauds and government‑impersonation calls using Indian numbers.
Long‑lived web/desktop sessions let fraudsters control victims’ accounts from distant locations without needing the original device or SIM, which complicates tracing and takedown.
A session can currently be authenticated once on a device in India and then continue to operate from abroad, letting criminals run scams using Indian numbers without any fresh verification.
An feature for Auto‑logout every six hours (it's only for web version and not for App version) shuts down such long web-sessions and forces periodic re‑authentication with control of the device/SIM, sharply reducing scope for account takeover, remote‑access misuse and mule‑account operations.
Frequent re‑authentication forces criminals to repeatedly prove control of the device/SIM, raising friction and detectability.
Mandatory continuous SIM–device binding and periodic logout ensure that every active account and web session is anchored to a live, KYC‑verified SIM, restoring traceability of numbers used in phishing, investment, digital arrest and loan scams.
The direction does not affect the cases where the SIM is present in the handset and the user is on roaming. With cyber‑fraud losses exceeding Rs 22,800 crore in 2024 alone, these uniform, enforceable directions under the Telecom Cyber Security Rules are a proportionate measure to prevent misuse of telecom identifiers, ensure traceability, and protect citizens’ trust in India’s digital ecosystem.
Device binding and automatic session logout are widely used in banking and payment apps to prevent account takeover, session hijacking and misuse from untrusted devices and accordingly extended to app‑based communication platforms that are now central to cyber frauds.
