The government has recently mandated continuous SIM-device binding for instant messaging applications, citing cyber-fraud losses exceeding Rs 22,800 crore in 2024 alone. The Ministry of Communications announced the move on Monday, calling it "essential to plug a concrete security gap" that cybercriminals are exploiting for large-scale, often cross-border, digital frauds. Now, in a release, the ministry has clarified that these rules will have no impact on standard use.
Plugging the Security Gap
The Department of Telecommunications (DoT) emphasised that the SIM-binding directions are a proportionate measure under the Telecom Cyber Security Rules, designed to prevent the misuse of telecom identifiers, ensure traceability, and protect public trust in India's digital ecosystem.
The core issue being addressed is the current ability of accounts on instant messaging and calling apps (such as WhatsApp, Telegram, and Signal) to remain active even after the associated SIM is removed, deactivated, or moved abroad. The DoT release highlighted how this security lapse enables:
- Anonymous scams and remote 'digital arrest' frauds.
- Government-impersonation calls using Indian numbers.
- Criminals operating from outside the country.
How the new directives work
The mandate requires that every active account and web session be anchored to a live, KYC-verified SIM. This restores the traceability of numbers used in various scams, including phishing, investment frauds, digital arrest scams, and loan scams.
| Feature | Description |
Impact on Security
|
| Mandatory Continuous SIM-Device Binding | The app-based communication service will only function if the associated SIM is present and active in the user's device. |
Prevents criminals from running scams using Indian numbers without fresh verification.
|
| Periodic Session Logout | Web/desktop sessions will automatically log out every six hours (app versions are unaffected). |
Shuts down long web-sessions and forces periodic re-authentication, sharply reducing scope for account takeover, remote-access misuse, and mule-account operations.
|
| Re-authentication | Frequent re-authentication forces criminals to repeatedly prove control of the device/SIM. |
Increases friction and detectability for fraudulent activity.
|
No impact on standard use
The Ministry of Communications assured that the new direction does not affect cases where the SIM is present in the handset and the user is on roaming. The mechanism is similar to security measures widely used in banking and payment apps to prevent account takeover and misuse from untrusted devices.
The directive impacts all players providing app-based communication services in India, including WhatsApp, Telegram, Signal, Arattai, Snapchat, Sharechat, Jiochat, and Josh. All these services have been directed to submit compliance reports to the DoT within 120 days. The department warned that failure to comply will lead to action under the Telecommunications Act, 2023, and other applicable laws.
The DoT asserted its commitment to making India a cyber secure nation.
ALSO READ: BSNL relaunches viral Rs 1 Freedom Plan following massive customer demand
