India's Department of Telecommunications (DoT) has issued sweeping new cybersecurity directives requiring all app-based communication service providers operating in India to enforce continuous verification that users maintain active SIM cards linked to their accounts. The amendment to the Telecommunications (Telecom Cyber Security) Rules, 2024, mandates that messaging platforms including WhatsApp, Telegram, Snapchat, Signal, Arattai, ShareChat, Josh, and JioChat comply within 90 days, fundamentally restructuring how these services operate to combat sophisticated cross-border fraud operations that exploit telecommunications identifiers.
The DoT's directive specifically targets what authorities describe as a critical vulnerability enabling remote fraud operations. Currently, accounts on instant messaging and calling applications continue functioning even after the associated SIM cards are removed, deactivated, or physically moved abroad. This design feature, intended for user convenience, has created opportunities for criminals to conduct anonymous scams, "digital arrest" frauds, and government-impersonation calls using Indian mobile numbers without maintaining a physical presence in India.
"Long-lived web/desktop sessions let fraudsters control victims' accounts from distant locations without needing the original device or SIM, which complicates tracing and takedown," the DoT stated in its Monday announcement. "A session can currently be authenticated once on a device in India and then continue to operate from abroad, letting criminals run scams using Indian numbers without any fresh verification."
This operational gap has enabled organized fraud networks to establish accounts using Indian telecommunications identifiers, authenticate them once within India's jurisdiction, then operate indefinitely from foreign locations beyond law enforcement reach while maintaining the appearance of domestic operations.
The new directive establishes two fundamental requirements that messaging platforms must implement:
Continuous SIM-Binding Verification: App-based communication services must continuously verify that the SIM card originally used for registration remains active and installed in the device. If the SIM is removed, deactivated, or replaced, the messaging account must immediately cease functioning until re-verification occurs with an active, KYC-verified SIM card.
Mandatory Six-Hour Session Logout: All web and desktop instances of messaging platforms must automatically log out users every six hours, requiring re-authentication through device-based QR code scanning or similar verification methods. This periodic re-linking requirement forces threat actors to repeatedly prove control over both the device and the active SIM card, substantially increasing operational friction for fraud networks.
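The two requirements above, expressed as a server-side session gate in Python. This is an added example, not code from the DoT directive or from any messaging platform; the SimState values, the Account and WebSession records, and the way SIM state reaches the server are assumptions, since the directive as quoted here does not specify a mechanism.

```python
from dataclasses import dataclass
from enum import Enum

SESSION_MAX_AGE_S = 6 * 60 * 60  # six-hour cap on web/desktop sessions

class SimState(Enum):  # hypothetical states reported by the primary device
    ACTIVE = "active"
    REMOVED = "removed"
    DEACTIVATED = "deactivated"
    REPLACED = "replaced"

@dataclass
class Account:
    number: str
    sim_state: SimState  # assumption: last SIM state known to the server

@dataclass
class WebSession:
    account: Account
    linked_at: float  # epoch seconds of the last QR link or re-link
    last_seen: float  # epoch seconds of the last accepted request

def check_session(session: WebSession, now: float):
    """Decide whether a web/desktop request may proceed: (allowed, reason)."""
    state = session.account.sim_state
    # SIM binding: any state other than ACTIVE suspends the account at once.
    if state is not SimState.ACTIVE:
        return False, "sim_" + state.value
    # Absolute lifetime: measured from the last re-link, not from activity.
    # A negative age (clock skew or tampering) fails closed.
    age = now - session.linked_at
    if age < 0 or age >= SESSION_MAX_AGE_S:
        return False, "relink_required"
    session.last_seen = now  # activity is recorded but never extends linked_at
    return True, "ok"

def relink(session: WebSession, now: float) -> bool:
    """QR re-link from the primary device; refused unless the SIM is active."""
    if session.account.sim_state is not SimState.ACTIVE:
        return False
    session.linked_at = now
    session.last_seen = now
    return True
```

The cap is an absolute timeout rather than an idle timeout: a continuously active session still expires six hours after its last re-link.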
By forcing periodic re-authentication, Indian authorities aim to reduce several specific attack vectors:
Account Takeover Prevention: Continuous verification makes it substantially harder for attackers who have compromised credentials to maintain persistent access without also controlling the physical device and SIM card.
Remote Control Mitigation: Fraudsters operating from foreign locations can no longer maintain indefinite control over Indian-registered accounts after initial authentication.
Mule Account Disruption: The regulations target "mule accounts" (legitimate accounts fraudulently transferred or rented to criminal networks for scam operations) by requiring ongoing verification that the original registered user maintains control.
The DoT noted that SIM-binding and automatic session logout requirements already apply to banking applications and instant payment platforms using India's Unified Payments Interface (UPI) system. The latest directive extends these proven security measures to messaging and communication platforms, recognizing that these apps have become primary vectors for phishing, investment fraud, digital arrest scams, and loan fraud operations.
The continuous verification requirement ensures that every active messaging account and associated web session remains tied to a Know Your Customer (KYC)-verified SIM card, enabling law enforcement to trace mobile numbers used in fraudulent communications back to verified identities.
The directive arrives alongside the DoT's announcement of a forthcoming Mobile Number Validation (MNV) platform designed to combat identity fraud stemming from unverified linkages between mobile numbers and financial or digital services. The MNV platform will enable service providers to validate, through a decentralized, privacy-compliant system, whether mobile numbers genuinely belong to the individuals whose credentials are registered with those services.
"This mechanism enables service providers to validate, through a decentralized and privacy-compliant platform, whether a mobile number used for a service genuinely belongs to the person whose credentials are on record, thereby enhancing trust in digital transactions," the DoT stated.
As of this report, WhatsApp and Signal have not publicly commented on the directive. The 90-day implementation timeline requires substantial technical architecture modifications for platforms that currently support persistent web sessions and offline messaging functionality.
The regulations reflect India's broader strategy of asserting regulatory control over digital communication infrastructure to combat sophisticated fraud operations exploiting telecommunications systems. However, the mandatory six-hour logout requirement may significantly impact user experience, particularly for professionals and businesses relying on persistent desktop messaging access throughout workdays.