WhatsApp, Telegram, Signal: India makes it mandatory for platforms to function with active SIM cards only

New Delhi: Logging into WhatsApp Web will soon require frequent verification, as sessions will now automatically expire every six hours and users will be prompted to re-link their device via a QR code.

India has made it mandatory for messaging platforms such as WhatsApp, Telegram, and Signal to function only when linked to an active SIM card associated with an Indian mobile number.

The government said this “SIM-binding” measure is crucial to closing security loopholes that enable cybercriminals — including those operating from abroad — to carry out large-scale digital fraud.

The Department of Telecommunications (DoT) has directed app-based communication services to ensure that their platforms cannot be used without continuous SIM authentication.

Under the amended Telecommunications (Telecom Cyber Security) Rules, 2024, platforms such as WhatsApp, Telegram, Snapchat, Arattai, ShareChat, Josh, JioChat, and Signal — which authenticate users through Indian mobile numbers — must comply with the new security requirements within 90 days. It is also clarified that the direction does not affect cases where the SIM is present in the handset, and the user is on roaming.

Currently, app-based communication services link to a subscriber’s mobile SIM card only during installation and verification. These applications continue to function even if the SIM is removed, replaced, or deactivated.

Why is this for?

The move aims to prevent misuse of telecom identifiers for phishing, scams, cyber fraud, and cross-border crime.

The DoT said the change addresses a key vulnerability where accounts continue to remain active even after the associated SIM card is removed, deactivated, or used abroad.

Long-running web or desktop sessions have allowed scammers to remotely control victim accounts from outside the country without needing the original device or SIM.

This loophole has made it difficult to trace and disable fraudulent operations conducted using Indian numbers.

Key directives issued

Messaging services must remain continuously linked to the SIM card installed on the user’s device.

Apps must become unusable if the linked SIM becomes inactive.

Web and desktop sessions must automatically log out every six hours, requiring re-verification via QR code.

The government said periodic re-authentication will reduce account takeovers, remote misuse, and mule account operations by forcing threat actors to repeatedly prove control over devices.

Tying every active account to a KYC-verified SIM will improve traceability of numbers involved in phishing, investment scams, “digital arrest” extortion, and fraudulent loan recovery operations.

Similar SIM-binding rules are already in place for UPI-based banking and payment apps. The new directions extend the security mandate to messaging platforms as well.

All players offering app-based communication services in India have been asked to submit compliance reports to the Telecom Department within 120 days of the directive.