New Directives for App-Based Communication Services
In a significant move aimed at bolstering cybersecurity, India’s Department of Telecommunications (DoT) has mandated that app-based communication service providers implement measures to ensure that their platforms require an active SIM card linked to the user’s mobile number. This directive specifically targets popular messaging applications such as WhatsApp, Telegram, Snapchat, Arattai, Sharechat, Josh, JioChat, and Signal, which must comply within a 90-day timeframe.
The recent amendment to the Telecommunications (Telecom Cyber Security) Rules, 2024, is a proactive step to mitigate the misuse of telecommunication identifiers, which have been exploited for phishing, scams, and various forms of cyber fraud. The DoT emphasized that these SIM-binding requirements are essential to close security loopholes that have been leveraged by malicious actors to perpetrate cross-border fraud.
In a statement released on Monday, the DoT highlighted the ongoing vulnerabilities: “Accounts on instant messaging and calling apps continue to function even after the associated SIM is removed, deactivated, or relocated abroad, facilitating anonymous scams and fraudulent activities.” The department pointed out that long-lived web or desktop sessions allow fraudsters to maintain control over victims’ accounts from remote locations without needing the original device or SIM, complicating efforts to trace and dismantle such operations.
The newly issued directive outlines several key requirements:
- App-based communication services must remain continuously linked to the SIM card installed in the device, rendering the app unusable without that active SIM.
- The web service instance of the messaging platform will be logged out every six hours, requiring users to re-link their device via a QR code if necessary.
This periodic re-authentication process is designed to reduce the risk of account takeover attacks and misuse of remote control features. By introducing additional friction into the user experience, the government aims to ensure that potential threat actors must repeatedly prove their control over the accounts they seek to exploit.
Moreover, the DoT noted that these restrictions will ensure that every active account on the messaging app, along with its web sessions, is linked to a Know Your Customer (KYC)-verified SIM. This linkage will facilitate the tracing of numbers involved in phishing, investment scams, digital arrests, and loan frauds.
It is important to mention that similar SIM-binding and automatic session logout rules are already in effect for banking and instant payment applications utilizing India’s Unified Payments Interface (UPI) system. The extension of this policy to messaging apps marks a significant expansion of regulatory oversight in the digital communication landscape.
In conjunction with these directives, the DoT recently announced the establishment of a Mobile Number Validation (MNV) platform aimed at addressing the rise of mule accounts and identity fraud linked to unverified mobile number associations with financial and digital services. This platform will allow both telecommunication identifier user entities (TIUEs) and government agencies to validate whether a mobile number genuinely belongs to the individual whose credentials are on record, thereby enhancing trust in digital transactions.
