India’s Department of Telecommunications has issued a new directive for messaging apps. They must now ensure that their platforms only work with an active SIM card linked to the user’s mobile number.
This move targets major messaging services in India, including WhatsApp, Telegram, and Signal, which use Indian mobile numbers for user identification. Compliance is mandated within 90 days.
The directive amends the Telecommunications (Telecom Cyber Security) Rules, 2024. This is a critical step to combat phishing, online scams, and other cyber frauds. More details on the amendment can be found at dot.gov.in.
A key issue addressed is that many accounts continue to function even after the associated SIM card is removed or deactivated, enabling anonymous fraudulent activities. Remote ‘digital arrest’ scams using Indian numbers are a particular concern.
The DoT explained that long-lived web and desktop sessions allow fraudsters to control victims’ accounts from distant locations, complicating investigations. Such sessions keep working without the original device or SIM.
Under the new rules, app-based communication services must maintain a continuous link to the active SIM card in the device, making operation without it impossible.
Additionally, web sessions of these messaging platforms will be automatically logged out every six hours. After a logout, users will need to re-link their device, possibly via a QR code.
These measures aim to significantly reduce account takeover attacks, misuse through remote control, and the operation of ‘mule’ accounts by cybercriminals.
The requirement for repeated re-linking introduces extra friction, forcing threat actors to re-authenticate and prove ongoing control over an account.
Ultimately, these restrictions ensure that every active messaging app account and its web sessions are tied to a Know Your Customer (KYC)-verified SIM. This will allow authorities to trace numbers involved in various scams. Further information is available in a DoT statement: pib.gov.in.
These SIM-binding and automatic session logout protocols are already in place for banking and instant payment apps using India’s Unified Payments Interface (UPI) system. The new order extends this crucial security policy to messaging applications.
The DoT is also establishing a Mobile Number Validation (MNV) platform. This platform aims to curb the rise of ‘mule’ accounts and identity fraud linked to unverified mobile numbers in financial and digital services.
The MNV platform will allow service providers and government agencies to validate if a mobile number genuinely belongs to the person whose credentials are on record. This is expected to enhance trust in digital transactions. Another press release covers this: pib.gov.in.
Google has also taken steps in India, thwarting over 115 million attempts to install malicious applications, according to recent reporting. This proactive stance underscores the ongoing struggle against digital threats.
Further safeguards include a new pilot feature in India that alerts Android 11+ users when sensitive apps are opened during screen sharing calls with unfamiliar contacts, offering an immediate end to such calls. This adds another layer of protection.
Moreover, Google is developing Enhanced Phone Number Verification (ePNV), a new Android protocol designed to bolster sign-in security by replacing less secure SMS OTP flows with SIM-based verification. This is a significant improvement.
The landscape of mobile threats remains complex, with sophisticated Android trojans like BankBot-YNRK and DeliveryRAT actively stealing financial data. BankBot-YNRK notably targets numerous banking applications in India and Southeast Asia. Reports highlight the evolving tactics of these malicious programs.
Additionally, the misuse of NFC for payment data theft is a growing concern: hundreds of Android applications have been identified abusing NFC in this way since April 2024, emphasizing the need for constant vigilance against mobile fraud.

