Why SIM binding is key to securing India’s digital communications

As cyber fraudsters increasingly exploit loopholes in app-based communication services, the Department of Telecommunications has moved to strengthen India’s digital security framework through mandatory SIM binding and periodic web-session logouts.

Issued under the Telecom Cyber Security Rules, 2024, these directions seek to ensure that mobile-number–based services remain continuously linked to a live, KYC-verified SIM, improving traceability without compromising user privacy.

While implementation may pose technical challenges, the measures address a critical national security concern, curb misuse of Indian numbers from abroad, and reinforce trust in the country’s rapidly expanding digital ecosystem

ITS DOT is committed to making India a cyber-secure nation. In pursuit of this commitment, it has been observed that some of the App-Based Communication Services that are using mobile numbers for identification of their customers for the provision of services, allow users to access their services without a SIM in the device.

This feature is being misused by cyber fraudsters, especially those operating from other countries. The cyber criminals log into apps using inactive SIM cards, and, as there is no record of the actual location of the phone because of the absence of a SIM card inside the device, it is very difficult to track and trace the criminals.

This issue has been flagged by many government bodies and an inter- ministerial group. There has been a need that the users App app-based communication services are identifiable at all times without violating rules on users privacy and data.

After elaboratediscussions with the major App-Based Communication Service providers (WhatsApp, Telegram, Snapchat, Arattai, Sharechat, Josh, Jiochat, Signal), DOT issued certain directions to them on 28.11.2025 under the Telecom Cyber Security (TCS) Rules, 2024. These directions were issued to prevent misuse of telecom identifiers and to safeguard the integrity and security of the telecom ecosystem. It may be noted that TCS rules were not notified on 22nd October 2025as part of the Telecommunications Act.

As per these directions of DOT, (1) App-Based Communication Service should be continuously linked to the SIM card (mobile number used during sign-up) installed in the device. If the SIM is removed, replaced or inactivated, the service should not function until the original SIM is restored and revalidated.

(2) Web or desktop service of the App shall be logged out periodically (not later than 6 hours), allowing the facility to the user to relink the device using the QR code.

The implementation of these directions shall be completed in 90 days, and reports shall be submitted in 120 days. Failure of these firms to implement these directions would attract penalties.

As per the regulation passed by DOT, a company that uses mobile numbers as identifiers is now a “Telecommunication Identifier User Entity (TIUE)" and is regulated under the Telecom Act.

The mobile number, not the email address, is the prime identifier for most online services in India. In case they don’t want to abide by the SIM binding direction of DOT, they should not use the mobile number as an identifier.

The SIM binding is essential to plug a security gap that cyber criminals are exploiting to commit digital fraud. Accounts on instant messaging and calling Apps continue to work even after the associated SIM is removed, deactivated or moved abroad, enabling anonymous scams, remote digital arrests, frauds, and impersonating calls using Indian numbers.

Long-duration web/desktop sessions allow fraudsters to control victims’ accounts from distant locations without needing the original device or SIM, which complicates tracing. A session can currently be authenticated once on a device in India and then continue to operate from abroad, allowing criminals to run scams using Indian numbers without any fresh verification.

Auto-logout once every 6 hours shuts down such long web sessions and forces periodic re-authentication with control of the device/SIM, reducing the chance for account takeover, remote access misuse and mule account operations.

Frequent re-authentication forces criminals to repeatedly prove control of the device/SIM. This auto-logout mandate is only for the web version and not for the App version.

Mandatory continuous SIM/ device binding and periodic logout feature ensure that every active account and web session is anchored to a live, KYC verified SIM, leading to traceability of mobile numbers used in phishing, digital arrests and scams.

The above uniform, enforceable directions are measures to prevent misuse of telecom identifiers, ensure traceability, protect citizen’s trust in India’s digital ecosystem and strengthen national security. Complying with these directions will ensure that our communication channels are not exploited freely from outside India by fraudsters who pose a grave threat to national security and citizen safety.

SIM binding does not create new metadata categories. Device binding and automatic session logout are already used in banking portals, DigiLocker and payment Apps to prevent account takeover, session hijacking and misuse from untrusted devices. For example, on the UPI App, money can’t be transferred if there is no active SIM in the device.

The benefits of the above directions of DOT outweigh any perceived inconvenience. Technical challenges, if any, for implementing the above DOT directions should be addressed quickly. The app-based communication Service providers have to work on the necessary backend adjustments to comply with these DOT directions.

Users abroad can continue accessing services through Wi-Fi while keeping their Indian SIM in the secondary slot of a dual SIM phone, and of course, they have to pay roaming charges to the Indian TSP. Apart from SIM binding, the DOT will be setting up a Mobile Number Verification (MNV) platform that will be used to verify if the mobile number belongs to the right person and is not being misused.

(The author is a former Advisor, Department of Telecommunications (DoT), Government of India)