India Mandates SIM-Binding: WhatsApp and Telegram Users Must Re-verify Every 6 Hours

India’s Department of Telecommunications has issued a new directive to both domestic and international developers of major instant-messaging platforms, requiring that users must not be able to access these services or send messages unless their accounts are linked to a valid SIM card associated with an Indian mobile number.

Platforms such as WhatsApp, Telegram, Snapchat, Arattai, ShareChat, Josh, JioChat, and Signal — all of which rely on Indian phone numbers for user identification — have been given 90 days to comply.

Following the 2024 amendment to India’s Telecom (Telecom Network Security) Rules, which intensified efforts to combat phishing, fraud, and cybercrime involving misused telecom identifiers, the department stated that SIM-binding is essential to closing security gaps exploited by cross-border criminal operations.

Under the new requirement, messaging apps must automatically log users out every six hours. If the system cannot detect an active SIM card linked to the account, the user will be unable to log back in. The intended benefit is clear: if an account is compromised, it can be rendered unusable within a maximum of six hours.

According to the department, previously an account could remain active even if the associated SIM card had been removed, deactivated, or relocated abroad. This allowed anonymous fraud, remote phishing scams, and impersonation of Indian government officials using Indian phone numbers to flourish.

Long-lasting browser or desktop sessions also enabled fraudsters to control victims’ accounts remotely without possessing the original device or SIM card — significantly complicating detection and enforcement. Under the old model, a single device verification within India was sufficient to keep a session running inside or outside the country, enabling scammers to exploit Indian numbers without passing any fresh checks.

The new rules sharply constrain account validity: users may access their accounts only if their linked phone number and SIM card remain active. Messaging platforms must also implement KYC (Know Your Customer) verification for every active account, allowing Indian law-enforcement agencies to trace phishing operations, investment scams, and other forms of fraud using real-identity data.

Domestic Indian messaging services are expected to comply with minimal resistance. Whether foreign platforms — especially privacy-focused ones such as WhatsApp and Signal — will adhere to these requirements, however, remains uncertain.

Related Posts:

• FCC Takes Aim at SIM Swapping Fraud, Protecting Consumers from Billions in Losses
• Android Sideloading Crackdown: Google to Verify All Apps, But Promises Power-User Bypass