
Indian govt is mandating that social media apps be bound to the SIM card

    



The Department of Telecommunications (DoT) has issued new directives requiring app-based communication platforms to ensure their services cannot be used without an active SIM card. This move follows the introduction of the Telecommunication Cybersecurity Amendment Rules, 2025, which expand telecom regulations to include a new category called Telecommunication Identifier User Entity (TIUE).

Under these amended rules, TIUEs must meet several cybersecurity requirements. One major requirement is the mandatory use of a Mobile Number Validation (MNV) Platform to verify users linked to a mobile number. Additionally, the government now has the authority to instruct TIUEs to stop using specific telecom identifiers for user verification or service delivery if needed.

Why these rules matter

When the TIUE framework was first proposed, experts raised concerns that the definition was too broad. Because TIUE includes any organisation that uses mobile numbers to identify or serve customers, it could technically apply to food delivery apps, service platforms, or even local stores sending digital receipts.

The DoT’s new directions—sent to WhatsApp, Telegram, Signal, Arattai, Snapchat, ShareChat, JioChat and Josh—make it clear that these major communication platforms are being treated as TIUEs. They must now:

  • Within 90 days, ensure that their apps remain continuously linked to the user’s active SIM card.

  • For web or browser-based access, log users out every six hours and require them to re-authenticate via QR code.

Why SIM-binding?

The government observed that several apps continue functioning even when the associated SIM card is removed, replaced, or deactivated. According to the DoT, this loophole is increasingly exploited from outside India to commit cyber fraud.

This concern aligns with the position of the Cellular Operators Association of India (COAI), which earlier advocated for continuous SIM binding. COAI noted that most apps use SIM verification only during the initial setup, allowing the service to work independently even after the SIM is removed. This makes it difficult for authorities to trace misuse since they lose access to key identifiers like call logs, carrier records, and location data.

COAI believes persistent SIM binding will:

  • Prevent app use without the authenticated SIM in the device.

  • Improve traceability between the user, the mobile number, and the device.

  • Reduce fraud, spam, and unauthorised communication.

  • Help curb financial scams carried out via OTT communication apps.

Industries already using SIM-binding

Many financial platforms—including banks and UPI apps—already require an active SIM to operate.
Earlier this year, SEBI proposed making SIM-binding mandatory for trading accounts as well, along with biometric verification, to prevent unauthorised trades.

But will SIM-binding actually reduce fraud?

Cybersecurity experts are skeptical. At a 2023 MediaNama event, researcher Anand Venkatanarayanan explained that professional scammers often use rented or fake IDs to easily obtain new SIM cards. They rarely reuse SIMs; instead, they purchase them in bulk, rendering SIM binding less effective. According to him, criminals need only a few fake IDs a year to continue scamming operations.

During MediaNama’s earlier discussions on the draft Rules, professionals raised similar doubts. MediaNama Editor Nikhil Pahwa highlighted that the DoT’s video KYC system (ASTR), in use for two years, has not significantly reduced fraud. He questioned how applying the same identifier across more services would suddenly improve security.

COAI responded that the government aims to maximise the value of telecom data since mobile numbers are the most frequently updated and closely monitored KYC identifiers.

Full text of DoT’s directive (summary)

The DoT has formally invoked its powers under the Telecommunications (Telecom Cyber Security) Rules, 2024, and their 2025 amendment, to issue the following directives:

  1. Within 90 days, app-based communication services must ensure that their service cannot operate without the specific active SIM card used during registration.

  2. Within 90 days, web versions of these apps must log users out every six hours and allow re-linking via QR code.

  3. TIUEs must submit compliance reports to the DoT within 120 days.

  4. Non-compliance will result in action under the Telecommunications Act, 2023, Telecom Cyber Security Rules, and other applicable laws.

  5. These directions take effect immediately and remain in force until changed or withdrawn.

