New Delhi, Dec 1 (PTI) Pegging cyber-fraud losses at over Rs 22,800 crore in 2024 alone, the government on Monday said its latest directions on mandatory, continuous SIM-device binding for use of messaging apps are "essential to plug a concrete security gap" that cybercriminals are exploiting to run large-scale, often cross-border, digital frauds.

The direction does not affect the cases where the SIM is present in the handset, and the user is on roaming, the Ministry of Communications assured in a release.

"DoT’s SIM-binding directions are essential to plug a concrete security gap that cybercriminals are exploiting to run large-scale, often cross-border, digital frauds. Accounts on instant messaging and calling apps continue to work even after the associated SIM is removed, deactivated or moved abroad, enabling anonymous scams, remote `digital arrest' frauds and government-impersonation calls using Indian numbers," the release said.

With cyber-fraud losses topping Rs 22,800 crore in 2024 alone, "these uniform, enforceable directions under the Telecom Cyber Security Rules are a proportionate measure to prevent misuse of telecom identifiers, ensure traceability, and protect citizens’ trust in India’s digital ecosystem", it emphasised.

Device binding and automatic session logout are widely used in banking and payment apps to prevent account takeover, session hijacking and misuse from untrusted devices, and are accordingly being extended to app-based communication platforms that are now "central to cyber frauds".

"DoT is committed to make India a cyber secure nation," it asserted.

The Ministry observed that some of the App-Based Communication Services that are utilising Indian mobile numbers for identification of their customers/users or for provisioning or delivery of services, allowed users to use the services without the availability of the underlying Subscriber Identity Module (SIM) within the device in which the App-Based Communication Services were running.

This feature, the Ministry said, is being misused to commit cyber-frauds, especially from outside the country.

"Mandatory continuous SIM–device binding and periodic logout ensure that every active account and web session is anchored to a live, KYC-verified SIM, restoring traceability of numbers used in phishing, investment, digital arrest and loan scams," it said.

The Ministry pointed out that long-lived web/desktop sessions let fraudsters control victims’ accounts from distant locations without needing the original device or SIM, which complicates tracing and takedown.

"A session can currently be authenticated once on a device in India and then continue to operate from abroad, letting criminals run scams using Indian numbers without any fresh verification," it said.

Auto-logout every six hours (only for web version, not for app version) shuts down such long web-sessions and forces periodic re-authentication with control of the device/SIM, sharply reducing scope for account takeover, remote-access misuse and mule-account operations, it added.

Frequent re-authentication forces criminals to repeatedly prove control of the device/SIM, raising friction and detectability, the release added.

It is pertinent to mention here that the Centre has issued directions that would ensure app-based communication services, the likes of WhatsApp, Signal, Telegram, and others, are continuously linked to a user's active SIM card.

All players providing app-based communication services in India have been asked to submit compliance reports to the Department of Telecommunications (DoT) within 120 days from the issue of the directions.

The department warned that failure to comply with norms will attract action under the Telecommunications Act, 2023, the Telecom Cyber Security Rules, and other applicable laws.

The directive would impact how users access services of messaging apps, including WhatsApp, Telegram, Signal, Arattai, Snapchat, Sharechat, Jiochat, and Josh in India. The Centre's latest directive means that these messaging services would only work if the SIM is present and active in the user's device.