India Mandates SIM-Binding and Frequent Re-Verification for Messaging Apps to Combat Fraud
The Indian government has introduced new regulations requiring messaging apps such as WhatsApp, Telegram, Signal, and Snapchat to operate only with active SIM cards linked to users’ phone numbers. This move is intended to curb the rising incidents of cyber fraud and misuse, particularly those perpetrated from outside the country using Indian mobile numbers. Under the new rules, web and desktop sessions must automatically log out within six hours, and users will be required to re-verify their accounts frequently. Messaging app providers have 90 days to implement these changes and 120 days to report compliance, as part of an amendment to the 2024 Telecom Cyber Security Rules.
The Department of Telecommunications (DoT) stated that the previous ability to maintain long-lived sessions without an active SIM was being exploited for large-scale, cross-border scams, phishing, and other fraudulent activities. By enforcing SIM-binding and frequent re-verification, authorities aim to close this security loophole and make it more difficult for criminals to operate anonymously or from abroad using Indian identifiers. The new measures are a direct response to the increasing sophistication of cybercriminals targeting Indian users through messaging platforms.
Sources
Related Stories
India Mandates Pre-Installation of Sanchar Saathi Cybersecurity App on Smartphones
India's telecommunications ministry has issued a directive requiring all major smartphone manufacturers, including Apple, Samsung, Vivo, Oppo, and Xiaomi, to preload a government-backed cybersecurity app called Sanchar Saathi on all new devices within 90 days. The app, which cannot be deleted or disabled by users, is designed to combat telecom fraud, spam, and malicious activity by allowing users to report suspicious calls, block stolen handsets, and monitor the number of mobile connections registered in their name. The government order also mandates that devices already in the supply chain receive the app via a software update, raising concerns among industry players and privacy advocates about the lack of prior consultation and potential privacy implications. Sanchar Saathi has already been installed over 11.4 million times and has played a significant role in blocking more than 4.2 million lost devices and recovering over 700,000 phones since its launch. The app's features include the ability to report international calls spoofed as domestic, helping authorities crack down on illegal telecom exchanges that facilitate scams and pose national security risks. The move underscores India's efforts to strengthen telecom cybersecurity amid a rapidly growing mobile user base exceeding 1.2 billion subscribers, but it also places the country alongside others like Russia in mandating pre-installed government software on consumer devices.
3 months ago
Mobile Messaging Account Compromises and Spyware Threats
Security researchers and intelligence analysts have documented a series of incidents and trends highlighting the risks to mobile messaging accounts and devices. In December, a new form of WhatsApp account hijacking called GhostPairing was identified, where attackers trick users into linking an attacker-controlled browser to their WhatsApp device, potentially exposing sensitive information. Separately, researchers uncovered large-scale scraping of WhatsApp's contact discovery tool, resulting in the exposure of billions of phone numbers and associated profile data. Meanwhile, spyware threats targeting both iPhone and Android users have escalated, with zero-click attacks enabling adversaries to compromise devices and access encrypted messaging apps such as WhatsApp and Signal. Apple and Google responded by patching vulnerabilities believed to be exploited by commercial spyware like Predator, and the US CISA issued warnings about the active targeting of mobile messaging applications. In another high-profile case, the Iranian-linked Handala hacking group claimed to have fully compromised the mobile devices of two Israeli officials. However, forensic analysis revealed that only their Telegram accounts were breached, not the entire devices. The attackers likely used techniques such as SIM swapping, SS7 exploitation, and phishing to gain access, exposing gaps in session management and account security on encrypted messaging platforms. These incidents underscore the growing sophistication of attacks against mobile messaging services and the need for robust security measures, including privacy controls, passkey-encrypted backups, and vigilance against phishing and SIM-based attacks.
2 months agoSouth Korea Mandates Facial Recognition for SIM Registration to Combat Scams
South Korea has announced a new policy requiring facial recognition scans for individuals registering new mobile phone numbers, aiming to curb the widespread use of stolen identities in telecom-related scams. The Ministry of Science and ICT stated that the initiative, which will be implemented by the country's three major mobile carriers and mobile virtual network operators, is designed to prevent criminals from using stolen or fabricated IDs to activate SIM cards. The new requirement will compare the photo on an official identification card with a real-time facial scan, making it significantly harder to register devices under false names. This measure follows a series of high-profile data breaches and a surge in voice phishing scams, with over 21,000 cases reported in 2025 alone. The policy is set to take effect on March 23, following a pilot phase, and will leverage existing digital credential apps such as “PASS” to store and verify biometric data. Recent incidents, including the massive data breach at SK Telecom that exposed SIM card data of nearly 27 million subscribers, have highlighted the vulnerabilities in South Korea’s telecom sector. Authorities have responded with stricter penalties for carriers failing to prevent scams and have imposed significant fines for poor security practices, such as storing credentials in plaintext and lacking basic access controls. The government hopes that the new facial recognition requirement will restore trust and reduce the risk of identity-based telecom fraud.
2 months ago