
T.V. Ramachandran, Honorary FIET (London) and President, Broadband India Forum
Scam calls, phishing messages, fake loan offers and identity theft have become everyday hazards for millions of citizens. This mass-scale threat is eroding trust in digital communications and inflicting serious financial and psychological harm. It is, therefore, both necessary and welcome that India’s fight against cyber fraud has intensified.
Against this backdrop, the Department of Telecommunications, on November 28, 2025, issued a directive under the recently amended Telecom Cyber Security Rules, mandating SIM-binding for a select set of app-based communication services and some social media services. The directive requires messaging and calling applications that use mobile numbers for user identification to remain continuously linked to the specific SIM card associated with that number, effectively preventing the use of the app if that SIM is not active. It also mandates periodic log-outs of web and desktop versions of such applications, with re-authentication through QR code-based re-linking.
The objective that the directive intends to achieve is to prevent the misuse of telecommunication identifiers and curb frauds originating from outside India by strengthening the link between users, devices and mobile numbers. While this path is paved with good intentions, the SIM-binding approach, in its current form, begins to appear both limited in effectiveness and fraught with unintended risks when we examine how cyber fraud actually operates and how modern digital communication ecosystems function.
Chokepoint at SIM issuance
The recent amendments and the directive requiring SIM-binding for app-based communication services rest on one basic assumption, that is, fraud flows from apps being insufficiently tied to SIM cards. The evidence suggests otherwise. Most cyber frauds originate not from messaging apps, but from compromised SIM issuance.
Across the country, law enforcement agencies have repeatedly uncovered SIM box rackets, fake identity networks, and mass procurement of mobile connections through forged documents or corrupt retailers. In the past year alone, authorities blocked more than 6.6 lakh fake SIMs and deactivated over 78 lakh connections obtained through fraudulent KYCs.
This is the real choke-point. Criminals do not really need a communication app to commit fraud; they need large numbers of SIM cards that appear legitimate. Once they have them, they can use SMSs, voice calls or any app to reach victims. Binding apps to SIMs does nothing if the SIM itself is fake. In fact, it risks institutionalising a false sense of security, that is, “this account is SIM-verified”, when the SIM may already have been obtained illegally.
From a technical standpoint
The technical reality makes SIM-binding even less workable. Modern smartphones are deliberately designed so that apps cannot access sensitive SIM identifiers like IMSI, precisely to protect user privacy and prevent tracking. With this directive, OS providers would have to forgo this privacy-preserving mechanism. By compelling applications to rely on SIM-binding as a means to establish the identity of the user, the directive forces the collection or processing of data beyond what is required or necessary, exposing platforms to compliance and liability risks. This approach also undermines the very privacy-by-design principles that modern mobile platforms were built to uphold.
Further, in the absence of clarity on the frequency and manner in which SIM-binding is to be enforced, it is likely that repeated OTP-based verification would be enforced. SMS is a decades-old, unencrypted channel that is itself vulnerable to interception and spoofing. Paradoxically, a directive that is meant to enhance security would end up forcing apps to rely more heavily on one of the weakest links in the system.
At scale, the costs of such repeated verification could be substantial, particularly for high-volume communication and authentication workflows, while also introducing operational inefficiencies, delays and user friction. Repeated OTP prompts risk disrupting legitimate use cases such as multi-device access, enterprise messaging, automated systems and API-driven workflows that do not involve SIM-enabled endpoints.
Cost for the everyday user of a mobile number
The impact on everyday users would be significant. For millions of people, the use of mobile numbers to log in to these messaging apps is a simple and efficient convenience. They use these services seamlessly across phones, tablets, laptops and desktops. Small businesses run customer support services on shared devices. Families and gig workers routinely switch SIMs to manage costs or coverage. A regime that forces users to re-authenticate, log out, or lose access whenever a specific SIM is not present or inactive will disrupt legitimate daily activity far more than it inconveniences organised criminals.
Modern digital life is built around continuity across devices and networks. SIM-binding introduces a fragile dependency into this ecosystem, one that ordinary users will feel every time a phone is repaired, a SIM is replaced, a device is shared, or a user travels or works primarily on Wi-Fi.
Back to the blurring of regulated layers
At the heart of this debate is a surprisingly simple question, that is, what is a mobile number? Inside a telecom network, it is a routing and signalling resource controlled by licensed operators. But in the digital world, the same digits are used as an identifier, for example, your WhatsApp ID, your shop’s contact details, your bank alert reference, even part of an email address. When a messaging app delivers a message, it does not send it “to the SIM”. It sends it to your app, which operates over the internet layer, not at the network layer. The number here functions like a username, not a telecom identifier.
This distinction matters, not just technically but legally. India’s Telecommunications Act allows only licensed telecom operators to use “telecommunication identifiers” as network resources. However, the definition of a “telecommunication identifier user entity” as provided in the Telecom Cyber Security Rules assumes that apps are “using” such identifiers merely because they use a mobile number as a function within the app to assign a username.
Taken to its extreme end, treating every use of a mobile number as telecom activity would pull banks, e-commerce platforms, government portals and even small shops into telecom regulation simply because their service is linked to mobile numbers. This would be a natural consequence of redefining a mobile number’s application-layer function as telecom “use”. That was never the intent of the law and it would create enormous uncertainty for India’s digital economy.
A related flaw in the SIM-binding approach is the implicit assumption that app-based communication services operate only over mobile data networks. In reality, these applications are designed to function over any internet connection, including a fixed-line connection, home broadband, public Wi-Fi or enterprise broadband, and even when the device is placed in airplane mode with mobile connectivity switched off. As long as an internet connection is available, the app continues to work normally, independent of the mobile network. This architectural reality underlines the distinction between telecom connectivity and internet-based services: while telecom networks provide access, they do not control how applications authenticate users or deliver messages once that access exists. Any regulatory measure that assumes a permanent dependency on mobile data misconstrues how modern digital communication actually functions.
Case for consultation: Find better, more effective ways to fight fraud
SIM-binding may look tough, but toughness is not the same as effectiveness. If India truly wants to protect its citizens from digital fraud, it must fix the leak at the source, that is, fake and compromised SIMs, rather than regulating the wrong layer of the system.
There are better ways to fight cyber fraud. Strengthen SIM issuance and retailer accountability. Clean up legacy fake SIMs. Use modern, encrypted verification tools already being deployed by global telecom standards bodies instead of insecure SMSs. Banks and lenders already rely on behavioural and network-level analytics to flag suspicious activity and similar approaches can be applied to communications fraud.
Most importantly, this is an area that demands consultation. Measures that reshape how core communication services function, and that implicate privacy, platform design and hundreds of millions of users, cannot be crafted in isolation. This is even more so when such a mandate is going to be a first-of-its-kind requirement globally; rushing through it without inputs from telecom operators, digital platforms, consumer groups and security experts could lead to unintended consequences. Cybersecurity is too important to be left to one-dimensional solutions. It is strengthened by informed design, cross-sector coordination and solutions that target the real sources of risk. That must be the aim of any regulation, and the process by which such regulation is conceived is as consequential as the outcome it seeks to achieve.
(With research inputs by Sundeep Kathuria and Shubhika Saluja. The views presented in the above article are the personal views of the author.)