SIM Binding For Messaging Apps: Fixing Cybercrime With A Sledgehammer
From March 2026, India’s new SIM-binding mandate will change how apps like WhatsApp, Telegram, and Signal work for hundreds of millions of users. The intent is noble - curbing an explosion of cybercrime - but the method feels less like using a hammer on a nail and more like swinging a sledgehammer straight through the plank.
The cybercrime crisis the state is staring at
Over the last few years, cybercrime has gone from a background nuisance to a full-blown national headache. Fraudsters run large-scale “digital arrest” scams, investment cons, and impersonation calls that often appear to come from legitimate Indian numbers, but are operated from across borders.
The numbers tell a grim story
The scale of the problem is staggering and accelerating year-on-year:
| Year | Complaints on NCRP | Reported Losses |
|---|---|---|
| 2021 | 452,000 | - |
| 2022 | 1.03 million | - |
| 2023 | 1.6 million | ~$900 million |
| 2024 | 2.27 million | ~$2.7 billion |
| 2025 | 2.82 million | ~$2.6 billion |
Sources: DD News, The420.in, The Print
That’s a 6x increase in reported complaints in just four years. The monetary losses nearly tripled between 2023 and 2024 alone - a 206% jump. And these are just the reported figures; the true scale, once you factor in under-reporting, is far uglier.
The types of fraud paint an equally worrying picture:
- Investment scams are the biggest threat, accounting for 76% of total financial losses and 35% of all cases in 2025 (Insights on India).
- Digital arrest scams - where fraudsters impersonate CBI, ED, or police officials over video calls to coerce victims into transferring money - contributed 9% of financial losses. In just two months of 2025, 17,718 such incidents were reported, with losses of ~$25 million (The420.in).
- Despite 2.8 million cases reported in 2025, only 55,484 FIRs were actually filed, often due to jurisdictional complexity (MediaNama).
From the state’s perspective, this is not a few bad actors; it’s a systemic threat that piggybacks on gaps in telecom and messaging infrastructure.
I felt this shift in my own life even before SIM binding entered the picture. Remember the wave of public-service announcements over calls - voiced by instantly recognizable figures like Amitabh Bachchan - warning us to never share OTPs and to hang up on “KYC update” scammers? At one point, those warnings became their own sort of ambient harassment for me: every time I dialled a number, I first had to sit through yet another lecture on cyber fraud. The fact that those PSAs were plastered everywhere told you how worried the state was, but also how blunt and intrusive mass awareness campaigns can become when they are used as the primary defence.
What the government is trying to do with SIM binding
The SIM-binding directive is the next step in that same fight, but pushed down into the technical plumbing instead of just announcements. Issued by the DoT on November 28, 2025 under the Telecom Cyber Security (TCS) Rules, 2024, the directive gave platforms a 90-day compliance window, with full enforcement starting March 1, 2026.
Under the new rules, major app-based communication services (WhatsApp, Telegram, Signal, Snapchat, ShareChat, etc.) must ensure that your account is continuously tied to the specific SIM card and number that you used to register.
In practice, that means:
- SIM removal = app stops working. If the SIM is removed, deactivated, or swapped for another, the messaging app should stop working until you insert and re-verify the original SIM.
- Forced re-authentication on web/desktop. Web and desktop sessions must periodically log out (roughly every few hours) and force you to re-link using the primary phone that has the active SIM inside.
- Multi-device features are broken by design. Running WhatsApp on companion phones or tablets without the primary device being online is constrained or outright broken.
From the government’s point of view, this plugs a very real vulnerability. Today, once you register a messaging app with a SIM, you can remove that SIM, move abroad, junk the original number, and still keep the account running over Wi-Fi indefinitely. That gap lets criminals run scams that look like they originate from India-registered numbers, without any live, KYC-verified SIM sitting in an Indian network.
So the intent is to anchor every messaging identity to a live, traceable telecom identity - just like UPI apps already do for financial transactions. On paper, that sounds reasonable. In reality, the way it’s being enforced risks wrecking a lot of legitimate use cases along the way.
The sledgehammer problem: fixing one gap by breaking everything around it
The best analogy I have for SIM binding is this: you have a tiny but serious crack in one plank of your floor, and instead of carefully repairing it, you swing a sledgehammer through it, damaging the entire floorboard. The nail (cybercrime) is real; the chosen tool is overkill.
Some of the collateral damage is obvious even before rollout:
International travel becomes a headache
Many Indians travel with a local SIM from the destination country or a roaming eSIM, while their Indian number may be inactive, parked in another phone, or simply left at home. Today, they happily use their India-registered WhatsApp over Wi-Fi for family chats and OTP-free communication. Under SIM binding, if that Indian SIM isn’t physically in the device and active, their WhatsApp and similar apps can simply stop working.
Multi-device productivity takes a hit
If you use WhatsApp Web or a desktop app as part of your work stack, SIM binding means frequent forced logouts and re-authentications. The era of “authenticate once, then keep the tab pinned for weeks” is effectively over; you must keep your phone with the SIM handy and online, even if your actual work happens on a laptop or tablet.
Companion devices and tablets lose their charm
Features that let you run messaging apps independently on Wi-Fi-only tablets or secondary phones without a SIM are fundamentally at odds with continuous SIM presence. These are not niche edge cases; they’re normal patterns for families, small businesses, and power users.
All of this friction lands on legitimate users. Meanwhile, serious attackers can adapt by shifting to foreign numbers, non-KYC channels, or encrypted platforms outside the mandate. Some will be slowed; very few will quit.
Why messaging apps exist - and what this directive does to that logic
Part of why this directive feels so heavy-handed is that it collides with the original economic logic of messaging apps.
For years, telecom operators priced SMS and voice calls in a way that made frequent communication expensive and inflexible: pay per SMS, per minute, with opaque packs and complex validity rules. OTT apps like WhatsApp, Viber, and others undercut this model by converting communication into an internet problem: pay for data once, then message and call virtually for free.
The impact was dramatic:
- Telco revenue from voice calls and SMS has fallen sharply over the last decade.
- Data revenue’s share per user has grown many-fold in the same period; the money is now in data pipes, not in metered SMS or per-minute calling.
In other words, messaging apps exist not just because they are “cool technology,” but because they broke a pricing chokehold that telecom operators had over basic communication. Users moved to WhatsApp and friends for freedom: cheap, borderless, device-agnostic communication.
SIM binding does not directly bring back old per-SMS tariffs, but it does something subtler: it drags messaging apps back into the orbit of telecom infrastructure constraints. When your WhatsApp identity is effectively welded to a specific KYC-verified SIM, and that SIM’s lifecycle and geography dictate whether you can talk freely, the original promise of decoupling communication from telco control gets diluted.
It’s not that OTT apps will vanish. They will still likely be cheaper and richer than old-school SMS. But the direction of travel is worrying: from open, device-agnostic, border-agnostic messaging back toward a world where your SIM’s whims - roaming, inactivity, expiry, KYC friction - decide whether your digital life keeps running.
Are we targeting the right layer?
There’s a more surgical way to look at the problem. The abuse the government cites is real: criminals use gaps in SIM lifecycle management, weak number recycling practices, and anonymous or poorly verified channels to run scams at scale.
But a lot of that can be addressed at layers below the OTT apps:
- Stronger SIM lifecycle controls and stricter KYC enforcement on telcos, including rate-limiting suspicious activations and enforcing cooling-off periods.
- Better fraud-detection frameworks across banks, payment providers, and telecom operators, including shared intelligence on patterns of scam campaigns.
- Smarter, more targeted awareness campaigns instead of blanket audio spam on every phone call.
In that world, messaging apps might still need to cooperate - through better reporting tools, metadata sharing under due process, and safeguards for suspicious behaviour - but they would not be shackled to a particular physical SIM in a way that breaks everyday, legitimate use.
The current directive skips a lot of that nuance. It solves one concrete issue - accounts lingering long after SIMs die or move abroad - by imposing a continuous-SIM-presence requirement that punishes millions of honest users for the sins of a much smaller criminal ecosystem.
A softer alternative: flag unbound accounts instead of killing them
There is at least one middle ground that hurts users less, even if it is still far from perfect.
Instead of forcing hard SIM binding for every session, platforms could:
- Keep accounts working even when the original SIM is absent or inactive, but mark those accounts internally as “unbound” or “SIM-inactive”.
- Surface that state to recipients with a visible warning: “This account is not currently linked to an active SIM. Be cautious before sharing sensitive information.”
- Let high-risk use cases (banking integrations, business accounts, large group admins) use stricter policies: block or rate-limit actions when the account is unbound, or require extra verification.
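A minimal sketch of how a platform could evaluate that flag-instead-of-kill policy per action; this is an added example, not code from any messaging app or from the directive. The account kinds, action names, one-week freshness window and hourly limit are all assumptions chosen for illustration.

```python
import time
from dataclasses import dataclass
from enum import Enum
from typing import Optional, Tuple

# All names and thresholds below are hypothetical; the article specifies none.
BINDING_TTL_S = 7 * 24 * 3600   # assumed: how long a SIM presence check stays valid
UNBOUND_HOURLY_LIMIT = 20       # assumed: new-contact messages/hour while unbound
HIGH_RISK_KINDS = {"business", "group_admin", "banking_integration"}
WARNING = ("This account is not currently linked to an active SIM. "
           "Be cautious before sharing sensitive information.")

class Decision(Enum):
    ALLOW = "allow"
    ALLOW_WITH_WARNING = "allow_with_warning"
    STEP_UP = "require_extra_verification"
    BLOCK = "block"

@dataclass
class Account:
    kind: str                           # "personal" or one of HIGH_RISK_KINDS
    last_sim_check_ts: Optional[float]  # when the registered SIM was last seen active
    new_contacts_last_hour: int = 0

def is_unbound(acct: Account, now: float) -> bool:
    if acct.last_sim_check_ts is None:
        return True
    age = now - acct.last_sim_check_ts
    # A check dated in the future is not trusted: treat it as unbound.
    return age < 0 or age > BINDING_TTL_S

def evaluate(acct: Account, action: str, now: float) -> Tuple[Decision, Optional[str]]:
    """Return (decision, warning text to show the recipient or None)."""
    if not is_unbound(acct, now):
        return Decision.ALLOW, None
    if acct.kind in HIGH_RISK_KINDS:
        # Stricter tier: block sensitive actions, re-verify for the rest.
        if action == "payment_request":
            return Decision.BLOCK, None
        return Decision.STEP_UP, None
    if (action == "message_new_contact"
            and acct.new_contacts_last_hour >= UNBOUND_HOURLY_LIMIT):
        return Decision.BLOCK, None     # rate limit on cold outreach while unbound
    # Ordinary users (travellers, Wi-Fi tablets) keep working, but flagged.
    return Decision.ALLOW_WITH_WARNING, WARNING

if __name__ == "__main__":
    now = time.time()
    traveller = Account("personal", now - 30 * 24 * 3600)  # constructed sample
    print(evaluate(traveller, "message_existing_contact", now))
```

The design choice that matters is the last branch: an unbound personal account degrades to a labelled state rather than a dead one, while the stricter outcomes are reserved for the high-risk tiers.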
This doesn’t magically stop determined scammers, and it isn’t a silver bullet any more than the government’s existing protections are. Serious attackers can still keep one “mule” SIM active per scam farm, or rotate through freshly KYC-abused numbers. But it would sharply reduce a specific class of abuse: long-lived, completely detached accounts quietly running over Wi-Fi for months after the SIM that created them is dead, recycled, or sitting in a drawer.
If nothing else, it changes the default posture from “everyone looks equally trustworthy” to “if the plumbing underneath an account looks off, the app will at least tell you so.” It is still a bad option in the abstract - leaky, gameable, not mathematically clean - but it is a less bad option than torching multi-device and travel use cases for hundreds of millions of people.
And if we really want to lean into nostalgia, there’s a darkly funny twist: whenever a call or message comes in from an unbound account, the app could play a short warning on the receiver’s side - in the same instantly recognizable voice that has been lecturing us about OTPs for years. If Amitabh Bachchan telling us “OTP mat batayiye” at the start of every phone call was the prologue to this SIM-binding chapter, maybe a gentler Bachchan warning on suspicious, unbound accounts is the only ending that makes emotional sense.
Security versus freedom to communicate
We’re living through a period where every big technology choice is framed as security versus convenience. SIM binding is being sold in exactly those terms: “Yes, your life will be slightly more inconvenient, but look at all the fraud we’ll prevent.”
The problem is not acknowledging the trade-off; the problem is pretending it’s a small one. For travellers, for remote workers, for families juggling multiple devices, and for anyone who embraced messaging apps precisely because they freed communication from telco shackles, this directive is not a minor tweak. It’s a structural change in how our digital identities relate to our SIM cards.
Cybercrime is real. The government’s intent to tackle it is right. But if the only tools we can imagine are awareness calls that wear you down and infrastructure rules that treat every user like a suspect, we will eventually fix the floor by making everyone afraid to walk on it.
I’d rather see a system that treats SIM binding as an option for high-risk contexts - say, financial transactions or enterprise accounts - rather than a blanket rule for every casual “good morning” message and family call. Until then, we should at least be honest about what we’re giving up in the name of safety: not just convenience, but a measure of the freedom that made messaging apps worth using in the first place.