There is a well-known loophole that permits bad actors to automate the process of creating and abusing accounts with popular messaging apps despite each user supposedly being individually authenticated. Apologies to those regular readers who already know about this method, but it needs to be spelled out in simple terms because there are national authorities and so-called experts who never propose any mitigations because they remain ignorant of the issue.
- A bad actor obtains or rents a new SIM, perhaps through a cybercrime-as-a-service outfit which manages many thousands of SIMs by placing them in simboxes.
- Being a new SIM, there is no history of usage indicative of illegal or unethical intent.
- The SIM is used one time to ‘authenticate’ a new account with WhatsApp, Telegram, Snapchat or some other online communication service (OCS) that runs over the top of data networks.
- A lack of subsequent controls over the content of communications disseminated using the OCS, which may be encrypted end-to-end, gives the bad actor the freedom to spam or scam many victims.
- As the SIM is only needed one time to create the OCS account, it may then be used to create OCS accounts on different platforms, or it may be retired from use. There is no information about the SIM or the phone number that can be used to identify the abuse of communications services unless an OCS provider notices anomalous behavior on its platform or users complain about receiving spam or scam communications.
The use of large banks of simboxes run by criminals who obtain hundreds of thousands of SIMs, coupled with the use of software to automate the creation of OCS accounts and then the sending of messages, has resulted in an exponential rise in the number of abusive accounts on some OCS platforms. It is not in the interests of businesses like Meta, which owns WhatsApp, to admit they have a runaway problem with accounts created and run by bots. They would rather pretend they are benefiting from spectacular organic growth which they brag about to the stock market in order to further inflate the price of shares. But the Indian government, unlike some other governments, has not been fooled. Indian authorities have been monitoring the huge rise in the abuse of WhatsApp and other services, partly as a consequence of criminals migrating to OCS platforms following the imposition of tightened controls over older parts of the comms ecosystem, including A2P SMS.
India’s proactive approach to consumer protection means WhatsApp is obliged to report how many accounts associated with Indian mobile phone numbers have been banned each month. The figures starkly portray the rapid automation of networked crime. We regularly scrape the data for the Commsrisk Global Fraud Dashboard and the trend line for banned Indian WhatsApp accounts is unambiguous. Over 98 million Indian WhatsApp accounts were banned during the first 10 months of 2025. That compares to 92 million bans for the whole of 2024, 76 million during 2023, and 28 million during 2022.
Now India will make it harder to exploit the weak authentication of OCS customers. Per an order issued by the Indian government, OCS providers have until the beginning of March to bind each service to a customer’s SIM. Users who access their OCS service via the web, as opposed to using an app on their phone, must be periodically logged out. A device containing the original SIM will then need to be used to log the user back in again. This has obvious advantages from a security perspective. Cybercrime-as-a-service operations that run simboxes will have many more SIMs in total than the number of slots in their simboxes. Retaining the SIM and repeatedly reinserting it into the simbox would hugely increase the work required to keep an OCS account live. It also gives telcos a chance to identify patterns of behavior indicative of crime. Put simply, if a SIM is repeatedly used to authenticate OCS accounts, but is never used for anything else, then the user is not genuine.
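The telco-side heuristic stated above (a SIM that only ever receives OCS verification codes and is used for nothing else) can be run over usage records. This is an added illustration, not code from Commsrisk or any operator; the record layout and sample data are constructed, and the `min_otps` threshold is an assumption that keeps a genuine new subscriber with a single verification from being flagged.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class UsageRecord:
    sim_id: str      # placeholder SIM identifier (e.g. an ICCID), constructed
    kind: str        # 'otp_sms' = inbound OCS verification code; else ordinary use
    platform: str    # OCS platform for 'otp_sms' records, '' otherwise


# Constructed sample records, not real telco data.
SAMPLE = [
    UsageRecord("SIM-A", "otp_sms", "whatsapp"),
    UsageRecord("SIM-A", "otp_sms", "telegram"),
    UsageRecord("SIM-A", "otp_sms", "snapchat"),
    UsageRecord("SIM-B", "otp_sms", "whatsapp"),
    UsageRecord("SIM-B", "data", ""),
    UsageRecord("SIM-B", "voice", ""),
    UsageRecord("SIM-C", "otp_sms", "whatsapp"),
    UsageRecord("SIM-C", "otp_sms", "whatsapp"),
    UsageRecord("SIM-D", "voice", ""),
]


def flag_verification_only_sims(records, min_otps=2):
    """Return {sim_id: sorted platforms} for SIMs whose only observed
    activity is receiving OCS verification codes, at least min_otps times.
    SIMs with any voice, data or outbound SMS usage are never flagged."""
    otp_platforms = defaultdict(set)
    otp_counts = defaultdict(int)
    has_other_use = set()
    for r in records:
        if r.kind == "otp_sms":
            otp_platforms[r.sim_id].add(r.platform)
            otp_counts[r.sim_id] += 1
        else:
            has_other_use.add(r.sim_id)
    return {
        sim: sorted(platforms)
        for sim, platforms in otp_platforms.items()
        if sim not in has_other_use and otp_counts[sim] >= min_otps
    }


if __name__ == "__main__":
    for sim, platforms in flag_verification_only_sims(SAMPLE).items():
        print(f"{sim}: verification-only SIM, platforms={platforms}")
```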
Frauds orchestrated from scam compounds in countries like Cambodia have been facilitated by allowing users to log on to OCS services through the web. This means the actual user of a service can be in a different country to the SIM that was used for the original authentication. Disrupting the way criminals remotely log on to OCS services is a good way to disrupt the most serious cross-border scams that plague the general public. Per the new order, users will need to be logged out of web-based OCS services at least every 6 hours. OCS providers covered by the order will need to report on their compliance 30 days after it comes into effect. Those OCS providers include:
- Telegram
- Snapchat
- Signal
- Arattai
- Sharechat
- Josh
- Jiochat
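The binding and expiry rules described above can be modelled as a small session policy: an account is bound to the SIM that first verified it, a web session is forcibly ended after 6 hours, and any login must be presented from the bound SIM. This is an added illustration of the policy, not code from any OCS provider or from the order itself; account and SIM identifiers are constructed placeholders.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

WEB_SESSION_MAX = timedelta(hours=6)   # web sessions must end at least every 6 hours


@dataclass
class Session:
    channel: str          # 'app' (device holding the SIM) or 'web'
    started: datetime


class SimBoundAccounts:
    """Accounts are bound to the SIM that first verified them. Web sessions
    expire after WEB_SESSION_MAX and may only be renewed from the bound SIM."""

    def __init__(self):
        self.bound_sim = {}   # account -> SIM id
        self.sessions = {}    # account -> Session

    def register(self, account, sim_id, now):
        # The first verification binds the account to this SIM for good.
        self.bound_sim[account] = sim_id
        self.sessions[account] = Session("app", now)

    def login(self, account, channel, sim_id, now):
        """Refuse any login (app, or a web session approved from the device)
        unless it presents the SIM the account was bound to."""
        if self.bound_sim.get(account) != sim_id:
            return False
        self.sessions[account] = Session(channel, now)
        return True

    def is_active(self, account, now):
        s = self.sessions.get(account)
        if s is None:
            return False
        if s.channel == "web" and now - s.started >= WEB_SESSION_MAX:
            del self.sessions[account]   # forced logout; bound SIM needed again
            return False
        return True


def demo():
    """Bind, log in via web, hit the 6-hour expiry, then try to re-login."""
    t0 = datetime(2026, 3, 1, 9, 0)
    acc = SimBoundAccounts()
    acc.register("user1", "SIM-1", t0)
    return (
        acc.login("user1", "web", "SIM-1", t0),                     # bound SIM
        acc.is_active("user1", t0 + timedelta(hours=5)),             # under 6h
        acc.is_active("user1", t0 + timedelta(hours=6)),             # forced logout
        acc.login("user1", "web", "SIM-2", t0 + timedelta(hours=6)),  # wrong SIM
        acc.login("user1", "web", "SIM-1", t0 + timedelta(hours=6)),  # bound SIM
    )
```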
Indian telcos have welcomed the government’s intervention. This is not surprising; criminals add to the costs of mobile operators by seeking to obtain large numbers of SIMs for illicit purposes. Indian telcos are also upset that traditional voice and SMS services have been subjected to a plethora of anti-scam regulations without similar rules being applied to OCS comms services. The Cellular Operators Association of India (COAI), whose members include Reliance Jio, Bharti Airtel and Vodafone Idea, lauded the new SIM binding rule as…
…a landmark step towards bolstering national security and safeguarding our citizens.
It goes without saying that the big US platforms that profit most from spam and scam activity, and which spend most on buying politicians and whitewashing their reputations, have deployed one of their own associations to oppose the Indian government’s order. Broadband India Forum (BIF), an association backed by Meta and Google amongst others, issued a statement calling for a delay in implementation, as if Meta cannot read their own reports about how severe the problem of spam and scam WhatsApp accounts has become. Instead of offering any constructive proposals, their argument focused on whether the Indian government has the legal power to impose the new direction.
The Telecommunications Act does not authorise the regulation of OTT communication platforms, nor does it provide the legislative basis to impose telecom-style operational mandates upon them. Yet, under the guise of the Telecom Cyber Security Amendment Rules and without any public consultation, the present SIM-binding directions extend precisely such obligations, that too on a select set of applications.
The directions go beyond the statutory remit, blur settled jurisdictional boundaries between the Telecom Act and the IT Act. This is a problematic instance of regulatory overreach by the executive without legislative sanction and unfortunately, any stakeholder engagement.
This tactic is copied straight from the playbook written by US internet businesses. Instead of suggesting ways to protect the public from harm, they immediately threaten to spend heavily on lawyers in order to fight new laws and regulations in court. Telcos have always been heavily regulated, but internet platforms grew fat while doing almost nothing to protect the public from harm. They want to continue receiving the same indulgent treatment, not least because the most successful internet platforms are headquartered in the USA, whose politicians are easily bought and whose courts are stuffed with vexatious suits from businesses that have stripped the US government of the power to act.
It is time for telcos to stop subsidizing the profits of greedy internet platforms that put the public at risk. They need to work with governments to arrive at a fairer distribution of the responsibilities involved in consumer protection. One way that telcos subsidize OCS providers is through the sham of ‘authentication’ that is not genuine authentication. The OCS providers are passing the buck by pretending they know a customer is legitimate just because an account has been associated with a phone number on a single occasion. Some telcos foolishly considered this a good deal — they got the short-term boost of adding more SIMs to their nominal user base but only by volunteering for the ever-increasing burden involved in determining who all these users really are.
I grow more impressed with India’s strategy for spam and scam reduction as each month goes by. So much of the so-called ‘news’ about consumer protection comes from US corporations that either want to maintain the status quo, or hope to make it worse by finding ways to charge consumers for additional checks. What we really need is for costs to be better linked to profits. If a business profits by adding a new user, it should pay the cost for determining that user is authentic. The Indian government keeps drawing new lines in the sand, achieving results on behalf of the public that others say are impossible, and challenging the US corporations that would like to dictate how (little) consumers are protected worldwide.
The use of SIM binding in India will inevitably draw howls of protest from some quarters. It is probable that Meta’s lobbyists have already written briefing papers explaining why other countries should disregard the precedent set in India. They will aggressively reiterate their stance at every opportunity, and will spend heavily on so-called ‘anti-scam collaborations’ as a way of ensuring they control the narrative. When I look at which countries are making real progress with tackling spam and scam traffic, I see that India keeps displaying the understanding, imagination and dynamism to implement novel consumer protection controls, despite the nasty parochialism of Americans who want to blame Indians for scams while turning a blind eye to the ways that multinational corporations enable them. There is only one other thing I would ask the Indian authorities to do: spend more time explaining why other countries should follow their lead.
You can read the Indian Department of Telecommunication direction on SIM binding for OCS services here.