So, say you’re browsing through Amazon or Flipkart and you find something you’d like to purchase. You pick up your credit card to make the payment and then, an OTP (One-Time Password) is sent to your registered mobile number. If that OTP isn’t entered within a specific time frame, then that transaction isn’t authenticated. That way, only if you truly are the owner of the card, can you complete the purchase. This helps prevent someone who’s unauthorized from making purchases even if they, somehow, have your card details.
So, OTPs have, kind of, played an important role in the rise of India’s digital infrastructure for securing transactions, logging in and more.
However, there are still some vulnerabilities. There’s something called phishing, where people are tricked into revealing sensitive information, like an OTP, a username, a password or a credit card number. An email, text message or link is sent to you that seems to come from a trusted source, like a bank or an e-commerce site you constantly engage with. Then, you’re directed to a fake website that looks legit, where you’re asked to enter personal information, which goes straight to the malicious actor.
There’s, also, something called SIM swapping, where someone’s mobile number is transferred to another SIM card. Someone could contact your mobile service provider posing as you and provide some of your personal details. That way, the mobile service provider could be convinced to transfer your number to a new SIM card.
Another thing is the issue of social engineering attacks. Here, the malicious actor impersonates someone you might trust, like IT support or someone from your bank. They gain your confidence by being friendly or sweet and then ask for sensitive details, like OTPs, account numbers or passwords. There are even times when an OTP is directly requested with the claim that it’s urgently needed to verify a transaction.
These are all ways to bypass the security of an OTP.
In 2023, India was said to have experienced around 80 million phishing attacks, seemingly making it the third-most targeted country in the world. So, with these cyber threats so prevalent in India, how are regulatory bodies reacting?
From November 1, 2024, TRAI (Telecom Regulatory Authority of India) is said to be establishing protocols to augment OTP security. It seems to want to trace every message’s source to fight scams and make sure every OTP message is actually legit. How does that work?
A Principal Entity (PE) is a company that’s registered with telecom service providers to send bulk SMS communications to customers. Every message these PEs send would have to come through a properly registered system or “chain”, which means that every message has to be traceable. So, telecom operators would have to scrub and verify the origin of every message and, if there’s a mistake in the chain, block it. Any message that falls short gets rejected.
That sounds cool, theoretically.
But, telecom companies don’t seem to be ready for this new move, because, in India, there might be more than a billion commercial messages being transmitted daily. Telecom companies are said to be warning that this could lead to OTPs getting blocked by accident, if the new rules are enforced too soon. So, they’d like a little more time to make sure the messages go through smoothly without disrupting important alerts, like OTPs. Or else, some are proposing that discrepancies could be recorded, but not blocked, till December 2024. That way, PEs could make their systems better, because if a genuine OTP is not delivered, then many transactions would not be completed.
And what is TRAI looking at to deal with those traceability requirements? Blockchain might be the answer, if it can provide an immutable or tamper-proof record of all communications. Each PE may have to submit their URLs, numbers or embedded links to telecom operators. Then, the data may have to be cross-referenced with the database of the Blockchain platform. If a URL is modified or a number is altered, the message could be flagged or blocked.
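To make the PE/chain scrubbing step and the URL/number cross-check concrete, here is a simplified Python model added for illustration; it is not TRAI’s or any operator’s code. The registry, the entity IDs, the sender header and the URLs are all constructed, and the `block_on_mismatch` flag stands in for the interim “record discrepancies but don’t block” proposal mentioned above.

```python
import re
from dataclasses import dataclass, field

# Constructed registry, purely illustrative: which sender header each
# Principal Entity (PE) owns, which URLs/numbers it has declared, and which
# entities (PEs and telemarketer aggregators) are registered at all.
REGISTERED_ENTITIES = {"PE-BANK-01", "TM-AGG-07", "TM-AGG-09"}
REGISTERED_HEADERS = {"ACMEBK": "PE-BANK-01"}
REGISTERED_CONTENT = {
    "PE-BANK-01": {"urls": {"https://acmebank.example/secure"},
                   "numbers": {"18001234567"}},
}

URL_RE = re.compile(r"https?://\S+")
# 10-12 digit numbers only, so a 6-digit OTP in the body is not treated as a
# callback number that must be registered.
NUM_RE = re.compile(r"\b\d{10,12}\b")

@dataclass
class Verdict:
    deliver: bool
    reasons: list = field(default_factory=list)

def scrub_message(header, chain, text, block_on_mismatch=True):
    """Operator-side scrubbing of one commercial SMS.

    header: sender ID the message carries; chain: entity IDs the message
    passed through, PE first; text: message body. block_on_mismatch=False
    models the 'record discrepancies but do not block' transition mode:
    reasons are still collected, but the message is delivered.
    """
    reasons = []
    pe = REGISTERED_HEADERS.get(header)
    if pe is None:
        reasons.append(f"header {header!r} not registered to any PE")
    elif not chain or chain[0] != pe:
        reasons.append(f"header {header!r} belongs to {pe}, chain starts elsewhere")
    for entity in chain:
        if entity not in REGISTERED_ENTITIES:
            reasons.append(f"unregistered entity in chain: {entity}")
    allowed = REGISTERED_CONTENT.get(pe, {"urls": set(), "numbers": set()})
    for url in URL_RE.findall(text):
        if url not in allowed["urls"]:
            reasons.append(f"URL not registered by {pe}: {url}")
    for num in NUM_RE.findall(text):
        if num not in allowed["numbers"]:
            reasons.append(f"number not registered by {pe}: {num}")
    return Verdict(deliver=not reasons or not block_on_mismatch, reasons=reasons)
```

A genuine OTP whose header, chain, URL and helpline number all match the registry passes; a message with an unregistered aggregator in the chain or a look-alike URL is blocked, unless the log-only mode is on, in which case it is delivered with the discrepancies recorded.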
So, there could be opportunities for Blockchain ventures in India to get in touch with telecom companies.
But, maybe, PEs aren’t really jiggy with the Blockchain platform, so there are some tech gaps to be plugged. All of this could be slightly troublesome for e-commerce companies, online banking or other spaces that rely on OTP authentication within a limited timeframe. If a platform has a digital payment gateway and transactions fail, then user attrition just might be imminent, hurting revenue. A lot of startups, anyway, might be running on low-margin transactions, so that could hurt their user acquisition.
But, would anything change if OTPs were being sent through WhatsApp? After all, it’s said that India has the largest number of WhatsApp users globally with close to 540 million active users, as of May 2024. There’s said to be an additional layer of security with WhatsApp’s encryption. So, maybe, that could minimize the odds of OTPs being intercepted. Yet, maybe, switching the OTP traffic to WhatsApp may be troublesome for users dealing with weak Internet connections.
But, if they’re able to access platforms that require an OTP for transactions, then their Internet is working fine at that time. Though, would WhatsApp be able to handle scale as efficiently as SMS services have so far? SMS services may be equipped to deliver mass messages. According to WhatsApp, it is not intended for bulk or automated messaging, which is said to be a violation of its ToS. So, that just might limit the frequency at which OTPs are sent. But, could WhatsApp Business’ API be used to standardize the delivery of OTPs?
It might, but the risk of impersonation might still be there. So, the onus might be on WhatsApp to showcase its registered business accounts properly.
What do you think? Where will your next OTP come from? Or would it not be delivered at all?