1. News
  2. Explained

Why Were OTP Services in India Disrupted on Monday?

Invalid date 4 min read

Monday was a day of chaos for lakhs of customers across the country as the functioning of banks, e-commerce and payment companies was hit by a mobile messaging outage.

This involved the disruption of several crucial services, including the non-delivery of one-time passwords (OTPs). As much as 40% of traffic was impacted as of Monday evening.

Many customers were unable to pay online, transfer funds, place e-commerce orders or book tickets. Also affected were Aadhaar-related procedures and COVID-19 vaccination drive schedules via the CoWIN platform.


The Crux of the Matter

Unsolicited Commercial Communications (UCCs) aka spam calls and fake messages are a big issue. These unsolicited texts include messages trying to dupe readers with fraudulent claims as well as phishing attempts.

Fake messages are a big deal, especially in a country like India, which averages one billion daily commercial SMS deliveries and is the world’s second-largest mobile-first digital economy. The Government has announced a nodal agency called the Digital Intelligence Unit (DIU) to investigate such offenses. Furthermore, the Telecom Regulatory Authority of India (TRAI) had fined eight telcos ₹35cr ($4.78m) collectively for failing to clamp down on fake SMSes. (Most of this penalty was levied on BSNL.)

FYI: OTPs are seen as superior to passwords in that they are difficult to track and exploit since they keep changing. An OTP is valid only for one login session and only for a certain period of time. OTP generation algorithms usually make prediction of successor OTPs by hackers difficult through the use of randomness and also cryptographic hash functions.


Rules of the Roost

To tackle spam, TRAI framed the Telecom Commercial Communication Customer Preference Regulations (TCCCPR), a set of rules that was updated in 2018 to include these points:

  1. Advices the adoption of blockchain technology vis-a-vis Distributed Ledger Technology (DLT) to ensure regulatory compliance. A DLT is a system which is a decentralised digital database that allows for storage of information in a secure and accurate manner using cryptography.
  2. Companies that seek to send bulk commercial SMSs and calls need to register themselves with a DLT platform. This list includes companies, banks, payment companies and Government agencies.
  3. Telecom Service Providers (TSPs) have to verify telemarketers seeking registration with them before granting access to their customer data and also take action immediately against fraudulent telemarketers. In this way, telemarketers will be accountable to telcos, who will be accountable to TRAI.


Enter, Judiciare

Last month, the Delhi High Court directed TSPs to strictly implement the TCCCPR. It asked telcos to register the message templates to ensure that only authentic messages get through to customers. (This process is called “scrubbing”.) Messages from entities that are not registered or messages that don’t follow the official format would be simply blocked.

The court also took notice of the use of fake, official-looking SMS headers (a combination of six characters representing the name of the message sender aka Sender ID) by scammers to dupe customers.

FYI: The court was responding to a plea by Paytm’s parent One97 Communications Ltd, which claimed that phising activities and telcos’ failure in preventing the same had defrauded millions of its customers and “caused financial and reputational loss”.

Telcos like Jio, Airtel and Vi began implementing the new rules from midnight on Sunday (i.e. 00:00 hours). Many companies were taken by surprise and many were unprepared, unregistered or dolling out content that didn’t adhere to the set format. Ergo, the SMS disruptions.


War of Words

As customers faced delays and the failure rate climbed to 40%, complaints mounted on banks’ and companies’ desks. Officials blamed telcos for faulty implementation of the new system. The Indian Banks’ Association reached out to TRAI and the RBI, seeking postponement of the regulation.

TSPs, in turn, defended their systems and said the new rules were being implemented under court orders and they were given ample time to make the requisite changes. The Cellular Operators Association of India (COAI), which represents TSPs, also highlighted that the implementation of the new rules was long due and delayed on account of lack of readiness in industry circles.

Telcos allowed some relaxation as the day progressed (including for critical systems such as the vaccination drive and Aadhaar). However, it was made clear that this leniency would be for only a couple more days, following which if companies failed to adhere to the TCCCPR, their messaging services would be discontinued.

Going forward, there could be a rush from companies to get themselves registered at the earliest so that their messages are not blocked. In the meantime, the lack of a sure-shot OTP system may be ripe for an increase in cybercriminal activity. On that note, here are some tips on how to spot an SMS scam.


The cut-throat world of Business and Finance means that there is fresh News everyday. But don't worry, we got you. Subscribe to TRANSFIN. E-O-D and get commentaries like the one above straight to your inbox.