Explained: What’s happening to our OTPs?

Had all of us on Monday taken a shot of water whenever we blamed our internet, perpetual bad luck and God for not receiving the one time password (OTP) to book train tickets, buy those gorgeous boots and take an appointment for a Covid-19 vaccination shot online, we’d be a well-hydrated country.  

But why did we not get our OTPs? 

Here’s what happened. The government started the second phase of implementation of the new SMS guidelines under the Telecom Commercial Communication Customer Preference (TCCCP) Regulations, 2018. And it was glitchy.  

That’s why those boots are now out of stock.  

You’re not alone, see? 

@CSCUttarPradesh @CSCegov_ @dintya15 @sanchitsrivas12 Dear Sir I am unake to https://t.co/dqk621dl6k csc app because I when I am trying to register, unable to receive OTP. Please short our the problem aap. CSC Id-350868680017

— Chandan Sharma (@cnsharma200_) March 9, 2021

What is this I hear about Telcos blocking OTP from Banks, e-com companies?

— Surendra Tapuriah (@Bobbycal) March 9, 2021

@CSCegov_ @BiharCsc I am clear my TEC exam And I got my TEC certificate no But when I am going to ragister my self I am not get any otp. Please Help me pic.twitter.com/nFYgnpW2cF

— Firoz Alam (@falam5675) March 9, 2021

What is this TCCCP regulation though? 

In 2018, the Telecom Regulatory Authority of India (TRAI) notified the TCCCP Regulations to curb spam calls and messages, and prevent the general public from being duped. 

The guidelines under the rules required companies and government organisations to register their SMS content templates and associated sender IDs – an SMS header representing the name of the organisation – on blockchain-based Distributed Ledger Technology (DLT) platforms deployed by telecom service providers (TSPs). 

The aim was to verify all messages and calls against this database and ensure that only registered parties are able to communicate with you, and block fraudsters and telemarketers. 

However, the result of the implementation on Monday was the opposite. The Economic Times, citing people in the know, said that about 40% of a billion commercial SMS delivered everyday were being disrupted.  

That regulation sounds good on paper! 

It does. Had its implementation been smooth, we no longer could have used the excuse of phone calls getting lost amid spam to not call back that ear-chewing colleague.  

The principal entities, which includes banks, companies, and other government organisations, were supposed to register with DLTs of Jio, Airtel, Vi, and BSNL before March 8, when the guidelines were set to be implemented.  

However, many of these stakeholders seem to have missed the deadline. 

As a result, legitimate communication from their end, including transactional OTPs and other verification codes, ended up getting blocked, throwing our lives into chaos.  

Due to unregistered SMS template, in compliance to the TCCCP Regulations... many Companies, Banks, Others OTP SMS are not getting deliver. Today was the Last Date. It Seems Banks are submitting template today and it will take time to approve.#InfoSec #OTPSMS #OTP #SMS pic.twitter.com/wnK5wPMy68

— Rajshekhar Rajaharia (@rajaharia) March 8, 2021

SP Kocchar, director general of the Cellular Operators Association of India, told The Economic Times that TSPs had sent various notifications to the entities to register and prepare for the implementation of the regulation.  

The organisations, on the other hand, have blamed telecom companies for the lax implementation of DLT, the report said. The Indian Banks Association, it said, has reached out to TRAI and the Reserve Bank of India to push the implementation of the new regulations. 

To recall, the Delhi High Court had directed TRAI to ensure strict and complete implementation of TCCCP regulation early last month. 

TechCircle’s queries to banks and telecom companies did not elicit a response at the time of publishing the story. 

Cybercrime risks  

As we twiddle our thumbs waiting for our banks, government organisations and other entities to register themselves on the DLT platforms, do keep an eye out for any suspicious activity on your accounts. As of now, even if there are large withdrawals from your bank accounts, you may not get any SMS notification from your bank.  

“DLT is new, so it may take some time for proper working. Whoever is operating DLT (for telecom firms) should have started a trial run with promotional SMS services first. Only after that, they should have implemented transactional services, because these services are important and one cannot afford to stop receiving crucial SMS-based services such as OTPs,” security researcher Rajshekhar Rajaharia told TechCircle.  

TRAI has reportedly suspended the implementation of TCCCP regulations for seven days to prevent further inconvenience to customers.

(The story has updated to include the latest TRAI decision.)

Edited by Rashmi Ramesh