In this post, we will delve into the meaning of OTP bypass, and the rising concerns with it especially, in the wake of codes coming from personal mobile numbers. Let’s first begin with what is an OTP.
OTP stands for One Time Passcode/Password. It is a type of SMS that a mobile user receives for login, id verification, registration, and other services. You receive such SMS from digital wallets, banking apps, Gmail, Facebook, and other services.
An OTP contains a sequence of numbers that is issued to one user only for a particular session of usage. Once the user enters the code for the desired service, be it an app, or something else, the company verifies that the user has executed it and keeps the record.
At the same time, it also helps companies identify the users, and customers, and protect their privacy. OTP is an integral part of a two-factor authentication security protocol.
As companies send their OTPs only to the provided mobile number, it is considered the best verification method these days.
For 2FA usage
OTPs are increasingly used these days for Two-Factor Authentication (2FA) protocoals. In this method, a company sends an OTP in the form of an SMS to a user who requests to use a service. Such services can range from e-banking, digital wallet registration, authentication, payment, Facebook, Gmail login, changing passwords, etc.
An OTP is a one-time use code only. So, when the recipient enters the code, usually 6 digits, they can proceed to creating, authenticating, paying, or any other service they want.
Since phones come with SMS (text message) capability, it is very user-friendly and safe. The company sends the code directly to a user for one user only.
But over time, such codes have become a good revenue generator and as it is so common in use, hackers have also made it their target. Apparently, there are many instances where people have noticed an ‘OTP bypass’ scenario. Mobile users lately have received such codes from mobile phone numbers.
Rising cases of OTP coming from personal mobile numbers in Nepal
In a recent series of events, OTPs have also come under breach. The codes are valid for one use only and sent by service providers such as Digital Wallets, Gmail, Facebook, etc. But recently, users have noticed them coming from mobile phone numbers putting their privacy at substantial risk from hackers.
This has led to many questions regarding the safety of the users who have received such codes from personal numbers. Some are receiving the OTPs from Nepali mobile phone numbers which should be coming from the company’s own shortcodes, and their name.
Mobile users have received OTPs from personal numbers such as 9829628492, 9825599068, and 98255999747, Gorkhapatra has reported. Sources also fear that these numbers might have multiplied in recent weeks.
“Hackers” evade the operators and bypass the OTPs towards mobile users. Legitimately, such codes from through international gateways to Nepali mobile phone users sent from service providers.
Effect of OTP bypass: security concerns
If OTPs arrive from personal phone numbers, it potentially puts users’ private data at risk. Those who bypass SMS gain access to OTP compromising user data. Besides, the code sender (a service provider) in such a condition can’t ensure if a target number has received the code either.
“There is always a risk that the user’s privacy will be compromised as those who bypass SMS will have access to OTP,” Cybersecurity expert Bijay Limbu says. In such a scenario, even the sender can’t be certain that the target mobile number has received the OTP.
A while ago, Limbu recalls that when he logged in to Gmail, after receiving OTP from Nepal’s mobile number. It is likely possible that many users have witnessed this first-hand.
Loss of revenues
In addition to user data theft, service providers also lose their revenues when OTPs are bypassed. NTC spokesperson Shobhan Adhikari says, “It is a serious case. Besides privacy breaches, it also poses risk to the company’s earnings through OTPs.
Adhikari has, however, dismissed any possibility of the company’s mobile number being in use for OTPs. He also shared that after learning of increasing cases of OTP bypassing, the operator soon began ‘filtering’ to avoid the company’s numbers being misused for diverting the codes.
OTP code is a good source of adding more operators’ revenues. Its economic prospect has grown after companies started using them for security purposes.
There are estimates that Nepali operators earn over 20 crores from OTP services alone. But the growing number of diverting OTPs could hurt the finances. Bijay Roy NTA Director has said the regulator has stepped up efforts to control SMS bypass executed to divert OTPs. Another for you: How to enable advanced messaging service (RCS)?
He adds that the regulator will check on numbers that send excessively high numbers of SMS through the same number. If found so, such numbers will be blocked.
How do OTPs get bypassed?
OTP usually passes from an application to an individual, also known as an A2P (application to person). At the same time, the ‘carriers’ between the SMS received from the international application reach the telecom service providers of the respective countries.
At this, carries sign agreement with service providers to deliver SMS arriving from application to users. The expenses for such a service delivery are higher than the usual SMS fee. But this can be bypassed in the middle from the carrier to the service provider. The method of call and SMS bypass is similar, however, the hackers can understand SMS more easily than calls. For this reason, SMS or OTP bypass
How to stay safe from ‘illegitimate OTPs?’
As cases of OTP bypass become more conspicuous, the question of user data and privacy is raised. So, it is imperative that we keep ourselves alert. But what can we do to avoid breaches from unauthorized OTPs arriving on our phones and stealing our data?
First, we can start with just discarding those messages. If you do receive OTP from a personal number, note the number and relate it to your operator. You can also contact NTA to inform them. For your future assurances, you should block the number and try again if something changes for you.
Most importantly, never enter those numbers to gain access to any services. Those numbers may be used remotely to send you clickbait for your banking or social media passwords too. Blocking them right away should be your first response.
Have you received an OTP from a personal phone number recently? You can share with us other inconvenient experiences you had with the shortcodes. Do let them below in the comments.
- Redmi Note 11 Pro 4G is getting the HyperOS upgrade: Find other rollout plan
- OnePlus 12 Pre-booking starts in Nepal: Find Specs and Price
- Apple iOS 17.4 beta 4 launched with a vital battery feature
- India finally allows Nepali visitors to get Indian SIM cards
- Government to implement investigation report on Axiata deal
- Samsung Galaxy A15 5G launched in Nepal | Price and Specs
- Bhupendra Bhandari appointed new NTA chairman for 5 years