This post covers how OTPs get bypassed and the risks involved, especially in the wake of codes coming from personal mobile numbers. Let’s first begin with what OTP actually means.
OTP stands for One Time Passcode/Password. It is a mechanism where users receive SMS on their mobile phones for login, id verification, registration, and many other services. The user receives such SMS mainly from digital wallets, banking apps, Facebook, Gmail, and other services.
An OTP is a sequence of numbers issued to a user that is valid only for a limited session. Once the user enters the code for the desired service, be it an app or another service, the company verifies that the user has entered it and keeps a record.
At the same time, it also helps companies identify their users and customers and protect their privacy. OTP is an integral part of the two-factor authentication security protocol.
As the companies send their OTPs only to the provided mobile number, it is considered the best verification method these days.
For 2FA usage
OTPs are increasingly used for Two-Factor Authentication (2FA) protocols. The company sends an OTP in the form of an SMS to the user who requests the service. Such services include, but are not limited to, e-banking, digital wallet registration, authentication, payments, Facebook services, Gmail services, changing passwords, and so on.
Simply put, an OTP is a one-time-use code. When the recipient enters the code, usually 6 or 4 digits, they can proceed to creating, authenticating, paying or any other service that they require.
Since all phones nowadays come with SMS (text message) capability, it is really simple and user-friendly. The code sent by the company is for the specific user only.
As time goes on, such codes have become a good revenue generator and are also in common use. Hackers have also made them their target. There are many cases where people have noticed an “OTP bypass” scenario. Mobile users have lately received such codes from mobile phone numbers.
Rising cases of OTP coming from personal mobile numbers in Nepal
Recently, OTPs have also come under breach. The codes are valid for a user only and sent by the service providers. But recently, users have noticed an unusual text from mobile phone numbers putting their privacy at risk from hackers.
A representative image showing an interface asking a mobile phone user to enter the OTP
This has led to many questions regarding the safety of the users who have received such codes from personal numbers. Some are receiving OTPs from Nepali mobile phone numbers, when the codes should be coming from the company’s own shortcode and under its name.
Mobile users have received OTPs from personal numbers such as 9829628***, 9825599***, and 98255999***, Gorkhapatra has reported. Sources also fear that these numbers might have multiplied in recent weeks.
“Hackers” evade the operators and divert the OTPs on their way to mobile users. Legitimately, such codes sent by service providers reach Nepali mobile phone users through international gateways.
Effect of OTP bypass: security concerns
Users’ sensitive data may be at risk if OTPs come from personal phone numbers. Those who bypass the SMS route can obtain the OTP, which compromises user data. Additionally, in such a scenario, the code sender (a service provider) is unable to confirm whether the destination number has actually received the code.
Because those who circumvent SMS will have access to OTP, there is always a chance that the user’s privacy may be exposed, according to cybersecurity expert Bijay Limbu. Even the sender in this case is unable to verify that the OTP was successfully delivered to the intended mobile number.
Limbu remembers that he logged into Gmail after receiving an OTP from Nepal’s mobile number some time ago. There’s a good chance that many users have seen this firsthand.
Loss of revenues
When OTPs are bypassed, service providers lose not only their customers but also their income. Shobhan Adhikari, a spokesperson for the NTC, states: “It is a severe case. In addition to privacy violations, it puts the company’s OTP earnings in danger.”
However, Adhikari has ruled out the likelihood that the business’ mobile number is being used for OTPs. He added that the operator quickly started “filtering” after becoming aware of an increase in OTP bypass situations to prevent the usage of the business’s numbers for code diverting.
OTP codes are a reliable way to increase operator income. Since businesses began utilizing them for security, their economic prospects have improved.
According to estimates, OTP services alone bring in around 20 crores for Nepali operators. However, the finances may suffer from the rise in OTPs that are being diverted. The regulator has stepped up attempts to restrict the SMS bypass used to redirect OTPs, according to Bijay Roy, director of the NTA.
He continues by saying that the regulator will investigate numbers that send an abnormally high volume of SMS messages using the same number. Such numbers will be blocked if found to be so.
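The filtering and volume check described above, written out as an added example that is not the operator's or the regulator's own code: it flags OTP-looking messages whose sender is a personal mobile number rather than a shortcode or sender name, and counts them per sender. The ten-digit 98 number pattern, the keyword list, the threshold and all sample records are assumptions constructed for illustration.

```python
import re
from collections import Counter

# Assumption: a personal sender is a ten-digit mobile number starting with 98
# (optionally prefixed +977), like the masked numbers quoted in the article.
PERSONAL = re.compile(r"^(?:\+?977)?(98\d{8})$")
KEYWORD = r"\b(?:otp|code|passcode|password|verification)\b"
DIGITS = r"\b(?:\d{6}|\d{4})\b"  # the article: codes are usually 6 or 4 digits
# Assumption: an OTP message has a code keyword and a 4- or 6-digit number.
OTP_TEXT = re.compile(f"{KEYWORD}.*?{DIGITS}|{DIGITS}.*?{KEYWORD}", re.I | re.S)


def personal_number(sender):
    """Return the ten-digit national number for a personal sender, else None."""
    match = PERSONAL.match(re.sub(r"[\s-]", "", sender))
    return match.group(1) if match else None


def is_suspect_otp(sender, text):
    """True when an OTP-looking message comes from a personal mobile number."""
    return personal_number(sender) is not None and bool(OTP_TEXT.search(text))


def flag_senders(messages, volume_threshold=3):
    """Map each personal number to its OTP message count if >= threshold."""
    counts = Counter(
        personal_number(sender)
        for sender, _recipient, text in messages
        if is_suspect_otp(sender, text)
    )
    return {num: n for num, n in counts.items() if n >= volume_threshold}


# Constructed sample records: (sender, recipient, text).
SAMPLE = [
    ("EXAMPLEBANK", "9811111111", "Your OTP is 482913. Do not share it."),
    ("9800000001", "9811111111", "G-204817 is your verification code."),
    ("9800000001", "9822222222", "Your login code is 7741"),
    ("9800000001", "9833333333", "Use 553120 as your OTP"),
    ("9800000002", "9811111111", "Are we meeting at 1800 today?"),
    ("+977 9800000003", "9844444444", "Your verification code: 9021"),
    ("31001", "9811111111", "Your wallet OTP is 118204"),
]

if __name__ == "__main__":
    for number, count in flag_senders(SAMPLE).items():
        print(f"{number}: {count} OTP-like messages from a personal number")
```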
How do OTPs get bypassed?
An OTP SMS is A2P (application-to-person) traffic: it passes from an application to a person. In between sit the ‘carriers’ that connect the SMS sent from the international application to the telecom service providers in the relevant nations.
Carriers make a deal with service providers at this point to deliver SMS coming from the application to users. The costs for providing such a service are greater than the standard SMS price. However, this can be avoided between the carrier and the service provider. Although the methods for bypassing calls and SMS are similar, calls are easier for hackers to grasp than SMS. Due to this, SMS and OTPs get bypassed.
How to stay safe from ‘illegitimate’ OTPs?
The issue of user data and privacy is brought up when instances of OTP bypass become increasingly obvious. Therefore, it is essential that we remain vigilant. What can we do, however, to stop data breaches caused by unauthorized OTPs accessing our phones and taking our information?
We can begin by simply deleting those communications. If you do get an OTP from a personal phone number, make a note of it and tell your operator. You can also let NTA know by contacting them. You should block the number and try again if anything changes for you in the future.
The most important thing to remember is never to enter such numbers to access any services. These phone lines might also be remotely utilized to send you clickbait requesting your social media or banking passwords. Your initial course of action should be to immediately block them.
Have you recently got an OTP from a private phone number? You are welcome to discuss any other inconvenient encounters you had with the shortcodes with us. Please share them in the comments section.