TRAI tried to put an end to SMS spam. Then the OTPs stopped coming through

India’s digital ecosystem came to a standstill this week, and you probably didn’t even know that till it was too late. The reason? No OTP messages getting delivered. Basically, the One Time Passwords (or OTP) that you get for two-factor authentication while making online payments stopped coming through. Because of this, people were unable to shop online, pay for their Zomato/ Swiggy order, or even transfer money. Granted, for basic messaging these days you rely on social media apps, but when it comes to crucial banking activities, the good ol’ OTP messages remain your only option.

So what triggered this cataclysmic incident? As you might have read earlier this week, the functioning of banks and e-commerce firms was hit as telecom service providers (TSPs) were changing the mechanism of how an SMS is delivered to your inbox. This behind-the-scenes activity was part of an effort to make sure you stop getting spam SMSes and promotional messages that come attached with the threat of malware, which can infect your device.

Where it all began

It all started a few years back, when the Telecom Regulatory Authority of India (TRAI) wanted to find a solution for the SMS spam. The best way out, according to the powers that be, was deploying technology at the backend with the help of blockchain. Telcos were ordered to implement the new Distributed Ledger Technology (DLT) process that allowed them to iron out the deficiencies of the system.

“To curb the menace of Unsolicited Commercial Communication (UCC) or SMS spam, TRAI issued the Telecom Commercial Communications Customer Preference Regulations, 2018 (“TCCCPR, 2018″) on 19th July, 2018, which put in place a framework for controlling UCC. The regulations entirely came into force w.e.f. February 2019. Since, then TRAI has been through Telecom Service Providers (TSP) and communicated with the Principal Entities to fulfil the regulatory requirements,” TRAI shared the details through a statement this week.

How does it work?

With DLT, telcos will be able to cross-check the content of the SMS before it gets delivered to the mobile user. This process is known as scrubbing. The details of this change were not shared with the public. So, obviously, when things didn’t go as planned, millions of mobile users were left puzzled by this sudden development.

In all likelihood, telcos thought the implementation will be a breeze: the registry will be accounted for and nobody will realise the changes that took place in the background. And while the system does sound fool-proof, the moment DLT was deployed, things went awry very quickly.

What happened?

Ideally, the likes of Airtel and Vodafone were supposed to register all major services for the SMS system. This basically involved registration of service’s message header and template with telecom operators. But the blame-game suggests telcos did not implement it correctly. This meant telcos ended up blocking all SMS messages that were unverified from their end. And this failure has a double-down effect on the roll out of OTP messages that are used for two-factor authentication of online activities and payments.

The real reason behind the issue that caused this major malfunctioning is still unclear. But eventually, it was the consumers who had to bear the consequence of such action, or lack thereof. Spam has become a digital nuisance, and TRAI has tried many ways to curtail its spread. But the large number of users relying on mobile and the internet has worked in favour of the spammers. Invariably, such messages became hard to intercept, because the headers were not verified. This resulted in people losing money by accessing messages with evil intent.

What now?

Understandably, TRAI had to intervene and take matters into own hands. First, it asked the telcos to pause the system implementation so that people can start getting important OTP messages once again. But the telecom body has made sure the temporary pause is utilised to find the problem at the backend and make the necessary tweaks to make this exercise a success.

In addition to this, service operators using telecom channels to send promotional messages have three days to comply with the new TRAI norms. Failing this, the names of the defaulters will be displayed on its website. And if they still do not adhere to the regulations, they would be barred from sending bulk SMSs.

The intentions of TRAI seem to be straightforward and the need to cut down the volume of spam in circulation is a well documented story. And with India looking to rely on digital services to build its future products, it is paramount that defaulters at all levels are reprimanded and asked to change the way business works in their world. We are hoping the pause will allow telcos and services to work in tandem and give us a glitch-free and safe mechanism that can be relied upon.