Raman is a middle-aged man working for a private company in Indore. He is moderately educated and has a wife and 2 kids.
Raman sat on his balcony, enjoying a steaming cup of tea while eagerly awaiting the delivery of a laptop he'd ordered for his son. Suddenly, his phone rang, displaying an unfamiliar number. The caller claimed to be a delivery person and requested an OTP for the delivery process. Remembering that the platform now required an OTP during delivery, Raman assumed this was legitimate. Consequently, while on the call, he quickly glanced at the new notification highlighting the OTP in an SMS and shared the code without reading the entire message. Immediately after sharing the OTP and ending the call, a distressing SMS arrived, notifying him of a deduction of INR 40,000 from his bank account. It dawned on him that the call had been a fraudulent attempt, with the scammer posing as a delivery person to trick him into authorizing a financial transaction rather than confirming the delivery.
In this first edition of a two-part newsletter, I write about the cause of the increasing number of frauds taking place via smartphones.
Not-so-smart, smartphone users
The rise of smartphone and internet users in India has been phenomenal. But unlike countries in the West, India poses unique challenges and opportunities. See, this rise in smartphone and internet users in the second half of the last decade came from tapping into customers from non-urban India. This increasing adoption of smartphones and the internet was further driven by:
Cheap smartphones (Xiaomi, Oppo etc.)
Launch of Jio
Increased per capita GDP
Digital government services like UPI, Aarogya Setu etc
As the number of smartphone users increased, there was also an increase in the number of startups wanting to offer services online; from shopping to booking a cab, everything went online.
One unique problem is that many of these smartphone and internet users are using technology for the very first time, unlike in Western countries (or urban India), where people used desktop computers with an internet connection before moving to smartphones. We need to understand the fundamental characteristics of these new smartphone users.
This presented a complex case: a large set of users who are not highly educated and are not comfortable with technology now rely on it for everything.
All hail the saviour! OTP
As more and more Indians came online, there was also a need to strengthen the security of the online process. For this, OTPs were introduced.
OTPs add a second factor of authentication to our accounts: a 4 to 8-digit code that is unique and valid for only a few minutes.
I first came across OTP while using my father’s debit card for online purchases. Since then, OTPs have become a crucial part of my online identity verification process. This case is not just mine but that of every smartphone user in India: right from signing up for an app to booking a cab to payments, OTPs are everywhere. And since people in India are more familiar with mobile phones, SMS became the default mode of delivery for these OTPs.
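To make the properties just described concrete (a short numeric code, unique per request, valid for only a few minutes, usable once), here is a small server-side OTP issuer and verifier. This is an added illustration written for this newsletter's topic, not code from the newsletter or from any bank or app mentioned in it; the phone number, server key, purposes and message wording are constructed for the example, and the digit count, time limit and attempt limit are assumptions chosen within the ranges the text gives.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

OTP_DIGITS = 6          # assumption: within the 4-8 digit range described above
OTP_TTL_SECONDS = 180   # assumption: "lasts for just a few minutes"
MAX_ATTEMPTS = 3        # assumption: limits online guessing of a 6-digit code


@dataclass
class OtpRecord:
    code_hash: bytes    # only a keyed hash of the code is kept server-side
    expires_at: float
    attempts: int = 0
    used: bool = False


class OtpService:
    """Issues and verifies OTPs keyed by (phone, purpose).

    Keying by purpose means a code issued for a payment cannot be
    redeemed to confirm a delivery or a ride, and vice versa.
    """

    def __init__(self, server_key: bytes):
        self._key = server_key
        self._store: Dict[Tuple[str, str], OtpRecord] = {}

    def _digest(self, phone: str, purpose: str, code: str) -> bytes:
        msg = f"{phone}|{purpose}|{code}".encode()
        return hmac.new(self._key, msg, hashlib.sha256).digest()

    def issue(self, phone: str, purpose: str, now: Optional[float] = None) -> str:
        """Generate a fresh code and remember its hash and expiry."""
        now = time.time() if now is None else now
        code = f"{secrets.randbelow(10 ** OTP_DIGITS):0{OTP_DIGITS}d}"
        self._store[(phone, purpose)] = OtpRecord(
            code_hash=self._digest(phone, purpose, code),
            expires_at=now + OTP_TTL_SECONDS,
        )
        return code  # in a real system this is handed to the SMS gateway

    @staticmethod
    def sms_text(purpose: str, code: str, detail: str) -> str:
        """Message body that states what the code is for (constructed wording)."""
        return (f"{code} is your OTP for {purpose}: {detail}. "
                f"Valid for {OTP_TTL_SECONDS // 60} minutes.")

    def verify(self, phone: str, purpose: str, code: str,
               now: Optional[float] = None) -> Tuple[bool, str]:
        """Accept a code only once, only before expiry, only for its purpose."""
        now = time.time() if now is None else now
        rec = self._store.get((phone, purpose))
        if rec is None:
            return False, "no pending OTP for this purpose"
        if rec.used:
            return False, "OTP already used"
        if now > rec.expires_at:
            return False, "OTP expired"
        if rec.attempts >= MAX_ATTEMPTS:
            return False, "too many attempts"
        rec.attempts += 1
        expected = rec.code_hash
        if not hmac.compare_digest(expected, self._digest(phone, purpose, code)):
            return False, "wrong OTP"
        rec.used = True
        return True, "ok"


if __name__ == "__main__":
    svc = OtpService(b"constructed-demo-key")
    phone = "+91-9999900000"  # constructed number
    code = svc.issue(phone, "payment")
    print(OtpService.sms_text("payment", code, "INR 40,000 to DEMO MERCHANT"))
    print(svc.verify(phone, "delivery", code))   # wrong purpose: rejected
    print(svc.verify(phone, "payment", code))    # correct: accepted once
    print(svc.verify(phone, "payment", code))    # replay: rejected
```

The point for a reader of this newsletter is in `verify`: the server knows exactly which purpose a code was issued for, yet the six digits the user sees in the SMS carry none of that context, which is why the message text around the code is the only cue a person has.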
The different use cases of these 4-8 digit codes are given below:
Payments
RBI issued a mandate in 2011 asking customers to punch in an extra code, a one-time password (OTP), to authenticate their identity and complete all mobile banking transactions. Since then, this step has been added to almost every payment process apart from UPI.
Identity
Around the same time, the identity stack (read Aadhar) was also launched, where the identity of individuals was linked to a 12-digit number along with their photograph and six demographic fields including name, age, address, mobile number, email address, and gender. The identity stack was built even further by introducing eKYC, eSign etc.
eKYC is described as “A petitioner collects consent (via biometric or two-factor OTP authentication) from a user and submits their Aadhaar number to the UIDAI system. The system then returns the user’s entire KYC data including all six demographic fields and the user’s photograph.”
eSign is a digital signature product built atop Aadhaar. It allows any Aadhaar holder to produce legally valid digital signatures on any document through a one-time password sent to the signer’s Aadhaar-linked mobile number.
Authentication
Not only this: as more and more startups started targeting first-time internet/smartphone users, they primarily asked users for their phone numbers instead of an email address. This was a brilliant product decision.
Bharat users were not familiar with email, so verifying users via an OTP sent to their contact number made the process frictionless for consumers.
Many startups in India are sales-led and rely on telesales, so obtaining customers' contact numbers was very important to them.
Verification of customer
Another use case for OTPs emerged for companies with a hybrid mode of operations, i.e., those that interact with their customers both online and offline. A customer-verification OTP is the one you share with the service provider to prove that you are the person who booked their service online. (E.g. you book a cab via Ola; when the driver arrives at your location, they need an OTP from you before starting the ride to verify that it’s you who booked it.)
Guess which OTP am I?
Here comes the interesting part: you get a 4-8 digit code on your phone, and it holds the power to verify your identity, transfer your funds, give consent for a digital signature on documents, get you a cab, get your parcels delivered and whatnot. Yet they all look the same, especially to someone who is not tech-savvy.
Not just this: you’re told you are never required to share an OTP, yet when you go to a govt. office you’re required to share an OTP to verify your identity, and you’re also required to share an OTP before getting a ride, before receiving a high-value delivery, etc. This leaves a normal consumer confused about when they should share the OTP and when they should not.
Here come, Scammers!
All of this becomes very confusing for a normal consumer, and this is where the scammers come in. They leverage the complex nature of OTPs and use social engineering techniques to manipulate users who are not tech-savvy.
These scams are not limited to rural or uneducated people; you must have seen many others around you, including policemen and govt. officials, falling prey to such scams.
One of the most common scams is where the scammers pretend to be bank employees and ask for sensitive details in the name of KYC; the customers, fearing that their account will be frozen, share these details. With the details in hand, the scammers initiate a transaction and then ask for the OTP to complete it. This OTP is the final nail in the coffin and wipes out the funds from the customer’s account.
According to The Ken, such scams account for around 70% of fraudulent banking transfers, worth around Rs 900 cr per annum.
More than 70% of fraudulent banking transfers in India are KYC-linked scams. A senior official at the Financial Intelligence Unit, the national agency responsible for analysing data on suspect financial transactions, informed The Ken that KYC frauds amount to over Rs 900 crore ($108 million) per year.
If you want to understand more about how these scammers operate and steal money from people’s accounts, read this article by Medianama.
The solution we are given
Once these scams started, the government and companies launched several initiatives to educate users about OTPs. All these campaigns and initiatives focus on one thing: “Never share your OTP with anyone”.
The solution is the problem
The advice "Never share your OTP with anyone" is often impractical because there are situations where sharing your OTP is necessary (refer to the infographic above). This is precisely why scammers posing as bank officials or delivery personnel can successfully trick people into divulging their OTP: it is hard for folks to know when to share it and when not to.
Thus, I think that with the increasing number of OTP use cases, we need to educate people about the different use cases.
In the next part of this newsletter, I’ll put on my PM hat and try to figure out how we can solve this problem with the help of existing products.
If you are still reading this, thank you so much. Nothing gives me more joy than providing value to others. Please feel free to write your views on this topic in the comments below.
You can also write a mail to me at rajnishkush2@gmail.com if you want to discuss anything ranging from politics to products and everything in between.
Or, if you’re in KGP, let’s catch up at Chedis.
loved the meme and the write up of course!
Great Title.