# Your WhatsApp OTP flow is a donation to Telkomsel

Reza · English · Web Development · June 29, 2026

How Indonesian startups waste millions on silent SMS fallbacks and basic bot attacks, and how to stop it today.

Tags: web-development, security, indonesia
Last month, a local client at Kilau Berlian asked me why their verification bill spiked to 45 million Rupiah in a single week. They only had a few thousand active users. When I dug into the logs, I found a basic botnet triggering OTPs, failing the WhatsApp delivery, and forcing our system to silently fall back to carrier SMS.

You are essentially subsidizing the telcos. Every failed WhatsApp message that silently cascades into a carrier SMS is a Rp 500 donation straight to Telkomsel or XL Axiata, paid directly out of your runway.

## The auto-fallback loop is a financial trap

Most devs set up their auth flow to send a WhatsApp OTP, wait fifteen seconds, and automatically trigger an SMS if the API doesn't return a delivered status. They think this makes the login process seamless for the user.

What actually happens is that Indonesian mobile connections are patchy. A user sitting in a Gojek ride loses signal for ten seconds, the WhatsApp message queues, your server panics, and it immediately fires a premium SMS. By the time the user gets signal back, they receive both, and you get billed for both.

Stop automating the fallback. Make the user physically click a "Send via SMS" button, and only show that button after a strict 60-second cooldown timer has expired.

## IP rate limiting does not stop Indonesian botnets

When I was building Deadsec, I realized how easy it is for attackers to rent cheap proxy networks in Indonesia. Most junior devs think a basic rate-limiting middleware on their Express server will save them. It won't. Spammers rotate through thousands of residential Telkomsel and Indosat IP addresses. Your server sees unique IPs, but the target phone numbers are often sequential or targeting the same small group of users.

You must rate-limit by the destination phone number and the device fingerprint. If a single phone number requests more than three OTPs in an hour, block it completely, no matter how many different IPs the requests came from.
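The two rules above (no automatic SMS fallback, limits keyed on phone number and device fingerprint rather than IP) as one policy object. This is an added example, not code from the article or from any of the projects it mentions; the phone numbers, device ids and the injectable clock are assumptions made so it runs offline.

```javascript
// Added example, not code from the original article. OTP request policy keyed
// by destination phone number and device fingerprint rather than source IP.
// Limits follow the article: max 3 OTPs per phone per hour, a 60-second resend
// cooldown, and SMS only when the user explicitly asks for it after the cooldown.
const HOUR_MS = 60 * 60 * 1000;
const COOLDOWN_MS = 60 * 1000;
const MAX_PER_HOUR = 3;

class OtpPolicy {
  // `now` is injectable so the policy can be exercised with a fake clock.
  constructor(now = () => Date.now()) {
    this.now = now;
    this.history = new Map(); // "phone:<n>" / "device:<id>" -> send timestamps
  }

  // Drop timestamps older than one hour and return what remains for the key.
  recent(key) {
    const cutoff = this.now() - HOUR_MS;
    const kept = (this.history.get(key) || []).filter((t) => t > cutoff);
    this.history.set(key, kept);
    return kept;
  }

  // Decide whether an OTP may be sent. Returns { ok: true, channel } or { ok: false, reason }.
  request({ phone, deviceId, channel, userRequestedSms = false }) {
    const now = this.now();
    for (const key of [`phone:${phone}`, `device:${deviceId}`]) {
      const sends = this.recent(key);
      // Hard block once the hourly budget is spent, regardless of source IP.
      if (sends.length >= MAX_PER_HOUR) return { ok: false, reason: `blocked:${key}` };
      // Resend cooldown: no second message of any kind inside 60 seconds.
      const last = sends[sends.length - 1];
      if (last !== undefined && now - last < COOLDOWN_MS) {
        return { ok: false, reason: 'cooldown', retryInMs: COOLDOWN_MS - (now - last) };
      }
    }
    // Never fall back to SMS automatically: the user must click "Send via SMS".
    if (channel === 'sms' && !userRequestedSms) return { ok: false, reason: 'sms_requires_user_action' };
    if (channel !== 'sms' && channel !== 'whatsapp') return { ok: false, reason: 'unknown_channel' };
    this.recent(`phone:${phone}`).push(now);
    this.recent(`device:${deviceId}`).push(now);
    return { ok: true, channel };
  }
}
```

A fourth request from the same phone, or from the same device fingerprint on a different phone, is refused inside the hour even though every request may have arrived from a different IP; the budget frees up only as the hour window slides past the earlier sends.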
## Run your OTPs through a local gateway

At Flowcast, we built custom routing rules because global providers like Twilio charge a heavy premium for routing to Indonesian carriers. If you are using US-based API gateways for domestic Indonesian users, you are burning money on currency conversion and global transit fees. Local aggregators have direct pipelines to the local telcos. They route messages faster and charge significantly less per hit.

Also, consider using WhatsApp Interactive Buttons instead of text codes. Having the user click a button that sends a pre-filled message back to your business account is cheaper than sending an outbound template message, and it cannot be easily automated by basic API spam bots.

Go to your login codebase tonight and change the OTP resend cooldown from 15 seconds to 60 seconds. Delete the line of code that automatically triggers an SMS when WhatsApp fails, and force the user to request it manually.