I am writing to warn people about a shocking security hole that has allowed a local WASP to randomly deduct money from my cell phone account without my permission. What's worse is that these arrogant knuckleheads refuse to even admit there is a problem, in spite of the fact that R70 was deducted from my phone account in a single month, and I only discovered the problem when my airtime ran out.
What's worse is that even if you send a "STOP" message, the initial amount is still deducted because they "know" that "your" number requested premium content from their system, so why should they refund it?
Here's how it works: If you go to the following URL from your phone, and click on the sign up button, they will deduct R14 from your phone account every 3 days. That's around R140 per month for basically nothing. If you do the same thing from your PC browser, you get an error message.
http://mobilewap1.oit.co.za/?c=206
The reason for this is that the server gets your cell phone number behind your back without your permission. This is called the MSISDN number, and mobile phones on the GSM network seem to be happy to give out this information to any web site that knows how to ask.
What they are supposed to do, in terms of the WASPA code of conduct, is send a message to your phone asking you to confirm that you wish to subscribe. After all, R14 is not a trivial sum. They don't. They are so confident that they already "know" it's your phone that they leave out this step. Now for the scary part:
Add in an extra bit from a PC browser and you can fool the server into believing it has already detected your MSISDN
http://mobilewap1.oit.co.za/?c=206&msisdn=27841942222
In this case the number is 084-194-2222 with the country code 27 at the front. It's a call centre for the company performing this ripoff. Of course you could also use their fax number (27.86.525.7845) and they'd be none the wiser.
Worse still, there is little or no number checking, so you can add random digits on the end to create multiple subscriptions on the same number. Also, landline numbers are not excluded, so a number like 27114613294 (which is out of service) can be used. I have no idea whether they can actually deduct money from land line numbers, but I wouldn't be surprised if they tried.
What happens next is that a page is displayed which allows you to subscribe this number to the "service", or if it has already been subscribed, you can view the "goods" on offer, in this case a few crappy GIF files that no one in their right mind would pay R14 for. Such are the joys of the mobile phone industry.
Even more disturbing is that the SMS message that would allow the subscriber to "STOP" the subscription (after the R14 is already deducted) is sent to an out of order land line, making it difficult to unsubscribe, or even be aware of the subscription in the first place.
Doing this kind of thing from a PC browser would lead them to discover your IP address and send you nasty letters, so don't do it! However, I also happened to stumble upon the Opera Mini browser, at
http://www.opera.com/mobile/demo/
This obscures your IP address and allows you to see how the phone would behave.
So now a hacker could type in the URL into the mobile demo, make up a cell phone or land line number, and subscribe that unsuspecting person to a "service" that costs R14 every 3 days until stopped. You could do it to your boss, or your husband's mistress, or anyone else you don't like. Or you could use it to rob some poor pay-as-you-go subscriber of his/her precious airtime that he/she can barely afford in the first place. Did I mention the "service provider" is a UK company with a post box in Hong Kong?
The "206" part of the URL is the one that caught me, but there are plenty of other valid numbers that work as well. All I can say is that most of the screen backgrounds and "videos" are pathetic, and certainly not worth the money.
Not only is this totally wrong and unfair, but it clearly goes against what the WASPA Code of Conduct requires. I have complained to WASPA and the UK bunch have tried to discredit me and say that I'm a liar, and that there is nothing wrong with their method or their system. I can only hope that by bringing it to the attention of the wider IT community we can pressure the company to mend their ways and fix their system.
The UK company is Morvec, offering a service called "Go Go Mobile". The local billing company is Opera Interactive and/or OxyGen8. This saga has been going on since the end of May and I'm now gatvol.
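The two defects described in this post are that the server trusts a subscriber number supplied in the query string, and that it bills before the handset has confirmed anything. The following is an added illustration (not the WASP's code or anything from the original post) of how a subscription endpoint should handle both: the MSISDN is accepted only from a header injected by a trusted carrier gateway (the header name `X-MSISDN` and the gateway address are assumptions), the `msisdn` query parameter is ignored, and billing starts only after the handset itself replies with a one-time confirmation code, as the WASPA code of conduct expects. All numbers and addresses are constructed.

```python
from dataclasses import dataclass, field
from typing import Optional
import hmac
import secrets

TRUSTED_GATEWAY_IPS = {"10.0.0.5"}   # constructed: carrier WAP gateways we accept MSISDNs from
MSISDN_HEADER = "x-msisdn"           # assumed header name; real gateways differ

def resolve_msisdn(remote_ip: str, headers: dict, query: dict) -> Optional[str]:
    """Return the subscriber number only when asserted by a trusted gateway.
    Anything in the query string (e.g. ?msisdn=...) is deliberately ignored,
    so a PC browser or Opera Mini cannot nominate someone else's number."""
    if remote_ip not in TRUSTED_GATEWAY_IPS:
        return None
    value = {k.lower(): v for k, v in headers.items()}.get(MSISDN_HEADER)
    # Basic sanity: E.164 digits only, plausible length; no trailing junk digits
    if value is None or not value.isdigit() or not 10 <= len(value) <= 15:
        return None
    return value

@dataclass
class SubscriptionService:
    pending: dict = field(default_factory=dict)   # msisdn -> one-time confirmation code
    active: set = field(default_factory=set)
    billed: list = field(default_factory=list)    # (msisdn, rand amount) records

    def request_subscription(self, remote_ip: str, headers: dict, query: dict) -> str:
        """Step 1 (web): never bill here; only issue a confirmation request."""
        msisdn = resolve_msisdn(remote_ip, headers, query)
        if msisdn is None:
            return "error: subscriber number could not be established"
        code = secrets.token_hex(3)
        self.pending[msisdn] = code
        # Simulated SMS send; a real system hands this to the SMSC
        return f"sms to {msisdn}: reply {code} to confirm R14 every 3 days"

    def confirm(self, from_msisdn: str, reply_text: str) -> bool:
        """Step 2 (SMS): the originating number comes from the SMSC, not the web.
        Billing starts only when the handset replies with the matching code."""
        expected = self.pending.get(from_msisdn)
        if expected is None or not hmac.compare_digest(expected, reply_text.strip()):
            return False
        del self.pending[from_msisdn]
        self.active.add(from_msisdn)
        self.billed.append((from_msisdn, 14))
        return True
```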

They have kept their side of the deal and I'm happy to keep mine, which was an undertaking not to write any more blog articles about them. Fortunately I haven't needed to.
Now I discover that anyone with a browser can subscribe anyone else to one of these "premium content" (pardon me while I throw up) services, and the only thing the consumer can do in self-defence is to unsubscribe! That's assuming they actually get the SMS telling them they have been subscribed. In my case there were no "welcome" messages at all - I discovered I had been billed when my airtime ran out.