MyBroadband recently conducted a test to determine whether “disappearing airtime” was prevalent on South Africa’s mobile networks.
During the test, we found that airtime on our MTN SIM was being deducted due to a WASP subscription which we were fraudulently subscribed to.
The SIM was subscribed to the MTN content service while the device was off and we did not receive any confirmation or double opt-in SMS prompt.
MTN confirmed that the subscription was fraudulent, adding that it was the product of malicious bots which subscribed customers to MTN’s content services.
“These bots mimic the behaviour of customers and have the ability to approve opt in and double opt in through web/WAP,” MTN said.
MyBroadband asked MTN for the subscription request logs and for more information regarding the nature of the attack.
MTN said the attack was conducted using MSISDN spoofing and header enrichment.
The mobile operator said the MSISDN of our MTN SIM was captured in website headers, and subsequently injected by a bot into subscription request headers.
“The MSISDN was captured in website headers and that’s where a bot used header enrichment to spoof the MSISDN and in the process injected the MSISDN at random,” MTN said.
The subscription logs contained a number of data fields, including the origin of the request which MTN identified as Olimob.
“The traffic for this subscription has originated from an affiliate called Olimob. MTN only receives publisher ID and are therefore dependent on the ad network,” it said.
The logs sent by MTN to MyBroadband were consistent with MSISDN spoofing via header enrichment, as the “device_user_agent” field did not contain any value.
This field usually contains an identifier for the type of device or browser the request originated from.
MyBroadband therefore asked MTN why a subscription request without any information in this data field was not flagged as suspicious by its fraud detection system.
MTN SA executive for corporate affairs Jacqui O’Sullivan said that all requests go through fraud detection to identify spoofing.
“We also check headers from the network and IP address to ensure the user is on MTN and no other network,” she said.
Responding to questions regarding why the empty “device_user_agent” field was not flagged, O’Sullivan said this field is only recorded in some cases.
“When traffic is sent through Opera Browser, the user-agent field comes through as Opera and not the actual device, therefore, only for Opera traffic will device-user-agent and user-agent be recorded,” she said.
“For MTN traffic hitting Mobi Media’s programmatic banners and pages, Mobi Media are guaranteed that the MSISDN is MTN from the header and IP, thus they did not update the database as that is a new field that Mobi Media have for other global operators where they need to record the operator.”
Despite these filtering and fraud detection systems, our MTN SIM was still fraudulently subscribed to a WASP – and our airtime stolen.
MTN said it is in the process of overhauling its security and customer protection systems.
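The checks discussed above (the empty "device_user_agent" field, the Opera logging rule, and confirming via header and IP that the request came from the operator's network) can be expressed as review rules over subscription request records. This is an added example, not MTN's or Mobi Media's code; the gateway range, the sample records and every field name other than "device_user_agent" are assumptions.

```python
import ipaddress
from collections import Counter

# Constructed stand-in for the operator's header-enrichment gateway egress
# range (a documentation CIDR, not a real MTN range).
OPERATOR_GATEWAYS = [ipaddress.ip_network("198.51.100.0/24")]

def review_request(rec):
    """Return the reasons a subscription request should be held for review."""
    reasons = []
    ua = (rec.get("user_agent") or "").strip()
    device_ua = (rec.get("device_user_agent") or "").strip()
    try:
        src = ipaddress.ip_address(rec.get("source_ip") or "")
        from_gateway = any(src in net for net in OPERATOR_GATEWAYS)
    except ValueError:
        from_gateway = False
    # An enriched MSISDN is only trustworthy when the operator's gateway added it.
    if rec.get("msisdn") and not from_gateway:
        reasons.append("msisdn_from_untrusted_source")
    # A request with no User-Agent at all did not come from an ordinary browser.
    if not ua:
        reasons.append("missing_user_agent")
    # Per the logging rule quoted above, Opera traffic should carry both fields.
    if "opera" in ua.lower() and not device_ua:
        reasons.append("opera_without_device_user_agent")
    return reasons

def held_by_publisher(records):
    """Count held requests per publisher ID, the only origin field the operator sees."""
    return Counter(r.get("publisher_id", "unknown") for r in records if review_request(r))

# Constructed sample records; every value is invented for illustration.
SAMPLE = [
    {"msisdn": "27000000001", "source_ip": "198.51.100.17", "publisher_id": "pub-A",
     "user_agent": "Mozilla/5.0 (Linux; Android 9)", "device_user_agent": ""},
    {"msisdn": "27000000002", "source_ip": "203.0.113.9", "publisher_id": "pub-B",
     "user_agent": "", "device_user_agent": ""},
    {"msisdn": "27000000003", "source_ip": "198.51.100.40", "publisher_id": "pub-C",
     "user_agent": "Opera/9.80 (J2ME/MIDP; Opera Mini)", "device_user_agent": ""},
]

if __name__ == "__main__":
    for rec in SAMPLE:
        print(rec["msisdn"], review_request(rec) or "ok")
    print(dict(held_by_publisher(SAMPLE)))
```

Grouping held requests by publisher ID shows which affiliate traffic sources account for the suspicious subscriptions, since that is the only origin information the operator said it receives.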