An industry investigation revealed airtime theft on a mass scale from Vodacom’s prepaid customers, with fraudsters using a gateway developed by the mobile operator to bill victims.
The results of this investigation were provided to MyBroadband on the condition that the source remains anonymous because of the organisation’s relationship with Vodacom.
The investigation, which involved hundreds of thousands of SIM cards across all networks, showed fraudulent WASP billing on a large number of Vodacom prepaid SIMs.
What makes this investigation unique is that it included many SIMs used in IoT devices. It is impossible for these devices to subscribe to a WASP service via USSD or SMS.
Many of the SIMs which were targeted have been in the same IoT devices for many years, which eliminates the possibility of recurring billing a recycled number.
This therefore provides conclusive proof that airtime theft is occurring on Vodacom SIMs, bypassing the subscription and double opt-in requirements for WASP services.
One industry player told MyBroadband this investigation clearly shows the promise of strictly enforcing a fraud-proof “double-opt-in” system never materialised.
“That is why literally any random Vodacom SIM can still be subscribed to WASP services,” the industry player said.
Here is an example of a Vodacom prepaid SIM – used in a wireless machine-to-machine device since 2014 – which suddenly started to get billed for a “Vodacom Add To Bill” service.
How the airtime theft on Vodacom’s network happens
The majority of the airtime theft which was seen this year occurred using Vodacom’s own “Charge To Bill” gateway.
“Using Charge To Bill as a payment method allows for Vodacom customers to purchase premium content using their Vodacom account,” Vodacom said.
Vodacom’s Charge To Bill API enables content providers to subscribe users to their services and bill them for the content.
There is, however, a problem. According to the information provided to MyBroadband, the system allows rogue WASPs to fraudulently bill subscribers.
What makes the situation worse is that Vodacom allows WASPs which are not Wireless Application Service Providers’ Association (WASPA) members to bill Vodacom clients.
WASPA has a strict Code of Conduct which members must adhere to. Offenders face sanctions like fines or even suspension.
Fraudulent WASPs can, however, easily bypass the WASPA Code of Conduct and sanctions by using Vodacom’s Charge To Bill service.
WASPA GM Ilonka Badenhorst told MyBroadband they do not have jurisdiction over services where mobile operators do not require their partners to be members of the organisation.
She did, however, say that mobile operators ask WASPA to monitor the market and report findings on potential non-compliant activities.
MyBroadband has received information that there are so many fraudulent transactions that the Vodacom team handling this issue is “swamped”.
This is resulting in long turnaround times to suspend fraudulent WASPs. During this time, Vodacom subscribers’ airtime is stolen with impunity.
These rogue WASPs typically target prepaid SIMs, as WASP billing is not easily detected as there is no bill.
The majority of this airtime theft affects poorer segments of society which are not aware of rogue WASP billing.
Airtime theft has been happening for years
Rogue WASPs have been stealing airtime from South Africans for over a decade, and Vodacom is well aware of this problem.
What infuriates mobile subscribers and many mobile industry players is that it is easy to resolve this problem – block all WASP billing by default.
This gives mobile subscribers the power to say who can take money from their account, which is exactly how it should work.
Vodacom, however, stands to lose a lot of money if they implement this solution, and to date, this has not happened.
Telkom is the only large operator which blocks WASP billing by default on its network and therefore does not have this problem.
Instead, Vodacom is continually implementing new measures to limit fraudulent billing, but twelve years later, widespread airtime theft continues.
As soon as Vodacom implements a new measure to fight airtime theft, the fraudsters find a way to bypass it.
MyBroadband learned that many Vodacom executives are unhappy about the continued airtime theft which mostly affects their poorer subscribers.
To try to address the issue internally, however, causes conflict, as other executives are defending this revenue stream due to their bonuses depending on it.
MyBroadband asked Vodacom why it allows companies to fraudulently bill their subscribers and steal their airtime.
The operator said it rejects the allegation, in the strongest possible terms, that it is fraudulently targeting certain customers and that it allows fraudulent activity on its network.
“We will investigate any instance where a customer feels they are being overcharged. For this we need the customer’s MSISDN / mobile number,” it said.
Vodacom said it introduced and enabled content blocking on all M2M and IoT SIMs in December 2018.
“This prohibits content subscriptions and purchases such as WASP services, Direct Carrier Billing (DCB) and Vlive services on these SIMs as well as on M2M / IOT tariff plans,” it said.
The company added that it does not allow WASP billing without double opt-in.
“To the contrary, Vodacom has implemented double opt-in on all WASP services through a USSD NI mechanism,” the company said.
Commenting on why it does not block WASP billing by default and give users the choice to enable it if they want, Vodacom said it is not the industry standard.
“Similar services around the world, such as Apple iStore and Google Play, are active by default and provide customers with the convenience of paying for content services and subscriptions without having to continually re-enter credit card/payment details,” Vodacom said.
“Through the Vodacom payment platform, for example, customers can subscribe to the likes of Showmax, Deezer, and Office 365 in addition to hundreds of games, sport, and small business services.”
“For customers that prefer not to have or use credit cards, this means they can access and subscribe to services that they might otherwise not have access to.”
Vodacom said customers have access to a self-service control system that enables them to block their SIMs for all WASP and other content services. This is accessible via the *117# USSD string.