MyBroadband recently published an article based on information from a prominent industry player who alleged a security flaw in MTN’s network which allows rogue WASPs to “secretly” subscribe users to content services and steal their airtime.
The industry source, who asked to remain anonymous, told MyBroadband this weakness showed that MTN is not adequately protecting its subscribers against rogue WASPs.
He said the flaw may look like a system bug, but it is more likely a proactive measure by rogue WASPs and potentially MTN employees to commit fraud.
Two of the main issues raised by the industry source are:
- There is a fake “subscription problem” message, despite the fact that a person is subscribed to the service.
- There is no welcome SMS when a person is subscribed to some WASP services.
A live demonstration, embedded below, shows the subscription process and the fact that no welcome SMS was sent to the MTN subscriber.
MTN disputes the demonstration
MTN disputed these claims, saying the video does not represent a real-world scenario and that no airtime theft took place.
MTN SA’s executive for corporate affairs, Jacqui O’Sullivan, provided a comprehensive description of their concerns, outlined in the statement below.
Following the publication of your article “MTN security flaw allows ‘secret’ airtime theft – Industry insider” of 3 September 2020, MTN launched and has now completed a full investigation of this incident. Our investigation has revealed some significant concerns as to the accuracy of the article which we believe to be as a consequence of the information you were provided.
We consider these claims in a very serious light and we have been detailed in our analysis of the claims. From the outset we have concerns with several anomalies in how the platform was used to secure the intended result:
- The journey demonstrated in the article shows the user copying and pasting a previously generated unique MTN Double Opt-In (DOI) URL address of our Confirmation page, rather than clicking on a banner or being directed to the landing page which we know to be the behaviour we would expect from consumers. This is a manipulation of the process and offers no evidence of the Content Partner in question actually designing their journeys in this way.
- The video shows the user clicking on the “Confirm” button on the DOI page in order to confirm their subscription. This URL is the “Confirm” page which is rendered after a customer has clicked the “Subscribe” button during the first URL page of the journey. The video shows an error in the creation of the subscription although after another attempt the subscription succeeds, which is the intent of the confirmation step. To this end, the user is confirming their subscription, and this then appears on the *155# USSD menu while the activation of the subscription is pending.
- However, the subscription was never actually successfully activated and as a result a confirmation SMS was never sent, and the transaction was never billed. This happened because the suspicious transaction was blocked by our fraud protection systems. The SMS is only sent once the subscription is successfully activated.
Furthermore, we have found that this demonstration was conducted on a test link and ultimately this means that the subscription was never activated and therefore the MSISDN would not have been billed. Our findings are clear that there was no security breach on MTN’s part and further that no fraud occurred in this instance.
You will recall that in May 2018 MTN launched a consumer-focused Treating Customers Fairly policy across all its operations in continued efforts to protect customers and ensure fairness for those interacting with its Digital Services.
The policy required that all MTN Digital Content providers, including WASPs, had to implement stringent business rules on all services offered to MTN customers. Today, these rules have been implemented at MTN to ensure all content providers are compliant. Furthermore, MTN has conducted in-depth checks and ensured that all its technology partners and other stakeholders adhere and comply with the Consumer Protection Act. The implementation of these rules is subject to an annual audit to ensure that compliance continues to be maintained.
Once a subscription is activated, a welcome SMS is sent to customers advising them of the service they have subscribed to, the cost of the service, the frequency of charging, our call centre number to dial and the *155# USSD code which can be used to cancel services at any time. A significant proportion of our services offer the 1st day free which allows a customer to test the service within the first 24 hours. Should they cancel within 24 hours they will not get charged at all. While the subscription is in a pending state, our software also does additional checks for suspicious transactions and proactively cancels these transactions if it picks up any shortcomings. We do this to ensure that any breaches by malware and bots do not result in charges to our customers. We also send a weekly SMS to customers, for each daily service, alerting them to the fact that they are subscribed to a service(s), including the price of the service and including a link to unsubscribe which is mainly *155#.
Additional prevention measures taken by MTN include:
- Implementation of the ICASA Premium Rated Services spend limit where customers may set limits on their airtime account to be spent on Premium-rated services (IVR, USSD and SMS), App Stores (currently Google Play Store) and Entertainment (all Content services). We did this although this initiative was not prescribed by ICASA. A customer can dial *155# to change these limits.
- Implementation of the ICASA Premium Rated Services blocking functionality that blocks all charges requested by Premium-Rated Services and Entertainment Content services. A customer can dial *155# to set their limits to zero and ensure that they cannot be charged for content services.
- Implementation of “Double opt-in” across all services to increase subscription security and ensure that customers take greater control of their Entertainment spend.
- Clear and simplified user journeys and short codes to easily unsubscribe from any content services. One string, namely *155#, to manage all content. Alternatively, a customer can use the MTN App, go to “more” and see “subscriptions” for services that they are subscribed to.
- Implementation of Web fraud protection on all WASP and Content Partner services to block bots, malware and suspicious traffic which attempt to fraudulently auto-subscribe our customers.
- Blocking and optimizing affiliate partner traffic directed to MTN content and rich media service banner ads.
While we have taken all these actions to improve the entire ecosystem around our WASP services, we accept that nothing is infallible. We are committed to doing everything within our power to protect our customers and, if there are weaknesses that we are not aware of, these must be brought to our attention. Should industry players not feel comfortable dealing directly with an operator such as MTN, the Wireless Application Service Providers’ Association (WASPA) exists to regulate this space and is always open to input. If there is a sense that coming directly to MTN is not producing the desired results, that too needs to be escalated to myself, or to our Chief Digital Officer or our MTN SA CEO.
We will not tolerate any abuse of our customers and MTN calls on any person who believes concerns are not being addressed to urgently bring it to our attention through myself ([email protected]) or through our Chief Digital Officer ([email protected]).
While we understand this request may attract some negative publicity for MTN SA, our reputation is worth nothing if genuine concerns are being overlooked or, worse still, ignored. We welcome any industry or customer feedback on our WASP business, and we reiterate our commitment to always acting in the best interest of our customers.
Following MTN’s statement to MyBroadband, we decided to investigate the WASP subscription process to see if we could reproduce the problem.
To remove potential issues with clickjacking, MyBroadband used MTN’s USSD menu to test WASP subscriptions.
MyBroadband investigated various scenarios, including stopping halfway through a subscription, cancelling a subscription, and receiving an error message during a subscription.
In all these cases the results were the same – MTN’s system showed that the number was subscribed to the WASP service.
In none of these cases was there a welcome SMS, which is what the original complaint from the industry player was about.
There was, however, a strange anomaly. In each of these cases, no money was deducted from the account.
While it is not clear whether these subscriptions may be actioned in future, it seems that MTN’s system shows active subscriptions without deducting money from the account.
With widespread WASP subscription fraud affecting thousands of MTN subscribers over the last decade, the problem should concern the mobile operator.
When MyBroadband asked MTN about this issue, the company said it is not a bug but rather a pro-active decision.
“MTN made a decision to display pending subscriptions so that customers who were interrupted could find their pending subscriptions and activate them,” MTN said.
“We agree that this can cause confusion for customers and we are in the process of changing this so that only active subscriptions are displayed.”
MyBroadband pointed out that this does not only happen with pending subscriptions but also cancelled subscriptions.
MTN said it had misunderstood the query, but to date it has not explained why cancelled subscriptions are shown as active by its system.
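To make the lifecycle in MTN’s statement and the display behaviour MyBroadband observed concrete, here is an added Python model; it is not MTN’s code, and the state names, function names and the placeholder number are assumptions. It shows that a welcome SMS and a charge follow only from activation, and that a *155# listing which surfaces pending and cancelled entries produces exactly the “subscribed but never billed” anomaly, which the reconciliation check at the end flags.

```python
from dataclasses import dataclass
from enum import Enum

class State(Enum):
    PENDING = "pending"      # Confirm clicked on the DOI page; activation not yet run
    ACTIVE = "active"        # activated: welcome SMS sent and charging may begin
    CANCELLED = "cancelled"  # blocked by the fraud check or cancelled by the customer

@dataclass
class Subscription:
    msisdn: str
    service: str
    state: State = State.PENDING
    welcome_sms_sent: bool = False
    charged: bool = False

def confirm_double_opt_in(msisdn, service):
    """Second DOI step: the customer clicks Confirm. Entry is PENDING, nothing billed."""
    return Subscription(msisdn, service)
def run_activation(sub, suspicious):
    """Activation of a PENDING entry: clean -> ACTIVE (SMS + charge), suspicious -> CANCELLED."""
    if sub.state is State.PENDING:
        if suspicious:
            sub.state = State.CANCELLED
        else:
            sub.state = State.ACTIVE
            sub.welcome_sms_sent = True   # welcome SMS only on successful activation
            sub.charged = True            # a free-first-day service would defer this
    return sub
def cancel(sub):
    sub.state = State.CANCELLED           # customer cancels via *155#
    return sub
def menu_as_observed(subs):
    """*155# listing that shows every entry, pending and cancelled included."""
    return [s.service for s in subs]
def menu_active_only(subs):
    """The corrected listing MTN said it was moving to: ACTIVE entries only."""
    return [s.service for s in subs if s.state is State.ACTIVE]
def shown_but_not_live(subs, menu):
    """Reconciliation: services listed as subscribed although no welcome SMS was sent."""
    listed = set(menu(subs))
    return sorted(s.service for s in subs if s.service in listed and not s.welcome_sms_sent)
def sample_subscriptions():
    """Constructed sample: one placeholder number in each of the four outcomes."""
    n = "2783XXXXXXX"  # placeholder MSISDN, not a real number
    return [confirm_double_opt_in(n, "svc-pending"),
            run_activation(confirm_double_opt_in(n, "svc-blocked"), suspicious=True),
            cancel(confirm_double_opt_in(n, "svc-cancelled")),
            run_activation(confirm_double_opt_in(n, "svc-live"), suspicious=False)]
```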
The videos below show the results of the investigation into WASP subscriptions using MTN’s USSD menu.