Cellular | 28.06.2024

Telkom security flaw allowed dodgy R3 per day subscriptions

A security vulnerability in Telkom’s systems allowed wireless application service providers (WASPs) to subscribe users to premium content services and make it look legitimate.

These premium content services typically bill subscribers daily, deducting amounts from airtime or adding them to contract customers’ bills.

The issue was discovered last year when MyBroadband reader Brandon Hardy was subscribed to a WASP while randomly browsing, causing him to investigate what was happening.

Hardy discovered that the attackers buy advertising space on websites that provide access to pirated content and other taboos. The ads run code targeting South African IP addresses.

Once it detects a Telkom subscriber, it secretly loads a Telkom URL in the background that subscribes them to these scam content providers.

The Telkom URL looks like it’s part of the network operator’s WASP double opt-in system application programming interface (API).

Because the Telkom URL was susceptible to cross-site scripting, an attacker could run their own code in the background that subscribed the user to a WASP without any interaction on the user's part. As described, the attack relies on a third-party page making the victim's browser issue the subscription request itself, which is also the pattern of a cross-site request forgery; either way, the request originates from the subscriber's own device and IP address.

“It looks like a valid subscription since it was done using the user’s device, and there are logs to back it up, so they get away with it,” Hardy said.
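The following is an added illustration of the control that defeats the attack described above; it is not Telkom's, Akinga's or MyBroadband's code, and the endpoint shape, the operator consent origin and the sample MSISDN are assumptions. A subscription is completed only by a POST that the browser itself marks as coming from the operator's own consent page, carrying a one-time token that page issued, so a URL loaded in the background by another site cannot subscribe anyone, and the audit record shows the consent token rather than just the subscriber's device address.

```python
import secrets
import time

# Assumed operator consent origin; the real domain is not given on the page.
OPERATOR_ORIGIN = "https://consent.operator.example"
TOKEN_TTL_SECONDS = 300


class ConsentServer:
    """Two-step (double opt-in) subscription flow with cross-site protections."""

    def __init__(self, now=time.time):
        self.now = now
        self.pending = {}        # one-time token -> (msisdn, service, issued_at)
        self.subscriptions = []  # confirmed (msisdn, service, token)
        self.audit = []          # (decision, msisdn, service, client_ip) for investigators

    def render_consent_page(self, msisdn, service):
        """Step 1: only the operator's own consent page issues a token."""
        token = secrets.token_urlsafe(24)
        self.pending[token] = (msisdn, service, self.now())
        return token

    def confirm(self, msisdn, service, token, method, headers):
        """Step 2: the user submits the token from the operator's page."""
        decision = self._decide(msisdn, service, token, method, headers)
        # Log the decision with the token outcome, not merely "request seen from device".
        self.audit.append((decision, msisdn, service, headers.get("X-Forwarded-For")))
        if decision == "subscribed":
            self.subscriptions.append((msisdn, service, token))
        return decision

    def _decide(self, msisdn, service, token, method, headers):
        # A navigation, <img> or <script> load is a GET; consent must be a POST.
        if method != "POST":
            return "rejected: method"
        # Origin and Sec-Fetch-Site are set by the browser and cannot be overridden
        # by page script; a request started from another site carries that site's
        # Origin and Sec-Fetch-Site: cross-site. A missing header fails closed.
        if headers.get("Origin") != OPERATOR_ORIGIN:
            return "rejected: origin"
        if headers.get("Sec-Fetch-Site") != "same-origin":
            return "rejected: fetch-site"
        entry = self.pending.pop(token, None)  # one-time use: consumed on first try
        if entry is None:
            return "rejected: unknown token"
        t_msisdn, t_service, issued = entry
        if (t_msisdn, t_service) != (msisdn, service):
            return "rejected: token mismatch"
        if self.now() - issued > TOKEN_TTL_SECONDS:
            return "rejected: token expired"
        return "subscribed"


def demo():
    """Replays the scenarios from the article against the hardened endpoint."""
    srv = ConsentServer()
    msisdn, service = "27820000000", "FaithFirstTV"  # constructed sample subscriber
    pirate = {"Origin": "https://pirate-site.example", "Sec-Fetch-Site": "cross-site"}
    # 1. Ad script on a pirate site loads the subscription URL in the background.
    background = srv.confirm(msisdn, service, "", "GET", pirate)
    # 2. Even with a leaked token (simulated by issuing one directly), a POST from
    #    the pirate site still carries its own Origin and is refused.
    leaked = srv.render_consent_page(msisdn, service)
    cross_site = srv.confirm(msisdn, service, leaked, "POST", pirate)
    # 3. The real user submits the form on the operator's own consent page.
    genuine = {"Origin": OPERATOR_ORIGIN, "Sec-Fetch-Site": "same-origin"}
    token = srv.render_consent_page(msisdn, service)
    accepted = srv.confirm(msisdn, service, token, "POST", genuine)
    # 4. Replaying the already-used token fails because it was consumed.
    replay = srv.confirm(msisdn, service, token, "POST", genuine)
    return background, cross_site, accepted, replay


if __name__ == "__main__":
    for outcome in demo():
        print(outcome)
```

The point of the audit record is the one Hardy raises: a log line saying "request received from the subscriber's handset" proves nothing, whereas a log line tying the subscription to a token that only the operator's consent page could have issued, submitted same-origin, is evidence of consent.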

Rogue WASPs have been a massive headache for South African cellular subscribers for more than a decade.

Despite stealing billions from unsuspecting victims over the years, none of the perpetrators have faced fraud charges and not a single arrest has been made.

Although the industry has self-regulated by establishing the Wireless Application Service Providers’ Association (WASPA), bad actors could simply choose not to become members, and so were never subject to its code of conduct.

These dodgy players were allowed to act with impunity for years, even as mobile operators implemented systems to curb the fraud.

While cellular operators played cat-and-mouse with rogue WASPs, they steadfastly refused to block WASP billing by default, which would have shut the problem down at the source.

Telkom’s mobile operator used to be a shining beacon in this regard — completely disallowing premium content services on its network.

Unfortunately, it walked back this pro-consumer decision several years after its initial launch in 2010.

Hardy, who is from the United States and worked with carrier billing in the late 2000s, said he was surprised South Africa still allowed these services on its networks.

“We had similar problems in the US over a decade ago, and these scammers have all been shut down largely,” he said.

[Image: Example of a legitimate WASP subscription menu]

Hardy reported the issue to WASPA, but the industry association closed his complaint, citing a lack of jurisdiction.

MyBroadband looked into the WASP in question, as the SMS notifications users received about the fraudulent subscriptions made it seem like Telkom was complicit.

For example, one read: “You subscribed to FaithFirstTV – R3.00/day. Visit tklm.plus/REDACTED. Unsub: *179#. Help: 180. Failed charges will be retried after renewal. More T&C: Telkomplus.co.za”

After unsubscribing, one MyBroadband forum member received the following message: “You have insufficient credit or been unsubscribed: 104, FaithFirstTV, provided by AKINGA VERTICAL SERVICE PROVIDER (PTY) at R 0.03 RecurringDaily. Telkom Mobile”

Telkom Plus is the mobile operator’s own WASP service, which is powered by Akinga VSP.

WASPA last fined Akinga for violating its code of conduct in 2021.

MyBroadband contacted Akinga for comment, and the company explained that it is a master aggregator and not the content provider itself.

Telkom said it would investigate the issue, and if it found that any WASP exploited the vulnerability, it would “act accordingly”.

MyBroadband had already notified Telkom about the security vulnerability last year to arrange for coordinated disclosure.

The company immediately shut the offending API down while investigating the matter.

“Our partner has implemented two independent anti-fraud providers on each step of the subscription consent process,” a Telkom spokesperson told MyBroadband.

“This is in order to protect our systems against malicious attacks. These providers are specialists in the area and help us to monitor, analyse and block any suspicious incoming traffic.”

Telkom said it was testing a third provider to help detect fraud.

“As a safety measure our partner has removed the code in question until there is a satisfactory response from our investigations,” Telkom said.

“These days, most IT systems are constantly under attack by threat actors, and we always strive to implement proactive measures to combat malicious activities.”

Telkom gave the assurance that it took any suspicious or fraudulent activity seriously, and that its team was investigating this attack vector to determine whether any WASPs had used it to bypass the operator's security measures.

“If we find any evidence of abuse we will act accordingly and have a zero tolerance towards subscription fraud,” Telkom said.

“Protecting our customers is our top priority. If there are any customers impacted by these bad actors we have a clear refund process in place which we will trigger immediately.”

MyBroadband contacted Telkom for an update on its investigation and whether victims of the fraud were refunded, but it did not respond by publication.
