Cell number recycling headache in South Africa

Mobile number recycling and SMS store-and-forward mechanisms can result in a nasty shock for South African cellular customers, as a MyBroadband reader recently experienced.

The subscriber informed us of their experience where they signed up for MTN’s Shesh@600 product and started receiving SMS messages stating they’d signed up for various daily subscriptions.

They initially suspected something reminiscent of the Telkom vulnerability in 2023 that enabled wireless application service providers (WASPs) to subscribe customers without their knowledge.

Fortunately, it turned out to be a false alarm. MTN explained that the customer had merely received SMS messages that had been sent to the number before it was recycled, but were never delivered.

Subscriptions are cancelled when a number is recycled to prevent its new owner from being billed for services they did not sign up for.

The reader said they had signed up for MTN’s Shesh@600 product for R399 per month, using the mobile operator’s telephonic channels to subscribe.

They received the router and SIM on 24 June 2025, but had to wait for the SIM to be activated before setting everything up.

He explained that he got the router and connection working on 25 June 2025. He then spotted an unexpected text message when navigating the router’s settings.

“Y’ello. Thank you for subscribing to MYMINIMALIST at R3.00/day or lesser amount,” the message read.

The message also included various links and contact numbers to manage such subscriptions. According to the customer, they never signed up for any premium subscription.

They then used MTN’s *123# USSD code to cancel the service and block all third-party subscriptions. The response from the USSD command was that all subscriptions were already blocked.

On 26 June, they checked the messages on the router again and spotted another SMS thanking them for subscribing to “JustSoccer” at “R3.00/day or lesser amount.”

MTN SA told MyBroadband that it investigated the customer’s MSISDN and could confirm that no active content service subscriptions were associated with their number on its systems.

It contacted the third-party service provider for further verification, and their findings showed that the MSISDN is a recycled number that was previously subscribed to certain services.

“All those services have since expired or been terminated,” MTN SA said.

“Any messages received were related to historic subscriptions previously linked to the number. These services have no connection to the Shesh@600 product.”

It added that no new subscriptions have been added to the customer’s number, and no billing for said services had been processed.

Therefore, the subscription messages the customer spotted result from the SMS store-and-forward mechanism.

SMS store-and-forward enables text messages to be temporarily stored by a messaging centre, before being delivered to the recipient’s device.

This enables messages to be delivered after a recipient’s device comes back online or becomes reachable after being switched off or disconnected from the network.

Telkom vulnerability allowed dodgy R3-per-day subscriptions

In 2023, a MyBroadband reader on Telkom Mobile discovered that he had been subscribed to a WASP while browsing the Internet, prompting him to investigate the issue.

He identified that malicious actors bought advertising space on websites that provided access to pirated and other prohibited content. He said the ads were running code targeting South Africans.

Upon detecting a Telkom subscriber, the ads secretly load a Telkom URL in the background, subscribing the customer to scam content providers.

The URL resembles the network operator’s WASP double opt-in system application programming interface (API).

The URL was also susceptible to cross-site scripting, enabling attackers to run their code in the background to subscribe WASPs without user interaction.

Telkom immediately shut down the offending API while it investigated the incident. It explained that, through a partner, two independent anti-fraud providers checked each subscription consent step.

“This is in order to protect our systems against malicious attacks. These providers are specialists in the area and help us to monitor, analyse and block any suspicious incoming traffic,” said Telkom.

The company assured that if it found any evidence of abuse, it will act accordingly.

“We have a zero tolerance towards subscription fraud,” Telkom said.

“Protecting our customers is our top priority. If there are any customers impacted by these bad actors we have a clear refund process in place which we will trigger immediately.”