Cellular21.11.2013

Secret method of stealing your airtime?

SIM swap

Industry players have raised the alarm that MSISDN pass-through – which allows visitors’ MSISDN to be recorded when they visit a mobile site – may be behind a spate of unauthorised billing of South African cellular users. Mobile operators, however, say this is not the case.

Many mobile users in South Africa have complained that Wireless Application Service Providers (Wasps) are billing their accounts (SIMs) without their permission.

These users claim that they never subscribed to a paid SMS service, and definitely did not receive a double opt-in message to confirm their subscription.

This raises the question how these WASPs gain access to subscribers’ mobile numbers and bill them without following double opt-in rules.

According to well-placed industry players, who asked not to be named, some WASPs are recording the details of visitors to their mobile websites.

This mobile information is then used to subscribe people to their paid services – often without their knowledge. Billing is typically recurring – daily, weekly or monthly.

“I believe MSISDN pass-through was silently turned on for a number of Wasps when double-opt-in was introduced,” said one industry player. “This was probably to compensate them – and the network – for loss of revenue.”

According to the industry source the Wasps were allowed to bill SIMs based on a subscriber clicking on website buttons, without any SMS dialogue taking place.

“Subscribers are typically unaware that they are being billed, and have not explicitly given consent for this subscription service,” he said.

MSISDN pass-through – the bigger story

According to the industry player, the bigger problem is that MSISDN pass-through is fallible, and that MSISDN swapping occurs periodically.

When MSISDN swapping occurs, the wrong MSISDN information is passed via the Wap gateway. The wrong person (SIM) is then subscribed to paid SMS services.

“MSISDN swapping not isolated, it’s endemic,” he said. “We had 10 cases in the past week – most of which occurred in machine 2 machine SIMs”.

Vodacom responds

MyBroadband received information that some machine-to-machine SIMs have been billed for Vlive services.

Vodacom said that Vodacom disabled MSISDN forwarding almost 2 years ago. “The only way to subscribe via any one of the carriers (e.g. SMS, WAP, USSD) is to complete a double opt-in process,” Vodacom spokesman Richard Boorman said.

To sign up for WAP services via mobile, said Boorman, the customer has to enter their mobile number into the WAP gateway for the WASP.

“We then check that against the MSISDN of the phone being used to make sure that nobody is able to randomly sign someone else up for services. If the two numbers don’t match then the subscription process stops,” Vodacom said.

Boorman added that they are not aware of problems related to MSISDN swapping, but will be happy to investigate it if they are provided details about this.

Telkom Mobile

Telkom Mobile said that it currently only allows MSISDN pass-through for their self service portal.

“All WASPs that want to charge any customer have to go through the Double Opt In (DOI) process,” said Telkom Mobile.

Telkom Mobile said its call centre has access to a system to manage and monitor all these DOI transactions.

“Customers can contact the call center to cancel their subscription at any time and it will be automatically cancelled. The customer will receive an SMS notification to confirm the subscription has been cancelled,” said Telkom Mobile.

MTN, Cell C mum on unauthorised billing, MSISDN pass-through

MTN, Cell C and Telkom Mobile were asked about potential unauthorised billing through MSISDN forwarding and MSISDN swapping.

  • Cell C – no comment
  • MTN – no comment

It is therefore not clear whether MTN and Cell C subscribers are vulnerable to this unauthorised billing.

It is also not clear if it is possible for subscribers to protect themselves against unauthorised billing from WASPs through these channels.

More on WASP billing

Your airtime stolen, and all you can do is complain

Massive fight to get R7-a-day money back

R5-a-day cell service nailed

How “SMS spammers” get your number

Show comments

Latest news

More news

Trending news

Sign up to the MyBroadband newsletter