Thread: Security hole used to deduct money from random cell phones

  1. #1 donn_edwards

    I am writing to warn people about a shocking security hole that has allowed a local WASP to randomly deduct money from my cell phone account without my permission. What's worse is that these arrogant knuckleheads refuse to even admit there is a problem, in spite of the fact that R70 was deducted from my phone account in a single month, and I only discovered the problem when my airtime ran out.

    What's worse is that even if you send a "STOP" message, the initial amount is still deducted because they "know" that "your" number requested premium content from their system, so why should they refund it?

    Here's how it works: If you go to the following URL from your phone, and click on the sign up button, they will deduct R14 from your phone account every 3 days. That's around R140 per month for basically nothing. If you do the same thing from your PC browser, you get an error message.
    http://mobilewap1.oit.co.za/?c=206

    The reason for this is that the server gets your cell phone number behind your back without your permission. This is called the MSISDN number, and mobile phones on the GSM network seem to be happy to give out this information to any web site that knows how to ask.

    What they are supposed to do, in terms of the WASPA code of conduct, is send a message to your phone asking you to confirm that you wish to subscribe. After all, R14 is not a trivial sum. They don't. They are so confident that they already "know" it's your phone that they leave out this step. Now for the scary part:

    Add in an extra bit from a PC browser and you can fool the server into believing it has already detected your MSISDN
    http://mobilewap1.oit.co.za/?c=206&msisdn=27841942222
    In this case the number is 084-194-2222 with the country code 27 at the front. It's a call centre for the company performing this ripoff. Of course you could also use their fax number (27.86.525.7845) and they'd be none the wiser.

    Worse still, there is little or no number checking, so you can add random digits on the end to create multiple subscriptions on the same number. Also, landline numbers are not excluded, so a number like 27114613294 (which is out of service) can be used. I have no idea whether they can actually deduct money from land line numbers, but I wouldn't be surprised if they tried.

    What happens next is that a page is displayed which allows you to subscribe this number to the "service", or if it has already been subscribed, you can view the "goods" on offer, in this case a few crappy GIF files that no one in their right mind would pay R14 for. Such are the joys of the mobile phone industry.

    Even more disturbing is that the SMS message that would allow the subscriber to "STOP" the subscription (after the R14 is already deducted) is sent to an out of order land line, making it difficult to unsubscribe, or even be aware of the subscription in the first place.

    Doing this kind of thing from a PC browser would lead them to discover your IP address and send you nasty letters, so don't do it! However, I also happened to stumble upon the Opera Mini browser, at
    http://www.opera.com/mobile/demo/
    This obscures your IP address and allows you to see how the phone would behave.

    So now a hacker could type in the URL into the mobile demo, make up a cell phone or land line number, and subscribe that unsuspecting person to a "service" that costs R14 every 3 days until stopped. You could do it to your boss, or your husband's mistress, or anyone else you don't like. Or you could use it to rob some poor pay-as-you-go subscriber of his/her precious airtime that he/she can barely afford in the first place. Did I mention the "service provider" is a UK company with a post box in Hong Kong?

    The "206" part of the URL is the one that caught me, but there are plenty of other valid numbers that work as well. All I can say is that most of the screen backgrounds and "videos" are pathetic, and certainly not worth the money.

    Not only is this totally wrong and unfair, but it clearly goes against what the WASPA Code of Conduct requires. I have complained to WASPA and the UK bunch have tried to discredit me and say that I'm a liar, and that there is nothing wrong with their method or their system. I can only hope that by bringing it to the attention of the wider IT community we can pressure the company to mend their ways and fix their system.

    The UK company is Morvec, offering a service called "Go Go Mobile". The local billing company is Opera Interactive and/or OxyGen8. This saga has been going on since the end of May and I'm now gatvol.
    Donn Edwards
    Security Now! listener
    So We’re In Agreement Maxim: If you’re happy with your security, so are the bad guys.
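    The flaw described in this post (and returned to in #13, where the same MSISDN, handset and IP data are called "spoofable") comes down to one design decision: the server bills whatever number it is told, whether that number arrives in a gateway header or in a `?msisdn=` query parameter anybody can type, and it never asks the handset to confirm. The following Python simulation is an added example, not code from the thread or from any of the companies named in it. It places the trusting sign-up handler beside a hardened one that accepts an MSISDN only from an assumed carrier gateway address, only via an assumed header name, only if it is a well-formed South African mobile number (the prefix table is a simplifying assumption), and charges nothing until a confirmation SMS sent to that handset is answered. The request objects and numbers it runs on are constructed for the example; the numbers are the ones quoted in the post.

```python
"""Simulated WAP sign-up flow: the "bill whatever claims to be the MSISDN"
behaviour the thread describes, beside a hardened double-opt-in version.
Constructed example; gateway address, header name and prefix table are
assumptions, not facts about any real operator."""
import re
import secrets
from dataclasses import dataclass, field

# Assumption: the carrier's WAP gateway sits at this address and asserts the
# subscriber's number in this header.  Real gateways use various header
# names; both values here are placeholders.
TRUSTED_GATEWAYS = {"10.0.0.1"}
MSISDN_HEADER = "x-msisdn"

# Assumption (simplified): a South African mobile number is 27 followed by
# 9 digits in the 06x, 07x or 081-084 ranges.  086 (shared cost / fax) and
# 011 (Johannesburg landline) therefore do not match, nor do numbers with
# extra digits appended.
SA_MOBILE = re.compile(r"27(6\d|7\d|8[1-4])\d{7}")


@dataclass
class Request:
    remote_addr: str   # peer address as seen by the web server
    headers: dict      # lower-cased header names
    query: dict        # parsed query string


def vulnerable_resolve_msisdn(req: Request):
    """The flaw: a ?msisdn= parameter from any client overrides the gateway
    header, and whatever comes back is never validated."""
    return req.query.get("msisdn") or req.headers.get(MSISDN_HEADER)


def valid_sa_mobile(msisdn) -> bool:
    return bool(msisdn) and SA_MOBILE.fullmatch(msisdn) is not None


def hardened_resolve_msisdn(req: Request):
    """Only the gateway may assert a number, only via the header, and only a
    well-formed mobile number is accepted.  Everyone else is anonymous."""
    if req.remote_addr not in TRUSTED_GATEWAYS:
        return None
    msisdn = req.headers.get(MSISDN_HEADER)
    return msisdn if valid_sa_mobile(msisdn) else None


@dataclass
class SubscriptionService:
    pending: dict = field(default_factory=dict)       # msisdn -> token
    active: set = field(default_factory=set)
    charges: list = field(default_factory=list)       # (msisdn, rand)
    outbound_sms: list = field(default_factory=list)  # (msisdn, text)

    def signup_vulnerable(self, req: Request):
        """Subscribe and bill on the strength of an unverified number."""
        msisdn = vulnerable_resolve_msisdn(req)
        self.active.add(msisdn)
        self.charges.append((msisdn, 14))
        return msisdn

    def signup_hardened(self, req: Request):
        """Step 1 of double opt-in: record intent, SMS the handset, charge
        nothing yet.  Returns the confirmation token, or None if refused."""
        msisdn = hardened_resolve_msisdn(req)
        if msisdn is None or msisdn in self.active:
            return None
        token = secrets.token_hex(4)
        self.pending[msisdn] = token
        self.outbound_sms.append(
            (msisdn, f"Reply YES {token} to join at R14 every 3 days"))
        return token

    def confirm_hardened(self, msisdn: str, token: str) -> bool:
        """Step 2: only a reply carrying the token sent to that number
        activates the subscription and triggers the first charge."""
        expected = self.pending.get(msisdn)
        if expected is None or not secrets.compare_digest(expected, token):
            return False
        del self.pending[msisdn]
        self.active.add(msisdn)
        self.charges.append((msisdn, 14))
        return True


def demo():
    """Run both flows on constructed requests.  Returns the charge lists of
    the vulnerable and the hardened service."""
    # A PC on the public internet supplying the call-centre number by hand.
    forged = Request("203.0.113.9", {}, {"c": "206", "msisdn": "27841942222"})
    # The same number asserted by the (assumed) gateway on the handset's behalf.
    genuine = Request("10.0.0.1", {MSISDN_HEADER: "27841942222"}, {"c": "206"})
    bad, good = SubscriptionService(), SubscriptionService()
    bad.signup_vulnerable(forged)          # billed with no confirmation at all
    good.signup_hardened(forged)           # refused: not from the gateway
    token = good.signup_hardened(genuine)  # SMS goes to the real handset
    good.confirm_hardened("27841942222", token)
    return bad.charges, good.charges


if __name__ == "__main__":
    print(demo())
```

    Two things the hardened path relies on are outside this file: the gateway must strip any `x-msisdn` header a client sends itself before adding its own (otherwise the header is as forgeable as the query string), and the web server must see the gateway's real address rather than a spoofable `X-Forwarded-For`. Without both, the source-address check is decoration.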

  2. #2 ab-user

    If I send this via a PC browser, how will they be able to send me nasty letters as my physical address did not go out to them?

  3. #3 fonoi

    Just to clarify, you went to a webpage on your cellphone. You then typed your number in and clicked signup, after you did this you found out it was a load of rubbish and got mad.

    While I understand there may be a loophole to signup for other people, is that what happened to YOU?

  4. #4 D3x!

    Quote Originally Posted by fonoi:
    Just to clarify, you went to a webpage on your cellphone. You then typed your number in and clicked signup, after you did this you found out it was a load of rubbish and got mad.

    While I understand there may be a loophole to signup for other people, is that what happened to YOU?
    I think the point is he didn't confirm his number, it is automatically picked up, at least that is what I gathered

  5. #5

    I have seen something similar to this, some UK company as well. I got a strange SMS with one of these suspicious links. Traced them down to some UK company and they are not listed with WASP so I could not lodge a complaint.

  6. #6 donn_edwards

    Quote Originally Posted by ab-user:
    If I send this via a PC browser, how will they be able to send me nasty letters as my physical address did not go out to them?
    They can get your IP address. This can be traced to your user account.

  7. #7 donn_edwards

    Quote Originally Posted by fonoi:
    Just to clarify, you went to a webpage on your cellphone. You then typed your number in and clicked signup, after you did this you found out it was a load of rubbish and got mad.

    While I understand there may be a loophole to signup for other people, is that what happened to YOU?
    No, I viewed an ad for a different WASP supplier, but on the same server. I did not sign up to anything, and did not supply my number. Next thing I know they have deducted R14 x 2 from my phone account.

    Investigating the matter further (and never signing up to anything) cost me another 3 x R14.

  8. #8 DJ...

    Donn, you have some seriously bad luck hey? The QVC issue (which considering the settlement terms, I assume you will not discuss?), MTN not playing ball regarding the DNC databases and now this. I'm of the opinion that 90% of WASPs out there are under-handed crooks...

  9. #9 ab-user

    Quote Originally Posted by donn_edwards:
    They can get your IP address. This can be traced to your user account.
    And on what legal grounds will my ISP provide my contact details to them?
    PS: Being annoying is not legal grounds to divulge subscriber details

  10. #10 ToxicBunny

    I have to admit this little gif could be quite useful


  11. #11

    Quote Originally Posted by fonoi:
    Just to clarify, you went to a webpage on your cellphone. You then typed your number in and clicked signup, ...
    Read the OP !

  12. #12 donn_edwards

    Quote Originally Posted by DJ...:
    Donn, you have some seriously bad luck hey? The QVC issue (which considering the settlement terms, I assume you will not discuss?), MTN not playing ball regarding the DNC databases and now this. I'm of the opinion that 90% of WASPs out there are under-handed crooks...
    Surprisingly, the QVC settlement was quite amicable, once we actually met and could talk face to face without the interference of a bolshy lawyer who tried to stir things up so he could earn more fees. They have kept their side of the deal and I'm happy to keep mine, which was an undertaking not to write any more blog articles about them. Fortunately I haven't needed to.

    I have been trying to get MTN (and I'm sure they're not the only ones, but they happen to be the one I use) to put the interests of their customers ahead of the interests of making a quick buck, but it isn't easy. They are a lot better than they were. But these WASPs are frankly a pain in the butt. There is no global "unsubscribe" list, and if you unsubscribe today there is no guarantee they won't subscribe you again tomorrow. It sucks.

    Now I discover that anyone with a browser can subscribe anyone else to one of these "premium content" (pardon me while I throw up) services, and the only thing the consumer can do in self-defence is to unsubscribe! That's assuming they actually get the SMS telling them they have been subscribed. In my case there were no "welcome" messages at all - I discovered I had been billed when my airtime ran out.

    Their response is woefully inadequate: "we have unsubscribed you" and a refund. No admission that anything is actually wrong with their server, and the assertion that I really did sign up for this blasted rubbish, even though they can provide no proof. That's a bit like saying that every rape victim "asked for it".

    If anyone really thinks that I voluntarily signed up for one of these services, please send me your cell number and I will gladly disabuse you of this idea.

  13. #13 donn_edwards

    Quote Originally Posted by ab-user:
    And on what legal grounds will my ISP provide my contact details to them?
    PS: Being annoying is not legal grounds to divulge subscriber details
    They can accuse you of a violation of your ISP terms of service: hacking, etc. That's enough to get your ISP to send you a warning and/or terminate your subscription. If they think you are doing this to hundreds of people they may be able to claim you are spamming.

    These servers claim to know your cell no, your phone model and your IP address. They try to use this spoofable information to prove that "you" subscribed to their service, even when you didn't. It's a big admin hassle that you want to avoid just to protect your airtime. Since they used up 90% of my remaining airtime in 4 days, I decided it was worth the hassle to kick up a fuss.

    I'm not suggesting anyone actually *hack* their system, but be warned that your cell phone is not private or anonymous on the internet. Much less so than the average PC.

  14. #14 Scooby_Doo

    Quote Originally Posted by donn_edwards:
    They can accuse you of a violation of your ISP terms of service: hacking, etc. That's enough to get your ISP to send you a warning and/or terminate your subscription. If they think you are doing this to hundreds of people they may be able to claim you are spamming.

    These servers claim to know your cell no, your phone model and your IP address. They try to use this spoofable information to prove that "you" subscribed to their service, even when you didn't. It's a big admin hassle that you want to avoid just to protect your airtime. Since they used up 90% of my remaining airtime in 4 days, I decided it was worth the hassle to kick up a fuss.

    I'm not suggesting anyone actually *hack* their system, but be warned that your cell phone is not private or anonymous on the internet. Much less so than the average PC.
    Lol, no they won't.

  15. #15

    I've got an old prepaid simcard lying around. So the OP claims that by clicking on the 2nd link he posted (substituting my MSISDN with the one in the link) I can subscribe anyone? I think it's worth a try. Don't mind cutting up the simcard afterwards.

    So I did this on my pc and I get the signup page:
    "Welcome to Go Go Mobile, Africas Number 1 mobile Site This is a subscription service charged at R14 every 3 days, Download as much content as you want for no extra cost, all this for R14 every 3 days!! For Help call 0800 992230 or email [email protected].
    CLICK HERE TO JOIN NOW
    Network Charges may apply when using this service. By clicking below you confirm that you are over 18, and you are joining the cellmates service
    Go Go Mobile have requested that your mobile number be made available
    By clicking JOIN NOW you agree that you are subscribing to Go Go Mobile"

    Ok, so I clicked on signup and get 5 downloadable links, an unsubscribe link and also a terms and conditions link. No airtime deducted so far.
