Welcome
Welcome to Payforit Sucks. This site is dedicated to highlighting the security issues with the Payforit system implemented by all of the major UK mobile networks.
What is Payforit?
Payforit is a mobile payment scheme which was originally set up by the four “big” UK mobile network operators, EE, O2, Three and Vodafone. The Mobile Virtual Networks like GiffGaff, Virgin and Tesco are not directly involved but are consulted and share in the profits.
It allows subscribers to purchase goods and services, directly from their mobile phone. Purchases made through Payforit are charged depending on whether the subscriber is on a pre-paid (or “Pay as you go”) plan, or whether they are on a pay-monthly plan.
In the case of a subscriber on a pre-paid plan, the charge will be deducted from the subscriber’s credit or airtime. If the subscriber is on a pay-monthly plan, then the charge will be added to their monthly phone bill.
How does Payforit work?
Payforit provides the facilities to bill mobile users directly through their mobile phone. There are two common methods, single-click billing and Wi-Fi billing.(1)
Single-click billing works only when the subscriber is browsing via their mobile data, and cannot work if the subscriber is using Wi-Fi. With single-click billing, all the subscriber needs to do is simply to click or tap a button, and the charge is immediately made. The phone number is automatically detected over mobile data, which is used for the billing of premium-rate services.
With Wi-Fi billing, things become more complicated. It is not currently possible to detect a subscriber’s mobile phone number through a Wi-Fi connection (unless it’s a “personal hotspot”, or mobile broadband connection, in which single-click billing applies instead), so the Payforit system will request the phone number of the subscriber. The subscriber enters their phone number, and a text is sent to that number with a confirmation code. The confirmation code needs to be entered into the Payforit system, in order to authorise the charge.
So what’s the problem?
Briefly, when browsing or using Apps on a 4G network, this ‘service’ is capable of passing your phone number to a rogue trader and then allowing them to take money directly out of your phone account. Many consumers are unaware that this can happen and are shocked when they become the victim of one of these scams.
Payforit can be abused by scammers, especially in the single-click scenario, mentioned above. The single-click billing method requires no “real” authorization, other than clicking a link or a button in a web page, whereas the Wi-Fi billing method requires the user to receive a text message, and enter information from that message into a website.
Scammers have found various ways of getting consumers to click on these links. A popular one is to create a pop up box. When you click the X to close the box, you are deemed to have signed up to a subscription costing up to £4.50 per week.
It is also very easy to simulate a user clicking or tapping a button using Javascript. Javascript is client-side (meaning that it runs on your device) code used widely on the internet to provide interactivity with websites. Payforit can’t tell whether a user willingly clicked or tapped a button, or whether it was done with Javascript code, without the user’s consent. In both cases it will pass the consumer’s phone number to the website and allow them to make charges against it. (2)
Some recent scams have used Apps downloaded from Google Play which contain malicious code which performs a sign up on your behalf. It is impossible to tell from the permissions requested by the App that there is a problem, as all that is required to sign you up is internet access through a mobile network. (3)
Let’s be clear about this, Payforit in itself is not a scam, but it does aid and abet scams and over recent years has been proven to be insecure.
References
- Full rules of the Payforit scheme
- Adjudication from PSA showing use of Javascript exploits
- Article on rogue Apps in Google Play Store
