The Payforit system depends on Accredited Payment Intermediaries (APIs). These are companies which are “trusted” by the networks to put financial transactions through their payment systems. A cynic would say that these companies are entirely unnecessary, as the networks could do this themselves. However, they perform the vital function of distancing the networks from the dodgy Level 2 providers that operate many of the scams.
The networks can claim that they only work with “trusted third parties”. These “trusted partners” are at least outwardly respectable. They include
- Imimobile (Tap2Bill)
Until recently, the APIs also included Veoo. However, in 2019 this company was found to be operating fraudulently by the Phone-paid Services Authority and has been banned and fined £800,000. They made the mistake of getting caught – other APIs tend to be more careful.
The seemingly respectable APIs contract with “service providers” who provide the “services” which generate complaints. These service providers can be based anywhere in the world (Cyprus, the UAE and Belize, for example), where consumers are unable to take legal action to recover fraudulently taken funds.
A whistleblower’s account
The text below is taken verbatim from an account provided by someone who worked for one of the Level 1 providers. Some details have been redacted to protect the identity of the informant. For a period, Payforit was the biggest issue, but that is now changing as the Payforit branding was discontinued in December 2019. It has come to our attention that Three are still using the MSISDN passthrough, which was the most serious vulnerability of Payforit. Effectively, all the problems of the Payforit system continue; only the name has gone.
We spoke briefly on Facebook a few days ago.
As I said I worked for an aggregator for Payforit and premium SMS called xxxxxxxxxxx – for NDA reasons please refrain from using my name on the website 🙂
I joined as a technical support specialist in 2015. I’d had absolutely no exposure to this sector before, so I was unaware of the dishonesty and how unethical it is.
I cannot remember off the top of my head exactly what the split is for the networks (Vodafone, EE, etc.) in terms of PSMS/PFI, but I can go through my old emails and see if I can find out. I honestly think it’s a negotiated split between aggregator, network and customer.
What I wanted to share is my experience there. As I said, I joined as a tech support advisor. There are essentially 2 types of business that go through aggregators, and I’ll try my best to walk you through it, although keep in mind this story is over 3 years old, so some details might have changed, but it is an accurate description of what I witnessed at the time.
1- Premium SMS
In an ideal world you actually pay for a service, but what happens is that a potential customer gets their hands on, let’s say, 100,000 phone numbers (how they get them is unknown to me). They then use a technology (through the aggregator) called HLR; that technology allows the aggregator to ping these numbers and get data on them, like what their network is, whether it is pay as you go or contract, and whether the number is active or not.
Bulk and Premium
This list then gets filtered by the customer and, again through the aggregator, the active numbers get sent a bulk message offering the supposed premium service. Usually it’s something along the lines of “Text WIN back to NUMBER to win an iPhone”. The victim then texts the premium number to win said iPhone and poof, you’re in for £4.50 a week. Mind you, there is an iPhone/prize usually at the end of every month, but it is 1 prize, and if you think about it, the price of it is usually nothing compared to the profit the “Customer” is making. In this particular type (of what I’d refer to as a scam despite being legal) the clear earnings per customer can run up to £100k per month per customer, sometimes even more, depending on how much bulk SMS they send and so on. Also mind you that the end users (poor buggers who get scammed) rarely take notice, and they end up paying 20 quid a month extra on their bill, sometimes for a year on end, without noticing.
The frightening prospect here with these bulk SMS platforms is that, while legally disallowed, you can send the SMS from a name (not a number) that can be anything, for instance DAD or HMRC. While xxxxxxxxx, to my knowledge, kept a tight rule on this, I don’t know about other aggregators.
The earnings for the “Customers” are then held for a period by the aggregator (not sure how long, as I didn’t work with finance), but from what I remember in the vicinity of a month to 2 months. Once this clears, the earnings then go to the customers’ banks. The reason for this is for the aggregator to pay back any potential refunds that might happen in that period. Also, if the promotion gets suspended or closed by the regulators, the aggregator pretty much keeps the money minus any refunds.
The refund process is initiated when the end user requests it TWICE. On the first request they get an automated reply via email or text that explains the charges to an extent; on the 2nd request they get offered a partial refund, and if they keep chasing they will get a full refund. They will also get a full refund if the network is the party that requests an investigation. Some aggregators prefer paying back via PayPal to the end user’s phone number. The reason for this is that it’s less in transfer fees, and most end users (who are usually either elderly or do not speak English very well) do not have PayPal accounts. The ironic part is that PayPal sends a text saying “You have a transaction waiting from so and so”, at which point the end user goes “Naaah, that’s another scam” and doesn’t actually claim their refund. Once the refund is not claimed in a month or so, it goes back to the aggregator.
The lucky few who ask for a cheque would be fine.
The conclusion here is that while PSMS is being used to scam people, it still requires the end user to actively “Subscribe” to the service.
And now to the main event. Payforit is by far the worst of the worst, due to a few reasons:
1- If you’re connected to the internet through your 3G/4G, you do NOT need to put in your phone number to subscribe; it gets it directly for you.
2- When it first came out, you could have pressed the “Subscribe” button once and done. They’ve changed that to 2 clicks: essentially one telling you how much you’re paying and then one to confirm the subscription.
3- It is completely manipulable by the “Customer” (or it was at the time I was in this business). I will try to demonstrate how in a few images below.
So the ideal workflow is: an end user is surfing Facebook or the internet; they see a supposed product that they would like to purchase; they press the Payforit purchase button, confirm, and voilà, you’re done (be that a one-off or a subscription). The regulations are that both messages in the Payforit API window have to be clear and advise the end user what they are paying for and how much they are paying.
This is where it gets dodgy with some customers (to be fair, I never saw that particular behaviour from a xxxxxxxxxxx customer without the customer being warned and/or their promotion taken offline). Below is the ideal PFI window (as seen on the Three website):
1- What you’re paying for and its price
2- Confirmation that you wish to subscribe or pay
3- Success/fail message
Now I’m not sure how technical you are, and I’ll try to keep it simple and give a layman’s-terms example.
While this window is operated by Payforit, the actual window can be hosted as an iframe inside another website. This means the 3 buttons above and the messages can be MASKED by other images that, in 1, say “Get it now” instead of “Buy now for £4”, which means the end user has no idea they’re actually paying anything.
Then in 2, instead of “Confirm this charge to your mobile”, it can just as easily have a masked image saying just “Confirm”.
And in 3, it can completely cover the “Payment received” and “You’ve paid £4” messages, and the smaller message below, to just say “Success”.
Now Payforit, the aggregators, the regulators and the networks usually stop any promotion that does that as soon as it is reported, but the compliance guys in aggregators can’t keep track of every single promotion. Mind you, the window itself is just code that can pretty much be posted in a different web page than the one the aggregator checks every month for the “compliance and due diligence” process.
In simpler terms, it’s like you having a TV:
– Payforit being the programming on the TV – clear and legal
– you – being the customer – can simply put a sticker on a part of the screen to hide or change the text in the area you don’t want the people watching the TV (the end users) to see
– now Payforit (the TV channel) doesn’t know, and cannot really track, that you put a sticker on your TV unless a watcher (end user) tells them.
This is essentially the easiest example I can give you in layman’s terms.
So yeah, this is what I can remember off the top of my head about this nasty business. In conclusion, I want to tell you that aggregators KNOW that their customers are dodgy, but as long as they walk the “fine line” of legality, the aggregators don’t mind; they are making a TON of money out of it, and the aggregator I worked for is small fish compared to other names in the market. I have seen figures in the hundreds of thousands going to 1 customer every month. The aggregators, as I said previously, keep the money for a while to deal with potential refunds etc., but I can honestly tell you that 90% of the customers for those aggregators are dodgy, thieving people. They prey on the older folk and those who cannot speak English very well, and – I’m a foreigner myself living in the UK – I am disgusted to tell you that most of these “Customers” are not British.
That’s pretty much my take on it. If you need more information, just ask me here or on Facebook and I’ll see if I can dig up any more information (because I kept emails) from then.
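The “sticker on the screen” abuse described in the account above is the classic clickjacking (UI redress) pattern: a payment window embedded in someone else’s page with misleading images laid over its buttons. As an added illustration, not code from the page, from Payforit or from any API, the Node.js snippet below shows the two standard anti-framing headers a hosted payment window can send so that only vetted merchant origins may embed it, plus the check a compliance reviewer could run over a window’s response headers to tell whether an arbitrary third-party site could frame it. Function names and the merchant origin are assumptions of mine.

```javascript
// Added defensive example: anti-framing controls for a hosted payment window.
// Function names are illustrative; nothing here is Payforit's or an API's code.

// Headers the payment window's origin should send. With no vetted merchant
// origins, both headers forbid framing outright; otherwise frame-ancestors
// lists the vetted origins (X-Frame-Options cannot express a list, so it is
// omitted in that case and modern browsers honour the CSP directive).
function paymentWindowHeaders(vettedOrigins = []) {
  if (vettedOrigins.length === 0) {
    return {
      'X-Frame-Options': 'DENY',
      'Content-Security-Policy': "frame-ancestors 'none'",
    };
  }
  return {
    'Content-Security-Policy': `frame-ancestors 'self' ${vettedOrigins.join(' ')}`,
  };
}

// Given a response header map (names compared case-insensitively), decide
// whether a browser would let an arbitrary third-party page embed the document
// in an iframe. CSP frame-ancestors wins when present; X-Frame-Options is the
// fallback; no header at all means "frameable by anyone".
function frameableByThirdParty(headers) {
  const h = {};
  for (const [name, value] of Object.entries(headers)) {
    h[name.toLowerCase()] = String(value);
  }
  const csp = h['content-security-policy'] || '';
  const match = csp.match(/(?:^|;)\s*frame-ancestors\s+([^;]+)/i);
  if (match) {
    const sources = match[1].trim().split(/\s+/);
    // '*' or a bare scheme source (e.g. https:) opens the window to any origin;
    // 'none', 'self' and explicit host sources do not.
    return sources.some((s) => s === '*' || /^[a-z][a-z0-9+.-]*:$/i.test(s));
  }
  const xfo = (h['x-frame-options'] || '').trim().toUpperCase();
  return !(xfo === 'DENY' || xfo === 'SAMEORIGIN');
}

// Client-side fallback for browsers that ignore both headers: report whether
// this document is running inside a frame. `win` is injected (normally
// `window`) so the check can be exercised outside a browser.
function isFramed(win) {
  try {
    return win.top !== win.self;
  } catch (err) {
    // Reading window.top across origins throws; that only happens when framed.
    return true;
  }
}
```

Run `frameableByThirdParty` over the headers of a live payment window (for example from `curl -I`); a `true` result means the window can be embedded and masked by any page, which is exactly the condition the account above relies on.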