Stop Payforit Fraud
Response to PSA Consultation on Business Plan 2018/19
I am writing this response because these consultations tend to get many responses from the industry and few or none from the consumers that PSA are supposed to be protecting.
I have begun to campaign for reform of direct carrier billing in the UK after a member of my family was the victim of fraud via ‘Payforit’. She was signed up, without her consent, to a subscription service costing £4.50 per week. I was able to cap her losses at £4.50 by sending a STOP message within three hours of the initial subscription message. However, the battle to get the £4.50 returned took eight weeks, twelve telephone calls, 17 emails, two ‘signed for’ letters and the threat of legal action. My battle to get an explanation of how she came to be subscribed is ongoing.
The timescales and difficulty I experienced in complaining are completely in conflict with para 2.6 of the Code of Conduct, and I am not alone in experiencing these difficulties. The failure to deal with complaints in a timely manner should be sufficient to enable the regulator to suspend the offending company’s ‘services’.
I was astonished at the lack of any form of consumer protection against these frauds and at the lack of cooperation or concern from the network, the level 1 provider and the regulator.
A look through the user forums of the major networks will leave nobody in any doubt that there is a serious problem with fraudulent subscription services. Hardly a day goes by without a consumer claiming that they have been signed up, without consent, to a subscription service costing £4.50 per week (or occasionally less). I refuse to believe that all these people are lying or stupid!
Payforit is an archaic and inherently insecure payment mechanism. It has not adapted to reduce the incidence of fraud as other payment mechanisms have. It doesn’t have a centralised service for complaints and disputes. It doesn’t have a refund mechanism. PSA are well aware of these shortcomings, but do nothing to encourage reform. They know that malicious code in a web page, or in a downloaded App can sign users up to these services, without the consumer being aware that it has happened. They have been aware of the use of these exploits for several years, but nothing has been done to prevent them. They sit on their hands instead of being proactive in bringing these frauds to a halt.
Consumers are becoming increasingly aware of the fraudulent use of direct billing and are coming to regard the industry as a bit like the ‘Wild West’ with an ineffective and reluctant sheriff in the form of PSA.
Q1 – Do our plans for 2018/19 sufficiently deliver our role as a regulator?
Most consumers are unaware of the role of PSA and only become aware when they have a problem with a ‘service’. Even the industry doesn’t seem to understand the regulator’s role. One of the major networks still refers defrauded customers to PSA ‘to get a refund’, implying that PSA would deal with their individual complaint.
Those consumers who refer issues to the regulator are frequently dissatisfied. Facebook reviews show a predominance of 1 star reviews from consumers dissatisfied with the service PSA has provided. Some of this dissatisfaction stems from a misunderstanding of PSA’s role. However, there is nothing more galling for a complainant, weeks after reporting a ‘service’, than to find that ‘service’ is still defrauding consumers. I see little prospect of improvement while the PSA exhibits such complacency. The regulator needs to engage more with the consumers it is supposed to be protecting.
Consumers will compare the consumer protection offered by phone paid services with those of other payment methods (Paypal, Contactless Payments, Direct Debits, Credit Cards, Debit Cards etc). The providers of all these payment methods provide clear mechanisms for the resolution of disputed transactions. Payforit and other direct operator billing methods offer no clearly defined or published mechanism for the resolution of disputes.
Obtaining a refund for losses due to fraud is rarely possible due to the nature of the ‘service providers’ who hide behind an automated phone number, an email address which is never replied to, and an accommodation address shared with dozens of other companies. Most consumers admit defeat and write off their losses.
If I dispute a direct debit with my bank, the burden of proof will rest on the payee to prove that the debit was authorised and not with the payer to prove that it wasn’t! If I report fraudulent transactions to my bank, they will take the matter seriously and put a stop on any further fraudulent payments. The MNOs don’t even offer this minimal level of support. Instead, they ask the consumer to send a message to the fraudster asking them to STOP. To add insult to injury, they are charged for sending this message!
Payforit expects the consumer to negotiate directly with the originator of the charge. What is worse is that, if the recipient of the payment fails to respond, there is no process to follow to resolve the issue. In the absence of a defined process, these uncooperative companies continue to trade for months, until the volume of complaints is such that PSA cannot ignore them.
It is not the role of PSA to adjudicate on individual disputes. However, it could insist on the introduction of a mechanism by which consumers can receive swift refunds when they are defrauded by rogue companies. Much of this could be automated, as it is with other payment mechanisms.
The problem is not that fraud happens. It will happen to some extent with any payment system regardless of the security and authentication measures put in place. Fraudsters are continually refining their methods and finding new ones. Most payment systems respond to attempted fraud by putting effort in to fraud prevention, but this has not happened with the arrangements for charging to a phone bill.
The problem is the lack of any defined process for the consumer to resolve their complaint (within a reasonable timescale) and obtain a refund if one is adjudged to be appropriate. Current arrangements would appear to be in breach of the Consumer Rights Act 2015 as it applies to digital services, in terms of methods and timescales for dealing with consumer complaints, and in terms of the refund process.
Looking at Tribunal Cases in the 2017 calendar year, of 18 cases, no less than 8 related to subscription services priced at £4.50 per week or less. A further 7 related to non-compliance with sanctions. In most of these 7 cases, the initial breach resulted from a similar subscription service. Surely money and time could be saved by subjecting these ‘services’ to a more rigorous regulatory regime.
Fraudulent subscription services are doing untold harm to the reputation of the industry as a whole.
Q2 – Do you have any comments on the proposed budget for 2018/19?
The priorities here seem to be wrong. If these payment mechanisms want to gain consumer trust, the amount spent on regulation will probably need to increase, at least until the industry is ‘cleaned up’.
From the weak and slow actions of the networks and the regulator, one gets the impression that the MNOs and the regulator are quite content to be complicit in fraud.
Resources need to be deployed to investigate these frauds quickly, as soon as the regulator becomes aware of them. There really is no excuse for fraudulent ‘service providers’ to be allowed to continue plundering consumers’ phone accounts for months before the regulator belatedly acts.
Q3 – Do you have any comments on the proposed levy for 2018/19?
In Appendix A you write:
“Different types of content, goods and services have different consumer satisfaction levels. They operate at different levels of compliance with our Code of Practice, as measured by the consumer queries and complaints we receive, and the monitoring we are able to do”
Would it not be possible to impose different rates of levy on different services, based on the regulatory work they generate? A higher rate of levy on subscription services priced at £4.50 or less, and without a double opt-in, would seem appropriate given the evidently large number of complaints these generate.
Of course, one method of reducing costs would be to require ALL subscription services to have a double opt-in. (This is currently recommended in your guidance, but not mandated). It is clear that your guidance is ignored by some rogue companies which deliberately price their service at £4.50 per week in order to avoid these requirements, knowing that malicious code can then be exploited to obtain ‘consent’ from ‘subscribers’.
It seems unfair that services that create few complaints and are fully compliant with the Code are charged at the same rate as services which continually test the boundaries of the Code and generate significant volumes of work for the regulator.
If the size of the levy is to be reduced, the level of consumer complaints needs to be reduced. Making ‘direct carrier billing’ services ‘opt-in’ rather than ‘opt-out’ would make a massive difference, as many consumers are unaware that third parties can charge their bill in this manner. The GDPR should address this, as companies will need to have explicit and unambiguous consent to pass consumers’ phone numbers to a third party, whether for charging purposes or not. It will no longer be acceptable to hide this consent in the small print. A requirement that consumers opt in to the use of PRS services would increase awareness of these services and make consumers more careful when navigating ‘service providers’ web sites.
PSA need to become more effective at collecting the financial penalties they impose. Fined services should be suspended until the fines and administrative charges are paid. An increased rate of collection of these financial penalties would allow a reduction in the levy on compliant services.
Q4 – What is your view on the estimated size of the market for 2018/19?
Direct payments from ‘phone accounts are competing with an increasing number of other payment processes. Consumers are poorly educated about these services and often, as in my case, only become aware of the potential to charge goods and services to a phone bill when they are the victim of a fraudulent transaction. Consumer confidence is the key to growth, but it has been given a low priority. In my view ‘Payforit’ and other direct to bill payment mechanisms will gain a smaller market share of a growing market. Until the industry takes its responsibilities to consumers more seriously, they will choose to pay by other mechanisms wherever possible. If Direct Carrier Billing is to compete seriously for market share, it will need to implement consumer protection measures and refund mechanisms similar to those of its competitors.
Two major Australian MNOs (Telstra and Optus) have been forced to abandon third party billing for premium rate subscription services after a succession of scams similar to those we have experienced in recent years. Unless the networks stop aiding and abetting these frauds, public opinion will eventually force a similar result in the UK.
Q5 – Do you have any other comments on the Business Plan and Budget 2018/19?
PSA seems to listen to the service providers, but appears out of touch with the concerns of consumers. A consumer panel could help to correct this imbalance. Consultations rarely include any input from consumer organisations. The lack of a clearly defined disputes resolution process puts consumers at a massive disadvantage. PSA has failed to protect consumers adequately thus far and I have little confidence that this will change.
Reading the https://psauthority.org.uk/for-consumers/solutions-centre page of the PSA website one finds this:
I was charged when I clicked on the X symbol to close the site. What do I do? (false X?)
Answer: There should always be a way to exit the page without making a purchase. In some instances you must interact with the site but you should be able to exit the site. In some circumstances, exiting a site may lead you to an advert for another service. If you do not want to exit in this way, enter a different website address in your browser toolbar.
After reading this the consumer comes to the conclusion that ‘anything goes’ in this industry. It doesn’t matter how you trick consumers into clicking on a disguised subscription link. According to you it’s legitimate to disguise the subscribe button as an X (to close a popup!). That is immoral and unethical. I can’t believe that an organisation, supposed to protect consumers, implies, in print, that it thinks this is an acceptable practice.
If the industry is to dispel its ‘Wild West’ image it needs to stop condoning these practices and state, quite simply, that they are fraudulent and wrong. Deceptions of this sort are in conflict with the Code of Conduct. They destroy consumer confidence. PSA would do well to review its guidance to consumers, to avoid the impression that it condones fraudulent practices. It should be encouraging consumers to complain when they encounter these deceptive practices, and taking action against the perpetrators.
PSA needs to be able to be held to account when they fail to act in a timely manner to prevent consumers being defrauded. It seems that the economic survival of offending companies is always put ahead of consumer protection.
By providing a mechanism for third party payments to be taken from consumers’ telephone accounts, the MNOs are setting themselves up as payment processors. I therefore believe it is fundamentally wrong for the MNOs and level 1 providers to be exempted from the requirements of the Payment Services Directive v2 (PSD2). The exemption, however, restricts both the size and type of purchase that can be made via Direct Carrier Billing. If services like Payforit want to be able to handle larger purchases, or be used other than for the purchase of digital content and similar products, they will need to conform to the requirements of PSD2.
In fairness, direct carrier billing services should be subject to the same regulations as the payment services they are competing with. The directive provides additional safeguards to consumers. It reduces their potential losses from fraud, and requires the Service Providers to provide robust, two factor, authentication. The directive also forces Payment Service Providers to provide a proper dispute mechanism. I am disappointed that consumers will be denied the additional protection these safeguards would have afforded them.
Ultimately it is not good enough to say that the MNOs are just providing a payment mechanism. They are responsible for the design and rules of that payment mechanism, agree to provide it to their customers, and profit from it. It is time that the regulator forced them to take their responsibilities seriously and provide support to customers who have been defrauded.
The suggestion that PSA might look at a system whereby consumers might be refunded automatically when a service provider has been found non-compliant is welcome, but does not go far enough. The current system of handling third party payments is unfair to consumers and needs to be changed.
In the event of a disputed transaction, the burden of proof should lie with the recipient of the funds to prove that the payment was taken lawfully and in compliance with the Code. In the absence of such proof (within a specified period, say 3 weeks) the consumer could and should be automatically refunded. At present, many of these ‘service providers’ fail to engage with consumers, on any meaningful level, leaving the consumer with no redress and no refund.
Another issue is that, even if the service provider accepts that a refund should be made, there is no proper mechanism for that to happen. There is a general principle in commerce (embodied in the Consumer Rights Act 2015) that refunds should go to the account from which the original payment was made.
Refunds for transactions made on a credit or debit card are made back to the same card. If a fraudulent payment occurs on my bank account, the refund is made to my bank account. When a Paypal payment is reversed, the refund will go back to the Paypal account from which it was taken.
Why can’t refunded Payforit charges be returned to the account from which they were taken? Why can the refund not be made by the same method and with the same speed and ease as the transaction which is being reversed? We are told that this is ‘technically impossible’. This just goes to show how anachronistic and poorly regulated this payment system is.
The industry is at a turning point. If it continues to turn a blind eye to fraud it will lose consumer confidence, and remain a niche payment system. The alternative is to take steps to prevent abuse of the payment system by fraudsters. Direct carrier billing can compete with other payment services, but only if it can match them, not only for convenience, but for security and consumer protection.
Payforit is not a company, but is the name given to a system of making charges to ‘phone bills. The system is run by the four major networks (O2, Three, Vodafone and EE).
Many consumers are unaware that when they are browsing the internet over a 4G connection, clicking on a link can result in their phone number being passed to a company to be used for charging purposes. This is fundamentally different to what happens when using a WiFi connection, where the consumer would have to knowingly enter their phone number.
The Payforit system assumes that all the companies making charges through it are reputable and will deal with complaints. In reality many of these companies (especially the scammers) are almost impossible to talk to. The helplines are often automated with no option to get a complaint dealt with by a human being.
When a consumer receives a charge on their bill, their first response is to call their network. The network denies all responsibility, saying it is a third party charge. They are told to ask for a refund from the third party which has charged them.
The consumer takes this advice and tries to contact the company on the published helpline number. If they are lucky the helpline will respond with a quick refund. The scammers do this because it enables them to reduce the number of complaints, thereby lengthening the time they are able to operate. If you are unlucky the company will refuse to refund you, or worse still will be impossible to talk to.
At this point the consumer may go back to their network. The network will still not accept responsibility and will refer them to PSA.
The problem with PSA is that it is not an ombudsman or a dispute resolution service. It doesn’t deal with individual complaints.
So the consumer is left with no means of resolution other than the courts. He could go to the small claims court (which will mean he has to shell out more money!). The claim is unlikely to be disputed and he will probably succeed in getting a judgement. The problem then is in getting the judgement satisfied. Most of these companies have a headquarters address which is nothing more than a post office box. There are no assets to track down and there is no property to put a charge on.
Given the huge volume of complaints about these services, an ombudsman service is urgently required.
The regulator is currently consulting on its business plan for 2018/19. The PSA seem to live in a bubble where they are unaware of the scale of consumer dissatisfaction. It is estimated that only about 2% of defrauded consumers take the time to make a complaint. Whilst the regulator lacks effectiveness, they continue to pat themselves on the back for doing a good job!
I am making a submission as an interested consumer and I would urge others to do the same. The regulator needs to understand that there is a serious problem here and that consumers need a reliable method of obtaining a resolution when they dispute a Payforit transaction.
My response to the consultation can be read here.
The closing date for responses is 26th January 2018. Instructions for submitting responses are in section 8 of the consultation document, and are also reproduced below.
8. Consultation Process
8.1. Please structure your consultation response as answers to the following questions:
Q1 – Do our plans for 2018/19 sufficiently deliver our role as a regulator? What else do you think we should be doing or not doing?
Q2 – Do you have any comments on the proposed budget for 2018/19? If you recommend any changes, please clearly identify which areas of activity you expect this to impact upon.
Q3 – Do you have any comments on the proposed levy for 2018/19?
Q4 – What is your view on the estimated size of the market for 2018/19?
Q5 – Do you have any other comments on the Business Plan and Budget 2018/19?
8.2. We plan to publish the outcome of this consultation and to make available all responses received. If you want all, or part, of your submission to remain confidential, please clearly identify where this applies along with your reasons for doing so.
8.3. The closing date for responses is 26 January 2018, which is designed to allow the time necessary to issue notices regarding changes to the levy in good time for the start of the financial year on 1 April 2018.
8.4. Where possible, comments should be submitted in writing and sent by email to: firstname.lastname@example.org
Copies may also be sent by mail to:
Director of Corporate Services and Operations
Phone-paid Services Authority
25th Floor, 40 Bank Street
London E14 5NR
Tel: 020 7940 7405
If you have any queries about this consultation please telephone or email Peter Barker using the above contact details.
My response to the consultation. Feel free to use this as a model if you also wish to make a response.
Even if you have received a refund, you should still complain. It is contrary to the PSA Code of Conduct to sign people up for these services without their consent and these companies need to be shut down quickly. Your complaint may help others.
You can complain if you feel that the PSA guidance on consent to charge has not been followed.
Before complaining you need to know the following.
- The premium rate service the number relates to. This can be retrieved either from your text message confirmation or your phone bill.
- The name of the company providing the premium rate service.
- Your personal details, such as your name, address and contact details.
- The name of your phone or mobile network.
You do not need to attach a copy of your phone bill to make a complaint to PSA.
To make a complaint:
Go to the number checker on the PSA website: https://psauthority.org.uk/about-us/number-checker.
Put in the shortcode you are complaining about and click ‘Check it!’. You may need to complete a Captcha challenge in order to proceed to the next stage.
The next screen shows details of the company(s) responsible for the shortcode. Towards the bottom of the page there is ‘If you are unsatisfied with the outcome from the service provider, please get in touch with us here.’. Click on ‘here’ and you will be taken to the complaint form.
The more information you can include in your complaint, the easier it will be for PSA to take action.
If you find the online process too cumbersome you can complain by ‘phone on 0300 30 300 20 (Monday – Friday, 9.30am – 5pm, excluding bank holidays). This is charged as a normal landline call.
You can also contact them via Facebook messenger to ask questions, although you cannot submit a complaint this way.
If you still have problems making a complaint, contact me through this site for help.
If PSA try to discourage you from complaining, for example by insisting that you ask the company for details of how you signed up, be insistent. It is their job to investigate, not yours! Don’t forget you can message PSA on Facebook or Twitter and these conversations can be seen by the public!
You can also leave a review of PSA at https://www.facebook.com/pg/psauthority/reviews/
Welcome to Payforit Sucks. This site is dedicated to highlighting the security issues with the Payforit system implemented by all of the major UK mobile networks.
What is Payforit?
Payforit is a mobile payment scheme which was originally set up by the four “big” UK mobile network operators, EE, O2, Three and Vodafone. The Mobile Virtual Networks like GiffGaff, Virgin and Tesco are not directly involved but are consulted and share in the profits.
It allows subscribers to purchase goods and services, directly from their mobile phone. Purchases made through Payforit are charged depending on whether the subscriber is on a pre-paid (or “Pay as you go”) plan, or whether they are on a pay-monthly plan.
In the case of a subscriber on a pre-paid plan, the charge will be deducted from the subscriber’s credit or airtime. If the subscriber is on a pay-monthly plan, then the charge will be added to their monthly phone bill.
How does Payforit work?
Payforit provides the facilities to bill mobile users directly through their mobile phone. There are two common methods, single-click billing and Wi-Fi billing. (1)
Single-click billing works only when the subscriber is browsing via their mobile data, and cannot work if the subscriber is using Wi-Fi. With single-click billing, all the subscriber needs to do is simply to click or tap a button, and the charge is immediately made. The phone number is automatically detected over mobile data, which is used for the billing of premium-rate services.
With Wi-Fi billing, things become more complicated. It is not currently possible to detect a subscriber’s mobile phone number through a Wi-Fi connection (unless it’s a “personal hotspot”, or mobile broadband connection, in which single-click billing applies instead), so the Payforit system will request the phone number of the subscriber. The subscriber enters their phone number, and a text is sent to that number with a confirmation code. The confirmation code needs to be entered into the Payforit system, in order to authorise the charge.
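The two flows above, modelled as an added example (this is illustrative code written for this page, not Payforit's or any network's real implementation). It shows the safeguard the Wi-Fi flow gives and the single-click flow lacks: a charge is only authorised once a code sent to the handset is entered back, within a time limit and with a cap on wrong guesses, and recurring subscriptions are refused without that confirmed opt-in. The `send_sms` callback, the five-minute expiry, the three-attempt limit and the sample numbers are all assumptions.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass

CONFIRM_TTL_SECONDS = 300   # assumed: a confirmation code is valid for five minutes
MAX_ATTEMPTS = 3            # assumed: a code is void after three wrong guesses


@dataclass
class PendingConfirmation:
    code_hash: str      # only a hash of the code is kept server-side
    expires_at: float
    attempts: int = 0


def _hash_code(code: str) -> str:
    return hashlib.sha256(code.encode()).hexdigest()


class BillingGateway:
    """Toy carrier-billing gateway (constructed for illustration, not real code)."""

    def __init__(self, send_sms, clock=time.time):
        self._send_sms = send_sms    # callable(msisdn, text); the real SMS API in practice
        self._clock = clock          # injectable so expiry can be tested offline
        self._pending = {}           # msisdn -> PendingConfirmation
        self._consented = set()      # msisdns that completed the SMS confirmation
        self.charges = []            # (msisdn, amount_pence, recurring) that were applied

    # ---- Wi-Fi flow: the user types their number, a code goes to that handset ----
    def start_confirmation(self, msisdn: str) -> None:
        code = f"{secrets.randbelow(1_000_000):06d}"
        self._pending[msisdn] = PendingConfirmation(
            _hash_code(code), self._clock() + CONFIRM_TTL_SECONDS)
        # The code only ever reaches the handset that owns the number.
        self._send_sms(msisdn, f"Your confirmation code is {code}")

    def confirm(self, msisdn: str, code: str) -> bool:
        pending = self._pending.get(msisdn)
        if pending is None:
            return False
        # Expired or exhausted codes are discarded rather than retried.
        if self._clock() > pending.expires_at or pending.attempts >= MAX_ATTEMPTS:
            del self._pending[msisdn]
            return False
        pending.attempts += 1
        if not hmac.compare_digest(_hash_code(code), pending.code_hash):
            return False
        del self._pending[msisdn]
        self._consented.add(msisdn)
        return True

    # ---- Charging: single-click (number supplied by the network) buys a one-off only ----
    def charge(self, msisdn: str, amount_pence: int, recurring: bool) -> bool:
        if recurring and msisdn not in self._consented:
            return False   # no subscription on the strength of a click alone
        self.charges.append((msisdn, amount_pence, recurring))
        return True


if __name__ == "__main__":
    sent = []
    gw = BillingGateway(send_sms=lambda m, t: sent.append((m, t)))
    number = "447700900123"                       # constructed sample number
    print("single-click £4.50/week:", gw.charge(number, 450, recurring=True))
    gw.start_confirmation(number)
    code = sent[-1][1].split()[-1]                # what the handset would display
    print("confirmed:", gw.confirm(number, code))
    print("subscription after opt-in:", gw.charge(number, 450, recurring=True))
```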
So what’s the problem?
Briefly, when browsing or using Apps on a 4G network, this ‘service’ is capable of passing your phone number to a rogue trader and then allowing them to take money directly out of your phone account. Many consumers are unaware that this can happen and are shocked when they become the victim of one of these scams.
Payforit can be abused by scammers, especially in the single-click scenario, mentioned above. The single-click billing method requires no “real” authorization, other than clicking a link or a button in a web page, whereas the Wi-Fi billing method requires the user to receive a text message, and enter information from that message into a website.
Scammers have found various ways of getting consumers to click on these links. A popular one is to create a pop up box. When you click the X to close the box, you are deemed to have signed up to a subscription costing up to £4.50 per week.
Some recent scams have used Apps downloaded from Google Play which contain malicious code which performs a sign up on your behalf. It is impossible to tell from the permissions requested by the App that there is a problem, as all that is required to sign you up is internet access through a mobile network. (3)
Let’s be clear about this, Payforit in itself is not a scam, but it does aid and abet scams and over recent years has been proven to be insecure.
- Full rules of the Payforit scheme
- Article on rogue Apps in Google Play Store