Payforit Sucks – Here’ s Why

Welcome

Welcome to Payforit Sucks. This site is dedicated to highlighting the security issues with the Payforit system implemented by all of the major UK mobile networks.

What is Payforit?

Payforit is a mobile payment scheme which was originally set up by the four “big” UK mobile network operators, EE, O2, Three and Vodafone. The Mobile Virtual Networks like GiffGaff, Virgin and Tesco are not directly involved but are consulted and share in the profits.

It allows subscribers to purchase goods and services, directly from their mobile phone. Purchases made through Payforit are charged depending on whether the subscriber is on a pre-paid (or “Pay as you go”) plan, or whether they are on a pay-monthly plan.

In the case of a subscriber on a pre-paid plan, the charge will be deducted from the subscriber’s credit or airtime. If the subscriber is on a pay-monthly plan, then the charge will be added to their monthly phone bill.

How does Payforit work?

Payforit provides the facilities to bill mobile users directly through their mobile phone. There are two common methods, single-click billing and Wi-Fi billing.(1)

Single-click billing works only when the subscriber is browsing via their mobile data, and cannot work if the subscriber is using Wi-Fi. With single-click billing, all the subscriber needs to do is simply to click or tap a button, and the charge is immediately made. The phone number is automatically detected over mobile data, which is used for the billing of premium-rate services.

With Wi-Fi billing, things become more complicated. It is not currently possible to detect a subscriber’s mobile phone number through a Wi-Fi connection (unless it’s a “personal hotspot”, or mobile broadband connection, in which single-click billing applies instead), so the Payforit system will request the phone number of the subscriber. The subscriber enters their phone number, and a text is sent to that number with a confirmation code. The confirmation code needs to be entered into the Payforit system, in order to authorise the charge.

Stop Payforit helping thieves

So what’s the problem?

Briefly, when browsing or using Apps on a 4G network, this ‘service’  is capable of passing your phone number to a rogue trader and then allowing them to take money directly out of your phone account. Many consumers are unaware that this can happen and are shocked when they become the victim of one of these scams.

Payforit can be abused by scammers, especially in the single-click scenario, mentioned above. The single-click billing method requires no “real” authorization, other than clicking a link or a button in a web page, whereas the Wi-Fi billing method requires the user to receive a text message, and enter information from that message into a website.

Scammers have found various ways of getting consumers to click on these links. A popular one is to create a pop up box. When you click the X to close the box, you are deemed to have signed up to a subscription costing up to £4.50 per week.

It is also very easy to simulate a user clicking or tapping a button using Javascript. Javascript is client-side (meaning that it runs on your device) code used widely on the internet to provide interactivity with websites. Payforit  can’t tell whether a user willingly clicked or tapped a button, or whether it was done with Javascript code, without the user’s consent. In both cases it will pass the consumer’s phone number to the website and allow them to make charges against it. (2)

Some recent scams have used Apps downloaded from Google Play which contain malicious code which performs a sign up on your behalf. It is impossible to tell from the permissions requested by the App that there is a problem, as all that is required to sign you up is internet access through a mobile network. (3)

Let’s be clear about this, Payforit in itself is not a scam, but it does aid and abet scams and over recent years has been proven to be insecure.

References

  1. Full rules of the Payforit scheme
  2. Adjudication from PSA showing use of Javascript exploits
  3. Article on rogue Apps in Google Play Store

 

4 Replies to “Payforit Sucks – Here’ s Why”

  1. Hi…. I’m a victim of this Payforit scam, how do I stop it? I’m being charged £4.50 every week. I’ve tried to text ‘Stop’ to them but message won’t send.

    Please help as I need this to stop.

    Many thanks!

    Craig

    1. Craig,

      There should be a customer service number in the subscription text. I This should be a standard (non-premium) number. Call them to cancel the fraudulent subscription and to demand a refund.

  2. My daughter was playing a game clicked the x to get out of a pop up and was immediately subscribed to fuse forge games £13.50 was added to my phone bill and a further £4.50 will be taken, I phoned vodaphone to get sorted they put an mpay bar on my phone to stop this they have also refunded me half the money.if I had of phoned the number listed with the website it prob would have cost around £15…disgraceful these people are scamming us out of our hard earned money through a click of a button…

Comments are closed.

With the demise of Payforit, and a PSA consultation on a new Code of Practice for Phone-paid Services, we have decided to launch the Phone-paid Services Consumer Group (PSCG). You can visit the new website by clicking here. IF you need help, please contact us via the contact link on the new website.
Follow by Email
WordPress Appliance - Powered by TurnKey Linux