This consultation is now complete. The PSA have published a report based on it. The report is here.
The various responses, including the payforitsucks.co.uk response can be seen here.
The payforitsucks.co.uk response has been redacted. The unredacted version can be seen below.
The report is quite encouraging. It fails to fully recognise the extent of Payforit fraud, maintaining the pretence that most complaints are the result of “inadvertent” subscription rather than fraudulent subscription. However, it does recognise that, the levels of complaints arising from abuse of the Payforit mechanism are unsustainable.
The most important result is that PSA are now consulting on a proposal to amend the rules to require 2 factor authorisation for all Payforit subscriptions.
The proposal is here.
There is a response form for responding to this consultation. I’ll post my advice concerning this within the next few days. Please do respond. The PSA need to understand that they now HAVE to act.
My response
Q1: What are your views on the review objectives set out on page 4? Has the PSA got the right scope or are there areas the PSA should include or exclude?
Unfortunately, current consumer experience with Phone-paid subscription services is overwhelmingly negative. It is hard to find any positive reviews of these services online. A look at the Trustpilot reviews of SB7 Mobile Ltd and Lasevia Ltd will show numerous negative reviews from consumers who believe themselves to be defrauded and not a single positive review (at the time of writing). Indeed, SB7 Mobile Ltd have sought to suppress valid criticism, rather than answer it.
This suggests that compliance with the regulatory framework is failing to protect consumers from harm or that compliance is not being properly monitored or enforced.
Q2: Some subscriptions generate high levels of complaints, whereas others with similar numbers of subscribers generate very few. Do you have any views on the regulatory measures that would better support growth and innovation across the subscriptions, whilst ensuring consumers are protected from harm?
Whilst being aware that there are other subscription methods (which generate few complaints), the main source of consumer harm appears to be subscriptions collected via ‘Payforit’ .
Payforit is an archaic and inherently insecure payment mechanism. It has not adapted to reduce the incidence of fraud as other payment mechanisms have. It doesn’t have a centralised service for complaints and disputes. It doesn’t have a refund mechanism. PSA are well aware of these shortcomings, but do nothing to encourage reform. They know that malicious code in a web page, or in a downloaded App can sign users up to these services, without the consumer being aware that it has happened. They have been aware of the use of these exploits for several years, but nothing has been done to prevent them. They sit on their hands instead of being proactive in bringing these frauds to a halt.
Consumers will compare the consumer protection offered by phone paid services with those of other payment methods (Paypal, Contactless Payments, Direct Debits, Credit Cards, Debit Cards etc). The providers of all these payment methods provide clear mechanisms for the resolution of disputed transactions. Payforit and other direct operator billing methods offer no clearly defined or published mechanism for the resolution of disputes.
If I dispute a direct debit with my bank, the burden of proof will rest on the payee to prove that the debit was authorised and not with the payer to prove that it wasn’t! If I report fraudulent transactions to my bank, they will take the matter seriously and put a stop on any further fraudulent payments. The MNOs don’t even offer this minimal level of support. Instead, they ask the consumer to send a message to the fraudster asking them to STOP. To add insult to injury, they are charged for sending this message!
Alternative payment mechanisms also offer a simple refund mechanism. The Consumer Rights Act 2015 and the Consumer Contracts Information, Cancellation and Additional Charges) Regulations 2013 both insist that refunds should be made to the account from which the money was originally taken, unless the consumer agrees otherwise. These laws are disregarded by ‘Payforit’ and PSA have indicated that they don’t consider compliance with these laws to be within their remit!
The fact that the ‘Payforit’ mechanism appears to be unable to provide refunds to consumers’ phone accounts makes the receipt of refunds difficult for consumers. I am aware of two methods currently being used for the majority of refunds:
- Post Office text based postal order. This has the advantage that the refunding company does not need any additional personal information from the consumer. It is the nearest thing they seem to be able to do to refunding to the consumer’s phone account. However, bearing in mind that the refunds are often for amounts less than £10, the method is disproportionately inconvenient for the consumer. I suspect that a large number of these refunds are never cashed! My wife received refund by this method and she almost lost the will to live while waiting in the Post Office queue, for a £4.50 refund!
- A bank transfer. At the stage at which a refund is agreed, the only piece of personal information the company making the refund has is the phone number involved. Unless it has been willingly given, it doesn’t have any other personal data relating to the person claiming to own the phone number. In order to establish that the phone number which is the subject of the refund actually belongs to the consumer claiming it, it needs to ask for further personal information. Usually a phone bill or some similar document is requested. Some companies omit this step. This omission could be a breach of data protection legislation, as they have no way of being sure that the person they are refunding is the owner of the phone number from which the charges were original taken.
To obtain a refund, the consumer then has to provide bank details to a company which, as they see it, has already defrauded them. Some consumers are dissuaded from claiming a refund because of the amount of (unnecessary) personal data they are asked to supply. If it were possible to simply reverse the original charges, there would be no need for any additional personal information to be supplied.
To illustrate my concerns, I have reproduced below a few recent Social Media comments regarding the refunds issue:
the word stop is the only fix for this and costs 10p as for phoning waste of time and they could ask him for his bank details to give the credit back would you give them your bank details as I wouldn’t.
_______________________________________________________________________________
Lastly, I have just received a text from this scam company saying “We tried to call you back (I did get a missed call). the service has been STOPPED and a Goodwill refund to be issued. ” It goes on to say a refund will be received by SMS within 5 days and I should take it to the Post office who will give me a cash refund. Is this for real?
________________________________________________________________________________
They have now sent me a email agreeing to refund me via a text message that I would have to take into the Post Office to get a refund, they added it can take 10 – 7 days for this to happen, at the moment I have not replied this is clearly not satisfactory in my way thinking, they should return the money direct to my phone balance, I’m in a dilemma do I have to accept a refund this way or not, has anyone else got a refund direct to their phone balance.
________________________________________________________________________________
If someone else was also scammed: I just called the number 02071369911 and then pressed 3 and was connected to a lady that said she is in Belgrade, Serbia. She said she would cancel my subscription. I also gave her my email address, and then I received an email from info (at) jamster (dot) co (dot) uk saying that if I want a refund of my £4.50 I have to write back providing them with:
– Full name of the bank account holder
– Bank name
– IBAN (International Bank Account Number). UK IBANs start with GB and are 22 characters long.
– SWIFT-BIC (Branch Identifier Code) – The SWIFT-BIC code is either 8 or 11 characters long.
Do you think it is safe to give them this information?
______________________________________________________________________________
It is totally illogical that they are able to take money from my giffgaff account, but cannot put it back there, the same place they took it from, and then need my bank details. I decided to take a risk and gave them the information they asked for, since I heard that banks are required by law to refund customers, if unauthorized withdraws are made.
Jamster sent me an email, saying I should see the £4.50 refund on my bank account in 20 days. Let’s see.
_______________________________________________________________________________
They said
“Nevertheless, as the entry was cancelled so soon after being confirmed, as a gesture of goodwill we will refund you £4.50. Your refund will be sent to you in the form of a text message from the Post Office on Friday 15th June 2018 and it will clearly state the Post Office as the sender. Once you receive your text message you can take this to any Post Office branch at your convenience. There’s a unique barcode, which is valid for 30 days, within the message and all you have to do is to present the message over the counter and they will give you your funds there and then in cash.”
Are they serious?
______________________________________________________________________________
I would just like to give an update regarding the scam text I received. Following advice given on here I replied STOP to the short number and called the help number. Left a message stating that the subscription was unsolicited and requested a refund. I also lodged a complaint with the PSA. I received a text today giving a bar code number to be shown at any Post Office to claim back the £3 that was taken from my airtime. I did this and the Post Office gave me my £3 back. Thanks again for your help
______________________________________________________________________________
We did eventually get a refund, it took about six weeks to arrive, and came in the form of a text message which had to be taken to the post office! Unbelievable!
To obtain a refund, ‘Payforit’ requires the consumer to negotiate directly with the originator of the charge. What is worse is that, if the recipient of the payment fails to respond, there is no process to follow to resolve the issue. In the absence of a defined process, these uncooperative companies continue to trade for months, until the volume of complaints is such that PSA cannot ignore them.
It is not the role of PSA to adjudicate on individual disputes. However, it could insist on the introduction of a mechanism by which consumers can receive swift refunds when they are defrauded by rogue companies. Much of this could be automated, as it is with other payment mechanisms.
The problem is not that fraud happens. It will happen to some extent with any payment system regardless of the security and authentication measures put in place. Fraudsters are continually refining their methods and finding new ones. Most payment systems respond to attempted fraud by putting effort in to fraud prevention, but this has not happened with ‘Payforit’.
The problem is the lack of any defined process for the consumer to resolve their complaint (within a reasonable timescale) and obtain a refund if one is adjudged to be appropriate. Current arrangements would appear to be in breach of the Consumer Rights Act 2015 as it applies to digital services, in terms of methods and timescales for dealing with consumer complaints, and in terms of the refund process.
Large numbers of consumers have experienced unexpected charges as a result of these ‘Payforit’ subscription services. Although the amounts involved are usually small (£4.50 per week or less), the companies take advantage of the fact that many consumers do not check their bills, and many consumers lose significant amounts. This ‘cramming’ fraud has been a persistent problem, not just in the UK but in many other countries. In the USA and Australia, there have been a number of high profile cases where MNO’s have been held accountable for fraudulent subscriptions.
https://www.itnews.com.au/news/telstra-hauled-before-court-over-premium-mobile-billing-487699
Many consumers have experienced great difficulty in getting fraudulent subscriptions stopped. The ‘Payforit’ system can be very confusing, particularly for consumers who do not receive an itemised bill. The text containing the subscription is often deleted as spam. The ‘payforit’ receipt text does not say which service it relates to. The number to which STOP is to be sent is often different to the number from which the subscription text was sent. The problem is often made worse for PAYG customers who do not receive an itemised bill.
There is no disputes mechanism. Many consumers have been successful in getting a resolution using the UK Small Claims procedure, but this is not available for companies based outside the UK. Currently the EU Small Claims procedure is an option for companies based in EU countries, but this may not be available after March next year. It is not acceptable that defrauded consumers are unable to seek redress because of the high costs of taking proceedings in a foreign court.
There needs to be an independent ombudsman to consider all cases where consumers claim to have been fraudulently charged. Given the ease with which these frauds can be perpetrated, and the inability of the regulator to recognise them, a refund should be given unless there is clear evidence that the consumer knowingly and intentionally entered into a contract.
Direct carrier billing currently enjoys a limited exemption from the requirements of the Payment Services Directive v2 (PSD2).
In fairness, direct carrier billing services should be subject to the same regulations as the payment services they are competing with. The directive provides additional safeguards to consumers. It reduces their potential losses from fraud, and requires the Service Providers to provide robust, two factor, authentication. The directive also forces Payment Service Providers to provide a proper dispute mechanism. Consumers using ‘Payforit’ are denied the additional protection these safeguards would have afforded them.
In February this year, EE , to their credit, introduced a system requiring a two factor authorisation with PIN for all subscription services. (PSA currently only require this for services charging more than £4.50 per week). There has been a dramatic reduction in complaints of fraudulent subscriptions from EE customers. This suggests that EE’s approach has worked. As a minimum, PSA should introduce a Special Condition requiring this for all networks.
It is notable, that although PSA currently recommend the use of two factor authorisation with PIN for services costing £4.50 or less per week, this is ignored by most, if not all, providers. I do not believe this to be accidental, as two factor authorisation with PIN will defeat most of the exploits currently used to implement fraudulent subscriptions.
Q3: Do you agree that different subscription services may require different regulatory responses? Do you have any thoughts on what this variation could look like?
Unfortunately, Phone-paid Services subscriptions have had a high level of fraud complaints for many years. The move from PSMS to ‘Payforit’ resulted in a temporary drop in these complaints, but these have since increased again. It is probably true to say that as soon as one door is closed, the fraudsters will find another. This means that it is likely that, given time, the fraudsters will find a way of circumventing any protection put in place.
There are two possible solutions:
- More speedy and robust application and adaptation of the code of practice to protect consumers as soon as a problem is identified. Currently, one service has been causing a high volume of complaints since the beginning of May. At the beginning of October, it is still operating and generating the same high level of complaints while PSA conduct a lengthy ‘investigation’! A speedy and robust response to problems like this would help protect consumers by removing the fraudulent service before significant damage is done.
or
- A speedy, impartial and simple method of resolving disputes and providing refunds to consumers for charges where consent cannot be indisputably proven. This could be funded by a charge to the service for each case referred, so encouraging these companies to behave responsibly. It would not be fair for these costs to be shared evenly between services since, as you have stated, some services generate much larger levels of complaints (and currently lack any concern about this!)
In view of the current inability of the PSA to protect consumers from scam subscriptions, and their failure to robustly apply the code of practice, my preference would be for all services to be required to be members of an independent ADR scheme. Funding for this scheme could be obtained by a charge to the service provider for each case referred to the scheme.
An alternative approach might be to raise the bar for entry in to this ‘industry’.
Where a subscription service carefully monitors usage of the service, and offers speedy refunds when the service has not been used (or has been used only once at the time of subscription), then the current levels of regulation might be appropriate. If service providers have a reputation to protect, they are unlikely to indulge in the practices that are currently bringing phone-paid services into disrepute.
In Australia, where most third party subscriptions can no longer use direct carrier billing, some services, such as Google Play and Netflix, have been allowed to continue. By only allowing authorised, reputable companies to access the payment mechanism, the risk of consumer harm is much reduced.
Q4: Is there any other information or evidence that you would like to provide to PSA to assist it to undertake more detailed analysis of the existing framework, including around where you see subscriptions heading?
It is clear from the numbers of recent cases that the current ‘Payforit’ system is highly vulnerable to fraud. Furthermore, PSA are, on their own admission, unable to tell the difference between a legitimate signup and one caused by malicious code.
OFCOM, in 2012, wrote:
Internet diallers
6.77 During 2004 PP+ received 57,743 complaints about services using internet dialler software. These included consumers being misled into clicking on an icon or banner, or accessing a website, which, without their knowledge, would trigger the download of software to their PC. That software then used their internet dial-up account to call premium rate numbers operated by the dialler software’s owner.
6.78 This scam demonstrates how a fragmented supply chain, with separation between the service provider and the billing party, can be exploited in an (unlawfully) opportunistic way. The greater transparency of PFI services would not prevent this harm. Rogue software can be embedded in such a way as to circumvent any verifiable method of consumer consent to charges (like a PFI checkout).
It follows that any supposed ‘consent’ from a consumer has to be viewed with suspicion, especially when that consumer is adamant that they did not consent. PSA seem too willing to accept such ‘proof’ of consent unquestioningly, and place the burden of proof on the defrauded consumer rather than the service provider. The system needs to be reformed so that automatic refunds are provided unless the service provider can prove consent indisputably. (currently not possible for the reasons above).
Some ‘services’ for example those operated by SB7 Mobile Ltd and Lasevia Ltd appear to have been created solely to exploit this vulnerability. Trustpilot reviews of these service are enlightening.
https://uk.trustpilot.com/review/sb7mobile.com
https://uk.trustpilot.com/review/lasevia.com
There is no evidence that these services have any genuine subscribers, and a great deal of evidence that they are causing consumer harm (despite the efforts of SB7 Mobile Ltd to suppress valid criticism on Trustpilot). Services like these damage the reputation of the entire industry.
The vulnerability of ‘Payforit’ makes it a target for fraudsters. A look at some of the services will show that many of them are ridiculously poor value for money.
Take Lasevia’s Books4You service. You can read 50 ‘Classic books’ (for Classic read out of copyright) for £4.50 per week (equivalent to nearly £20 per calendar month) They don’t even tell you what the books are before you sign up! Compare this with Amazon’s Kindle Unlimited offering at £7.99 per month,
‘Services’ like this are not set up to provide a ‘service’ to consumers. They are set up to exploit the vulnerabilities of the Payforit system. I’m sure there are a few legitimate services which consumers find useful, but I can’t find them, nor any consumers extolling their virtues.
Companies that genuinely wish to provide a service to consumers should be putting pressure on the PSA to put an end to the fraud and clean up the industry.
The Phone-paid Services industry needs to modernise and provide the levels of consumer support and fraud prevention that are expected of modern payment mechanisms. Consumers should be able to report problems with these subscriptions to their networks and have them dealt with in one phone call, not be passed from pillar to post in an effort to get a resolution. The fact that the networks process these, often fraudulent, transactions and then claim to be unable to refund or even stop them does not sit well with consumers.
Consumers should be able to opt out of the ‘Payforit’ system and not have their numbers passed automatically to third parties when they click a link on a website. The only way this can be achieved currently is by the consumer using a VPN or by restricting internet access to WiFi connections. There is no need for consumers numbers to passed to third parties in this way. It is quite possible to sign up to a phone-paid subscription on a wifi connection, but because the process is more transparent fewof the complaints I receive relate to signups over WiFi. Some may wish to avail themselves of the ability to sign up for subscription services without ‘friction’. Those people should have to opt in.
Consumer should also be able to opt out of third party charges to their account. Currently this is not offered by all UK networks, but is a legal requirement in many other juristictions such as Germany. MNO’s should not be allowed to offer access to these subscription services without also offering an ability to bar access to them. Charge caps on mobile phone contracts should also be required to apply to these charges.
I would go a stage further and suggest that consumers should have to opt in to the ability to subscribe to these third party services (in the same way as currently happens for adult services). There would be two major advantages to this:
- By having to opt in, consumers would be made more aware of the fact that clicking links on websites could result in unwanted subscriptions.
- Children and other vulnerable groups could be protected from harm. Many complaints relate to children or vulnerable adults becoming subscribed to Phone-paid services. Parents want to be able to give their children a phone without the worry of them running up unexpected bills. Many consumers believe that by blocking premium calls/texts, or by putting a spending limit on an account they can protect themselves but, as PSA are well aware, that is not the case.
In Australia, where there have been ongoing problems with ‘charge to bill’ or ‘cramming’ fraud, the networks were eventually forced by public opinion (and potentially expensive law suits) to limit the use of ‘charge to bill’ to large companies with good customer service.
https://www.telstra.com.au/mobile-phones/moreonyourmobile/premium-direct-billing-exit
The same could happen here if the industry does not put its house in order! There are many other, more secure, payment methods which could be used to pay for such services. There is no evidence that the benefits of the simplicity of ‘Payforit’ justify the high levels of consumer harm caused by the exploitation of its vulnerabilities.
If consumers are not to be properly protected, I would prefer to see legitimate services moving to these other payment mechanisms, and Phone-paid subscriptions abandoned as they have been in Australia.
