Phone-paid Services – who does what?

One of the main reasons for Phone-paid Services being a target for fraudsters is the long and complex “value chain” involved in these services. Put simply, although your network charges you for these services, they don’t have a direct contractual relationship with the “service provider”.

There are two main charging methods used in the UK to implement charges. These are

  • PSMS (Premium SMS).

In this case you are charged for receiving texts from a “shortcode”. This is the method which has been in use the longest, and which has a long history of abuse. In our view this method is unsafe. Consumers should never be charged for RECEIVING a text. Consumers often mistakenly believe that they can stop these charges by blocking the texts. This isn’t true! Because of the problems with PSMS, the networks developed:

  • Direct Carrier Billing (DCB).

Some networks refer to this as “Charge to Mobile” while others refer to “Charge to Bill”. Payforit, prior to its abandonment, was also a term used to describe DCB. In this case the charges are applied directly to your phone bill (which should then contain details of the charges). The charge is made at a network level and can only be blocked with a bar (offered by O2, EE and Vodafone, but not by Three). Texts are sent to notify the consumer of the charges, but these are not chargeable. These text messages are often mistaken as spam by consumers.

There are a number of parties involved in handling these payments, and most of them stand to profit from fraudulent transactions.

Let’s look at some of these parties.

  • Mobile networks

This is the simplest to understand. The Mobile Network Operators (MNOs) in the UK are Three, O2, EE and Vodafone. There are also many Mobile Virtual Network Operators (MVNOs). The MVNOs have no physical network of their own. Instead they use the physical network of one of the MNOs. For example, GiffGaff use the O2 network, Smarty use Three and Lebara use Vodafone. Not all MVNOs allow Phone payments, but where they do, the range of services is usually that of the underlying MNO. The networks contract with companies called “Payment Aggregators” or “Level 1 providers”. Networks can choose which Level 1 providers they wish to do business with, and are supposed to assess the suitability, honesty and reliability of these companies as part of their “Due Diligence, Risk Assessment and Control” (DDRAC). Networks take between 20 and 40% of phone paid charges as a fee for allowing these companies to access their payment systems and networks.

Networks benefit from an exemption to the Payment Services Directive (PSD2) which enables them to operate payment services without regulation from the Financial Conduct Authority.

This exemption is, however, quite limited.

The goods and services that fall under the exemption are:

  • digital content, such as music and digital newspapers
  • voice-based services, such as premium rate phone numbers
  • tickets, and
  • charitable activity such as donations

As the intention is for the exemption to be used for lower-value and micro-payments, individual transactions are exempt only if they do not exceed £40 and the cumulative value of payment transactions for an individual subscriber does not exceed £240 per month.

In the UK it has been assumed that this exemption can be “cascaded down” to the level 1 providers, allowing them to operate unregulated payment services.

However, according to the European Banking Authority, this view is wrong and the exemption should only apply to companies which have a direct communications contract with the consumer.

As part of their role in Phone Paid Services, the networks provide a facility known as MSISDN passthrough or MSISDN forwarding. Many consumers can’t understand how their number was obtained in order to make charges. This is usually, but not always, the answer. The mobile network operator passes the MSISDN (mobile number) through the web page headers meaning no details need to be entered by the end user.

The networks often deny leaking customers’ numbers to third parties in this way, but this is because they don’t understand the system they are operating. MSISDN passthrough is part of the system and is entirely intentional.

Txtnation is one of the payment aggregators. This is their page explaining MSISDN forwarding.

This only works, of course, when you are accessing the internet through your MNO’s network. When using WiFi, you need to enter your number in order to charge services to your phone bill. There then needs to be verification that the number entered belongs to you, and this is normally done by sending a PIN to your phone. If this system isn’t in place, or doesn’t work correctly, it becomes possible for any number to become “subscribed” to the service. There have been a number of recent cases where this has happened.


  • Payment Aggregators (Level 1 providers).

These are sometimes also referred to as Accredited Payment Intermediaries (API). Some prominent companies are TxtNation, mGage, ImiMobile, and Oxygen8. These are usually quite large, seemingly reputable companies. They form contractual relationships with the MNOs which allow them to make charges to phone accounts without the kind of checks which would be normal in a payment processing system. The networks perform no checks on the charges applied by the level 1 providers and simply assume them to be valid. The Level 1 providers are responsible for payment processing. They form the contractual link between the “service providers” and the networks. Under “Payforit”, the payment pages were served and handled by the Level 1 provider, and followed a standard format.

At a later stage, Payforit allowed for what were called “principles based” flow. This allowed service providers more flexibility in the design of the payment pages, although still subject to rules regarding the payment flow which SHOULD make it almost impossible for a third party to interfere with the payment process. With the demise of Payforit in December 2019, the system has become even more confused, as each network can now apply its own rules, with no standardised approach.

It is to be regretted that the opportunity to standardise Direct Carrier billing in the UK has been lost because of the inability of the networks to address Payforit fraud.

The role of the payment aggregators is crucial to the system. Although they purport to be reputable companies, some of these APIs have entered into very dubious contractual relationships with companies which have previously been found to be in breach of the rules.

We received this statement from someone who worked for one of the payment aggregators. We publish it “as is”. None of the information in it can be easily verified. However, we have no reason to doubt its authenticity. The payment aggregators lurk in the shadows, and many consumers are unaware of their existence.

In 2019, PSA finally took one of the aggregators (Veoo Ltd) to a tribunal. The evidence was damning. Veoo had applied charges to thousands of numbers for which there was no evidence of a lawful contract. Veoo sought to claim this was an administrative issue, but the PSA tribunal found that it was highly improbable that Veoo weren’t completely aware that they were unlawfully charging consumers.

The PSA adjudication can be seen here.

We subsequently published our own commentary on this case.

Just as the networks are supposed to vet the Level 1 providers they do business with, the level 1 providers are supposed to perform Due Diligence, Risk Assessment and Control checks on the Service providers they allow to use their payment gateway. We see little evidence that this is happening.

There are signs that, after the Veoo adjudication, Phone-paid Services Authority intend to take a firmer approach with Payment Aggregators who are negligent in their DDRAC responsibilities. We hope this proves to be the case.

  • Service Providers (Level 2 providers)

These are the companies which provide the services for which consumers are charged. Sadly, by the time the other companies in the “value chain” have taken their cut, there is little money available to fund these services. The services vary considerably, but in almost every case a better service would be available for less money using an alternative payment method. Some services are a cynical attempt to exploit the system by offering “alerts” for deals which can be obtained free of charge by going online. Another service which came to our attention was one which offered online access to a number of “Classic books”. All of them were available online for free because they were out of copyright! Of course, we believe in a free market and consumers should be free to pay for services like this if they choose to do so. However, when large numbers of consumers complain of becoming “subscribed” to services like these without their consent, PSA needs to investigate quickly and thoroughly.

One of the problems with the service providers is that they can currently be located anywhere in the world. While theoretically subject to the PSA Code of Practice and UK Law, in reality they are very difficult to hold to account. We’d like to see PSA require a UK company to be accountable for all these services, so that consumers can go to the Small Claims court if dissatisfied.

  • Affiliate Marketers

Affiliate marketers are probably the weakest link in the “value chain”. These companies (often individuals) receive a fee for each signup they obtain to the service. They are contracted with the service provider, but often through yet another third party. As a result, when PSA identify an affiliate marketer as being implicated in breaches of their code, they are unable to identify the culprit. Even if the affiliate marketer responsible can be identified, PSA don’t have any power to pursue them. PSA have countered this by insisting that service providers must take full responsibility for the promotion of their services, whether or not they employ affiliate marketers.

All of the above parties are paid according to the volume of sales, so they all stand to gain from fraudulent activity generating additional payments.

There are also some other parties involved in these transactions.

  • Customer Services Companies

The service providers, as part of providing their service, are required to provide customer support during working hours, Monday to Friday. In order to do this, they often employ a customer service company to handle customer service. Of course the largest part of this is handling customers who complain of being subscribed without their consent. These companies vary greatly in quality, with some making a genuine effort to help, while others are clearly expected to deflect complaints away from the service provider and make it almost impossible to pursue a complaint.

  • Verification Services

These are crucial to the integrity of the system and are supposed to be completely independent of the other parties in the transaction. These companies are tasked with recording the details of transactions with consumers in such a way that there is an indisputable record of the interaction between the consumer’s handset and the service’s signup pages. There are a number of issues with this. Firstly, clickjacking and iFraming can be used to disguise the signup pages, so that when the consumer clicks, for example to close a pop-up, they are actually clicking the box agreeing to a subscription. A report into this, produced for BBC Watchdog, is here. An example of a case where PSA found iFraming to be responsible for unlawful charges is here.

A second method by which fraudulent charges can be made is through the presence of malware on the consumer’s handset. PSA warned of this risk in April 2018, although firms were being caught and fined for using this method as early as 2014.

The problem is that fraudulent charges made in this way are difficult, if not impossible, to distinguish from valid charges accepted freely by the consumer. PSA have recently introduced a requirement for PIN verification of such charges, which should make it much more difficult to use exploits like these to make charges without a consumer’s consent.

There have, unfortunately, been issues with these PIN verification services. In one case the PIN was displayed on the signup page, making it possible to sign any valid number up to a “subscription” with the service. In another case, although a PIN was sent by text, we discovered that entering “0999” into the PIN box always passed verification.

We don’t know whether these security breaches were the result of sloppiness on the part of the verification companies or the payment aggregators, or part of a deliberate attempt to create unlawful charges. As always in these cases, it is hard to put the blame on any one party, although evidence exists that something was seriously wrong.
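As an added illustration (not code from this page, nor from any aggregator or verification company), this is the shape a server-side PIN check should take so that neither failure described above can occur: the PIN is sent to the handset only, never returned to the signup page; it is bound to the number that requested it; it expires, is single-use and attempt-limited, so no fixed value such as “0999” can pass for every number. The SMS gateway hook and the sample number are assumptions.

```python
import hashlib
import hmac
import secrets
import time

PIN_TTL_SECONDS = 300   # PIN is worthless after five minutes
MAX_ATTEMPTS = 3        # a 4-digit PIN only survives if guesses are limited


class PinVerifier:
    """Server-side PIN verification for a pay-by-mobile signup.

    The only copy of the PIN leaves the server via the SMS gateway;
    the web tier never sees it and start() deliberately returns nothing.
    """

    def __init__(self, send_sms, now=time.time):
        self.send_sms = send_sms   # hypothetical gateway hook: send_sms(msisdn, text)
        self.now = now             # injectable clock so expiry can be tested
        self._pending = {}         # msisdn -> (salt, pin_hash, expires_at, attempts)

    def start(self, msisdn):
        pin = f"{secrets.randbelow(10_000):04d}"   # uniformly random, not predictable
        salt = secrets.token_bytes(16)
        self._pending[msisdn] = (salt, self._hash(salt, pin),
                                 self.now() + PIN_TTL_SECONDS, 0)
        self.send_sms(msisdn, f"Your confirmation PIN is {pin}")
        # No return value: the PIN must never be rendered on the signup page.

    def verify(self, msisdn, candidate):
        entry = self._pending.get(msisdn)
        if entry is None:                      # no PIN was ever issued to this number
            return False
        salt, pin_hash, expires_at, attempts = entry
        if self.now() > expires_at or attempts >= MAX_ATTEMPTS:
            del self._pending[msisdn]          # expired or locked out: must restart
            return False
        ok = hmac.compare_digest(self._hash(salt, candidate), pin_hash)
        if ok:
            del self._pending[msisdn]          # single use: consent is recorded once
        else:
            self._pending[msisdn] = (salt, pin_hash, expires_at, attempts + 1)
        return ok

    @staticmethod
    def _hash(salt, pin):
        # Salted digest so the stored record never holds the PIN in clear.
        return hashlib.sha256(salt + pin.encode()).digest()
```

The evidence of consent the page calls for is then the successful verify() event for that MSISDN, not a list of numbers handed over by a service provider.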

The Veoo case referred to above was primarily the result of service providers moving from one payment aggregator to another. The service providers gave Veoo a list of the phone numbers of the subscribers to their service. Veoo should have verified with the verification service that they held verification information to validate these subscriptions. In reality, no verification was held for the vast majority of these numbers.

A further weakness is the failure of payment aggregators to use end-to-end encryption for these transactions. All reputable payment processors use end-to-end encryption (the https protocol) to avoid the possibility of a transaction being interfered with by a third party interposing themselves between the payment processor and the consumer. We have no evidence that this has happened, but it is clearly a weakness that payment aggregators continue to use the insecure http protocol for internet transactions.

The vulnerability of the long value chain involved in Phone payment has been recognised for years, but nothing has been done about it.

Para 6.78 of the Ofcom 2012 review of PRS services states:

6.78 This scam demonstrates how a fragmented supply chain, with separation between the service provider and the billing party, can be exploited in an (unlawfully) opportunistic way. The greater transparency of PFI services would not prevent this harm. Rogue software can be embedded in such a way as to circumvent any verifiable method of consumer consent to charges (like a PFI checkout).

We believe that the networks need to take more responsibility for phone-payment. After all, if the consumer refuses to pay a PRS charge, it is they who enforce it – even though they have no proof that the charge was lawful.

Networks should be required to have proof of consent to charge BEFORE passing these charges on. If a consumer queries a charge with their credit card company or with Paypal, they will be able to tell them EXACTLY how, when and where they consented to those charges. The same should apply to phone-payment. Networks should hold evidence of consent to charge and provide it to the customer without delay when a charge is queried.

Alternatively, if the networks refuse to take on this responsibility and wish to continue with the pretence that the charges are nothing to do with them, there needs to be a chargeback system. They should refund the charges to the consumer and it should be left for the service provider to pursue the debt, if they can evidence it. Networks should not be enforcing charges they cannot substantiate.