Payforit Sucks – Here’ s Why

Welcome

Welcome to Payforit Sucks. This site is dedicated to highlighting the security issues with the Payforit system implemented by all of the major UK mobile networks.

What is Payforit?

Payforit is a mobile payment scheme which was originally set up by the four “big” UK mobile network operators, EE, O2, Three and Vodafone. The Mobile Virtual Networks like GiffGaff, Virgin and Tesco are not directly involved but are consulted and share in the profits.

It allows subscribers to purchase goods and services, directly from their mobile phone. Purchases made through Payforit are charged depending on whether the subscriber is on a pre-paid (or “Pay as you go”) plan, or whether they are on a pay-monthly plan.

In the case of a subscriber on a pre-paid plan, the charge will be deducted from the subscriber’s credit or airtime. If the subscriber is on a pay-monthly plan, then the charge will be added to their monthly phone bill.

How does Payforit work?

Payforit provides the facilities to bill mobile users directly through their mobile phone. There are two common methods, single-click billing and Wi-Fi billing.(1)

Single-click billing works only when the subscriber is browsing via their mobile data, and cannot work if the subscriber is using Wi-Fi. With single-click billing, all the subscriber needs to do is simply to click or tap a button, and the charge is immediately made. The phone number is automatically detected over mobile data, which is used for the billing of premium-rate services.

With Wi-Fi billing, things become more complicated. It is not currently possible to detect a subscriber’s mobile phone number through a Wi-Fi connection (unless it’s a “personal hotspot”, or mobile broadband connection, in which single-click billing applies instead), so the Payforit system will request the phone number of the subscriber. The subscriber enters their phone number, and a text is sent to that number with a confirmation code. The confirmation code needs to be entered into the Payforit system, in order to authorise the charge.

Stop Payforit helping thieves

So what’s the problem?

Briefly, when browsing or using Apps on a 4G network, this ‘service’  is capable of passing your phone number to a rogue trader and then allowing them to take money directly out of your phone account. Many consumers are unaware that this can happen and are shocked when they become the victim of one of these scams.

Payforit can be abused by scammers, especially in the single-click scenario, mentioned above. The single-click billing method requires no “real” authorization, other than clicking a link or a button in a web page, whereas the Wi-Fi billing method requires the user to receive a text message, and enter information from that message into a website.

Scammers have found various ways of getting consumers to click on these links. A popular one is to create a pop up box. When you click the X to close the box, you are deemed to have signed up to a subscription costing up to £4.50 per week.

It is also very easy to simulate a user clicking or tapping a button using Javascript. Javascript is client-side (meaning that it runs on your device) code used widely on the internet to provide interactivity with websites. Payforit  can’t tell whether a user willingly clicked or tapped a button, or whether it was done with Javascript code, without the user’s consent. In both cases it will pass the consumer’s phone number to the website and allow them to make charges against it. (2)

Some recent scams have used Apps downloaded from Google Play which contain malicious code which performs a sign up on your behalf. It is impossible to tell from the permissions requested by the App that there is a problem, as all that is required to sign you up is internet access through a mobile network. (3)

Let’s be clear about this, Payforit in itself is not a scam, but it does aid and abet scams and over recent years has been proven to be insecure.

References

  1. Full rules of the Payforit scheme
  2. Adjudication from PSA showing use of Javascript exploits
  3. Article on rogue Apps in Google Play Store

 

O2 GDPR Letter


Telefónica UK Limited
 Correspondence Department
 PO BOX 694
 Winchester
 SO23 5AP

DPO@O2.com

 Dear Sir or Madam

Information rights concern – Payforit API


I am concerned that you are not handling my personal information properly.

My concerns relate to the operation of the Payforit payment mechanism on your network. I have recently been the victim WAP Billing fraud through the Payforit mechanism which you operate. The system has a serious vulnerability which means that clickjacking and iFraming exploits embedded in a malicious webpage can result in consumers becoming unknowingly subscribed to Payforit subscription services. This vulnerability only applies when the consumer is accessing the internet via mobile data and results directly from the fact that GiffGaff supply the consumer’s phone number to the API.

In case you are unfamiliar with this, here is a link to the Payforit rules. If you refer to page 10 you will see that the processing includes a step where “At the same time, the mobile number of the consumer is transferred to the API by the consumer’s mobile network. “. This cannot happen if I access the same website using a WiFi connection.

In my own case I became subscribed to ..

[Give details of your own case. Include the name of the company, the name of the service, the amount you lost, and any problems you had obtaining a refund.]

I would like to know the basis on which this specific processing (the passing of my phone number to a third party via the Payforit API) is being carried out. I have never given explicit consent for this, so assume that it is being processed on a “legitimate interests” basis. I understand that this processing reduces the “friction” in purchasing certain phone paid services and that O2 may seek to claim this is a “legitimate interest”. However it is not necessary, as it is quite possible for me to purchase those same services via a WiFi connection without O2 compromising my phone number in this way.

If mine was an isolated case I would be less concerned. However it would appear that this mechanism is subject to widespread abuse and is being used as a method of defrauding consumers. To see the extent of the problem take a look at these links:

https://uk.trustpilot.com/review/lasevia.com

https://uk.trustpilot.com/review/www.ferdamia.com

https://uk.trustpilot.com/review/sb7mobile.com

https://uk.trustpilot.com/review/nuyoo.co

https://uk.trustpilot.com/review/fitguru.tv

https://community.o2.co.uk/t5/Pay-Monthly/Nexgen-Ltd/m-p/1197558

https://community.o2.co.uk/t5/forums/searchpage/tab/message?q=payforitsucks&sort_by=-topicPostDate&collapse_discussion=true

I’m sure that the regulator, the Phone-paid Services Authority will have logged many similar cases.

I think you’ll agree that the scale of the problem is quite shocking and that something needs to be done.

It might also be worth mentioning to you that EE had a problem with WAP billing fraud (including, but not limited to Payforit) prior to February 2018, when they introduced a requirement for additional verification of the consumer’s consent to charge. This has virtually eliminated Payforit fraud on the EE network. A request on the O2 forum for a similar measure has so far fallen on deaf ears. https://community.o2.co.uk/t5/Discussions-and-Feedback/Premium-rate-services-petition-to-O2/td-p/1188385/highlight/false

It is largely as a result of your failure to protect customers from harm that I am making this complaint.

It is largely as a result of your failure to protect customers from harm that I am making this complaint. Under the Payforit rules, customers are supposed to be able to “escalate” Payforit disputes to you in the event that they are unable to get a satisfactory resolution for the “service provider”. This method of redress is being routinely denied by your Customer Services staff.

Payforit is a method of charge to mobile. The words of reassurance on your website ring rather hollow.

Rogue code embedded in a web page can result in a consumers phone number being passed to a third party, via the Payforit API without them even being aware that this has happened. I believe that the disclosure of consumers phone numbers to third parties by the Payforit API does not fall under the legitimate interest basis for lawful processing. This disclosure is causing considerable consumer harm and is unnecessary. Indeed, I can see no valid reason for not allowing consumers to opt out of this disclosure. The effect would not be noticed by the vast majority of consumers but Payforit fraud could be virtually eliminated.

Please ensure that your response is specific to the Payforit API. I’m not making a general enquiry about disclosure to third parties or seeking to dispute your right to pass my phone number for other legitimate reasons.

The ICO says the following about the legitimate interests basis: (my comments in italics)

·  It is likely to be most appropriate where you use people’s data in ways they would reasonably expect and which have a minimal privacy impact, or where there is a compelling justification for the processing.

I do not believe that consumers would expect their phone number to be passed to a third party when they click a link on a website. Even when the Payforit mechanism is used legitimately it is not made clear that this is what will happen. Indeed there have been instances where your customer services staff don’t even realise that this is happening!

There is a clear privacy impact which results in consumers receiving unexpected charges which are almost impossible to get refunded.

·  If you choose to rely on legitimate interests, you are taking on extra responsibility for considering and protecting people’s rights and interests.

I would like to see evidence that you have properly balanced the interests of consumers against your business interests in your consideration of this particular mechanism. Note that I am talking solely about disclosure of phone numbers via the Payforit API and not any other mechanism.

·  There are three elements to the legitimate interests basis. It helps to think of this as a three-part test. You need to:

  • identify a legitimate interest;
  • show that the processing is necessary to achieve it; and
  • balance it against the individual’s interests, rights and freedoms.

I would like to see evidence that this three part test has been applied to the disclosure of phone numbers via the Payforit API.

·  The legitimate interests can be your own interests or the interests of third parties. They can include commercial interests, individual interests or broader societal benefits.

·  The processing must be necessary. If you can reasonably achieve the same result in another less intrusive way, legitimate interests will not apply.

I do not believe that this processing is necessary. The Payforit API provides for an alternative processing stream to be used when the consumer’s phone number is not provided by the network. Ceasing to compromise consumers phone numbers in this way would not prevent consumers from subscribing to legitimate services, but would dramatically reduce Payforit fraud.

·  You must balance your commercial interests against those of the individual’s. If they would not reasonably expect the processing, or if it would cause unjustified harm, their interests are likely to override your legitimate interests.

Consumers DO NOT expect their phone numbers to be compromised in this way. There IS evidence of considerable consumer harm resulting from this processing. The consumer harm is exacerbated by your company’s refusal to assist victims of Payforit fraud, leaving them to try to obtain refunds from companies often based in jurisdictions where legal action for small claims is almost impossible. I’d like some reassurance that in balancing individual interests against those of the company the widespread incidence of Payforit fraud was considered.

·  Keep a record of your legitimate interests assessment (LIA) to help you demonstrate compliance if required.

I would like to see a copy of your legitimate interests assessment of the disclosures involved in the operation of the Payforit API.

·  You must include details of your legitimate interests in your privacy

I can find no specific mention of this processing in your privacy policy.  It is disingenuous to lump this in with other disclosures to third parties, as the circumstances of the disclosure, and the harm resulting from it are entirely different.

In addition asking you to consider this complaint and answer the points contained within it, I am objecting to you making my phone number available through the Payforit API and asking that you cease doing so.

I understand that before reporting my concern to the Information Commissioner’s Office (ICO) I should give you the chance to deal with it.

If, when I receive your response, I would still like to report my concern to the ICO, I will give them a copy of it to consider.

You can find guidance on your obligations under information rights legislation on the ICO’s website (www.ico.org.uk) as well as information on their regulatory powers and the action they can take.

Please send a full response within one calendar month. If you cannot respond within that timescale, please tell me when you will be able to respond.

If there is anything you would like to discuss, please contact me on the following number [Your Phone No.].

I’d appreciate confirmation that this email has been received, together with the name of the current Data Protection Officer.

Yours sincerely

Paul XXXXXXX

paul@payforitsucks.co.uk

GDPR Template Letter for GiffGaff


Data Protection Officer
Giffgaff Ltd
Belmont House
Belmont Road
Uxbridge
UB8 1HE

Dear Sir or Madam

Information rights concern – Payforit API


I am concerned that you are not handling my personal information properly.

My concerns relate to the operation of the Payforit payment mechanism on your network. I have been helping numerous consumers who have been the victim of WAP Billing fraud through the Payforit mechanism which you operate. The system has a serious vulnerability which means that clickjacking and iFraming exploits embedded in a malicious webpage can result in consumers becoming unknowingly subscribed to Payforit subscription services. This vulnerability only applies when the consumer is accessing the internet via mobile data and results directly from the fact that GiffGaff supply the consumer’s phone number to the API.

In case you are unfamiliar with this, here is a link to the Payforit rules. If you refer to page 10 you will see that the processing includes a step where “At the same time, the mobile number of the consumer is transferred to the API by the consumer’s mobile network. “. This cannot happen if I access the same website using a WiFi connection.

I would like to know the basis on which this specific processing (the passing of my phone number to a third party via the Payforit API) is being carried out. I have never given explicit consent for this, so assume that it is being processed on a “legitimate interests” basis. I understand that this processing reduces the “friction” in purchasing certain phone paid services and that GiffGaff may seek to claim this is a “legitimate interest”. However it is not necessary, as it is quite possible for me to purchase those same services via a WiFi connection without GiffGaff compromising my phone number in this way.

We are not dealing with a few isolated cases here. If we were I would be less concerned. However it would appear that this mechanism is subject to widespread abuse and is being used as a method of defrauding consumers. To see the extent of the problem on the GiffGaff network, follow this link: https://community.giffgaff.com/t5/forums/searchpage/tab/message?q=payforit&sort_by=-topicPostDate&collapse_discussion=true

I think you’ll agree that the scale of the problem, on GiffGaff’s network  at least, is quite shocking!

I’m sure that the regulator, the Phone-paid Services Authority will have logged many similar cases.

It might also be worth mentioning to you that EE had a problem with WAP billing fraud (including, but not limited to Payforit) prior to February 2018, when they introduced a requirement for additional verification of the consumer’s consent to charge. This has virtually eliminated Payforit fraud on the EE network. A request for GiffGaff to take similar measures has fallen on deaf ears! https://labs.giffgaff.com/idea/16712363/require-2-factor-authentication-to-sign-up-for-payforit-texts?c=1#c86719 It is largely as a result of your failure to protect members from harm that I am making this complaint.

Rogue code embedded in a web page can result in a consumers phone number being passed to a third party, via the Payforit API without them even being aware that this has happened. I believe that the disclosure of consumers phone numbers to third parties by the Payforit API does not fall under the legitimate interest basis for lawful processing. This disclosure is causing considerable consumer harm and is unnecessary. Indeed, I can see no valid reason for not allowing consumers to opt out of this disclosure. The effect would not be noticed by the vast majority of consumers but Payforit fraud could be virtually eliminated.

Please ensure that your response is specific to the Payforit API. I’m not making a general enquiry about disclosure to third parties or seeking to dispute your right to pass my phone number for other legitimate reasons.

The ICO says the following about the legitimate interests basis: (my comments in italics)

·  It is likely to be most appropriate where you use people’s data in ways they would reasonably expect and which have a minimal privacy impact, or where there is a compelling justification for the processing.

I do not believe that consumers would expect their phone number to be passed to a third party when they click a link on a website. Even when the Payforit mechanism is used legitimately it is not made clear that this is what will happen. Indeed there have been instances where your customer services staff don’t even realise that this is happening! There is a clear privacy impact which results in consumers receiving unexpected charges which are almost impossible to get refunded.

·  If you choose to rely on legitimate interests, you are taking on extra responsibility for considering and protecting people’s rights and interests.

I would like to see evidence that you have properly balanced the interests of consumers against your business interests in your consideration of this particular mechanism. Note that I am talking solely about disclosure of phone numbers via the Payforit API and not any other mechanism.

·  There are three elements to the legitimate interests basis. It helps to think of this as a three-part test. You need to:

  • identify a legitimate interest;
  • show that the processing is necessary to achieve it; and
  • balance it against the individual’s interests, rights and freedoms.

I would like to see evidence that this three part test has been applied to the disclosure of phone numbers via the Payforit API.

·  The legitimate interests can be your own interests or the interests of third parties. They can include commercial interests, individual interests or broader societal benefits.

·  The processing must be necessary. If you can reasonably achieve the same result in another less intrusive way, legitimate interests will not apply.

I do not believe that this processing is necessary. The Payforit API provides for an alternative processing stream to be used when the consumers phone number is not provided by the network. Ceasing to compromise consumers phone numbers in this way would not prevent consumers from subscribing to legitimate services, but would dramatically reduce Payforit fraud.

·  You must balance your commercial interests against those of the individual’s. If they would not reasonably expect the processing, or if it would cause unjustified harm, their interests are likely to override your legitimate interests.

Consumers DO NOT expect their phone numbers to be compromised in this way. There IS evidence of considerable consumer harm resulting from this processing. The consumer harm is exacerbated by your company’s refusal to assist victims of Payforit fraud, leaving them to try to obtain refunds from companies often based in jurisdictions where legal action for small claims is almost impossible. I’d like some reassurance that in balancing individual interests against those of the company the widespread incidence of Payforit fraud was considered.

·  Keep a record of your legitimate interests assessment (LIA) to help you demonstrate compliance if required.

I would like to see a copy of your legitimate interests assessment of the disclosures involved in the operation of the Payforit API.

·  You must include details of your legitimate interests in your privacy

I can find no specific mention of this processing in your privacy policy.  It is disingenuous to lump this in with other disclosures to third parties, as the circumstances of the disclosure, and the harm resulting from it are entirely different.

In addition to asking you to consider this complaint and answer the points contained within it, I am objecting to you making my phone number available through the Payforit API and asking that you cease doing so.

I understand that before reporting my concern to the Information Commissioner’s Office (ICO) I should give you the chance to deal with it.

If, when I receive your response, I would still like to report my concern to the ICO, I will give them a copy of it to consider.

You can find guidance on your obligations under information rights legislation on the ICO’s website (www.ico.org.uk) as well as information on their regulatory powers and the action they can take.

Please send a full response within one calendar month. If you cannot respond within that timescale, please tell me when you will be able to respond.

If there is anything you would like to discuss, please contact me on the following number 07803 XXXXXX.

I’d appreciate confirmation that this email has been received, together with the name of the current Data Protection Officer.

Yours sincerely

Paul XXXXXXX

paul@payforitsucks.co.uk

GDPR issues

It has become apparent that the passing of phone numbers via the Payforit API could be considered a breach of GDPR. There is no guarantee that such a challenge will succeed, but I can see no good reason not to try. The regulations around this are complex and are often misunderstood. Victims of Payforit scams are often convinced that a breach of GDPR has occurred because they never gave explicit consent for their phone number to be given to third parties. If only it were so simple!

There are six bases on which personal data may be lawfully processed under GDPR. These are described as follows by the ICO:

The lawful bases for processing are set out in Article 6 of the GDPR. At least one of these must apply whenever you process personal data:

(a) Consent: the individual has given clear consent for you to process their personal data for a specific purpose.

(b) Contract: the processing is necessary for a contract you have with the individual, or because they have asked you to take specific steps before entering into a contract.

(c) Legal obligation: the processing is necessary for you to comply with the law (not including contractual obligations).

(d) Vital interests: the processing is necessary to protect someone’s life.

(e) Public task: the processing is necessary for you to perform a task in the public interest or for your official functions, and the task or function has a clear basis in law.

(f) Legitimate interests: the processing is necessary for your legitimate interests or the legitimate interests of a third party, unless there is a good reason to protect the individual’s personal data which overrides those legitimate interests. (This cannot apply if you are a public authority processing data to perform your official tasks.)

The two bases most likely to apply are “Consent” and “Legitimate interests”. As explicit consent has not been sought, it seems inevitable that the networks will try to justify their processing using the “legitimate interests” basis.

This is where things get a bit complicated. The networks do have legitimate interests in passing your phone number to third parties when, for example, you use a directory enquiries service, or make a text donation donation to children in need, or even when you make an international call which is handled by a third party. This use is entirely legitimate. Our phone service would cease to function if data wasn’t transferred in this way.

The case of the Payforit API is different. The processing is not necessary, as it is quite possible to sign up for phone-paid service without your number being supplied by your network.

The ICO requires that for use of the “legitimate interests” basis a three part test is applied:

  1. Purpose test: are you pursuing a legitimate interest?
  2. Necessity test: is the processing necessary for that purpose?
  3. Balancing test: do the individual’s interests override the legitimate interest?

The networks are likely to argue that reducing “friction” in the purchase of Phone-paid Services is a legitimate interest, so the Purpose test will be passed.

The Necessity test is more complex. It is NOT necessary for the networks to pass phone numbers to third parties through the API. They do it because it makes things a little simpler for the consumer. However it is not necessary.

The Balancing test is where I believe the networks will loe the argument. There is a great deal of evidence that the disclosure of consumers phone numbers through the Payforit API is causing consumer harm. This harm surely outweighs the minor incovenience of an extra step for consumers who really want to sign up for these services.

Indeed, it is hard to see any reason why consumers should not be allowed to opt-out of having their phone numbers passed to the API.

It is likely that the networks will try to confuse the issue by talking about the more general issue of passing data to third parties. In any complaint it will be necessary to be absolutely clear that we are talking about the Payforit API and nothing else.

GiffGaff Letter

I have drafted a letter which I will be sending to GiffGaff’s Data Protection Officer, highlighting my concerns.

This is a Microsoft Word document which you can download and adapt to your needs. The html version is here.

O2 Letter

This is a letter which you can use to make a GDPR complaint if you have been defrauded via Payforit. You will, of course need to amend it to suit your own situation, but it contains the essential framework to ensure your complaint is taken seriously.


This is a Microsoft Word document which you can download and adapt to your needs. The html version is here.

Phone-paid Services Authority consultation on subscription services

This consultation is now closed, so you will be unable to respond. The post is not being removed and will be updated when the result of the consultation is known.

 

The PSA are currently consulting on subscription services. Although the PSA have shown themselves to be ineffective as regulators and usually support the scammers at the expense of consumers, this represents an opportunity to do something to stop these scams.

Please respond to this consultation as a concerned consumer. This represents an opportunity to voice your disgust at the ‘Payforit’ system. Feel free to copy my own response (below), make up your own or to modify mine in any way you wish.

My response is currently a draft. If you have ideas for improving it or adding to it, please add a comment to the post and I’ll try to take it into account.

The closing date for responses is 15 October 2018.
Comments need to be sent , by email to consultations@psauthority.org.uk
or by post to:
Ms Emma Bailey
Phone-paid Services Authority
25th Floor,
40 Bank Street
Canary Wharf
London
E14 5NR

If enough consumers make representations concerning the poor regulation of these services, it might be possible to force changes.

The consultation document is here. Note the following important details:

  • Representations are more likely to be taken seriously if they conform to the specification provided in the document. Include supporting evidence from your own case and from similar cases found online.
  • PSA plan to publish all responses received, If you want all, or part, of your submission to remain confidential, please clearly identify where this applies along with your reasons for doing so.  You could for example, ask that your personal details are removed from anything they publish.

The questions as specified are:

Q1: What are your views on the review objectives set out on page 4? Has the PSA got the right scope or are there areas the PSA should include or exclude?

The objectives as stated are:

– consumers having the confidence to use the phone-paid subscriptions that they want
– the market is thriving and innovative – consumer interests are furthered through encouraging competition and innovation – there is the ability for existing services to operate effectively as well as for new services to enter the market
– there is compliance with the regulatory framework for subscriptions. This means that consumers are protected from harm in the market.

Your response could point out that in this ‘thriving market’, companies like SB7 Mobile and Lasevia Ltd are managing to acquire very negative reviews, with no consumers reporting a positive experience!

There is therefore ample evidence either that compliance with the regulatory framework is failing to protect consumers from harm or that compliance is not being properly monitored or enforced.

A reference to the Trustpilot reviews of these companies might be appropriate.

It is also worth pointing out that consumers have confidence in payment mechanisms which have clear disputes and refunds procedures.  Payforit has neither! Consumers also have more confidence, when they feel that they will be treated fairly in the event of a problem. By continually failing consumers, ‘Payforit’ has obtained a bad reputation in this respect.

Q2: Some subscriptions generate high levels of complaints, whereas others with similar numbers of subscribers generate very few. Do you have any views on the regulatory measures that would better support growth and innovation across the subscriptions, whilst ensuring consumers are protected from harm?

You could suggest various measures here.

i) That all subscriptions require two factor authentication.

ii) That phone numbers are not passed to third parties for charging purposes without explicit consent. Removing this ‘feature’ from internet access via mobile data would remove the root cause of many of those problem. ‘Payforit’ transactions would then always follow the WiFi processing paths.

iii) That all networks are required to provide a facility to opt out of ‘charge to bill’ services, and that all new contracts should require customers to opt in to these services if they wish to be able to use them.

Q3: Do you agree that different subscription services may require different regulatory responses? Do you have any thoughts on what this variation could look like?

I see no reason for services to be treated differently, but they should ALL provide an independent disputes procedure or ombudsman service. If this procedure was funded by a charge on each case referred, this would provide an incentive for services to treat consumers fairly and punish those services which fail to do so.

Q4: Is there any other information or evidence that you would like to provide to PSA to assist it to undertake more detailed analysis of the existing framework, including around where you see subscriptions heading?

A reference to what has happened in the USA and in Australia might be worth making. In the USA, networks have been fined heavily for ‘cramming’ scams. In Australia, the networks have been forced to abandon ‘charge to bill’ for subscription services after the threat of legal action and a great deal of public concern.

My draft response

Q1: What are your views on the review objectives set out on page 4? Has the PSA got the right scope or are there areas the PSA should include or exclude?

Unfortunately, current consumer experience with Phone-paid subscription services is overwhelmingly negative. It is hard to find any positive reviews of these services online. A look at the Trustpilot reviews of SB7 Mobile Ltd and Lasevia Ltd will show numerous negative reviews from consumers who believe themselves to be defrauded and not a single positive review (at the time of writing). Indeed, SB7 Mobile Ltd have sought to suppress valid criticism, rather than answer it.

This suggests that compliance with the regulatory framework is failing to protect consumers from harm or that compliance is not being properly monitored or enforced.

 

Q2: Some subscriptions generate high levels of complaints, whereas others with similar numbers of subscribers generate very few. Do you have any views on the regulatory measures that would better support growth and innovation across the subscriptions, whilst ensuring consumers are protected from harm?

Whilst being aware that there are other subscription methods (which generate few complaints), the main source of consumer harm appears to be subscriptions collected via ‘Payforit’ .

Payforit is an archaic and inherently insecure payment mechanism. It has not adapted to reduce the incidence of fraud as other payment mechanisms have. It doesn’t have a centralised service for complaints and disputes. It doesn’t have a refund mechanism. PSA are well aware of these shortcomings, but do nothing to encourage reform. They know that malicious code in a web page, or in a downloaded App can sign users up to these services, without the consumer being aware that it has happened. They have been aware of the use of these exploits for several years, but nothing has been done to prevent them. They sit on their hands instead of being proactive in bringing these frauds to a halt.

Consumers will compare the consumer protection offered by phone paid services with those of other payment methods (Paypal, Contactless Payments, Direct Debits, Credit Cards, Debit Cards etc). The providers of all these payment methods provide clear mechanisms for the resolution of disputed transactions. Payforit and other direct operator billing methods offer no clearly defined or published mechanism for the resolution of disputes.

If I dispute a direct debit with my bank, the burden of proof will rest on the payee to prove that the debit was authorised and not with the payer to prove that it wasn’t! If I report fraudulent transactions to my bank, they will take the matter seriously and put a stop on any further fraudulent payments. The MNOs don’t even offer this minimal level of support. Instead, they ask the consumer to send a message to the fraudster asking them to STOP. To add insult to injury, they are charged for sending this message!

Alternative payment mechanisms also offer a simple refund mechanism.   The  Consumer Rights Act 2015 and the Consumer Contracts Information, Cancellation and Additional Charges) Regulations 2013 both insist that refunds should be made to the account from which the money was originally taken, unless the consumer agrees otherwise. These laws are disregarded by ‘Payforit’ and PSA have indicated that they don’t consider compliance with these laws to be within their remit!

The fact that the ‘Payforit’ mechanism appears to be unable to provide refunds to consumers’ phone accounts makes the receipt of refunds difficult for consumers. I am aware of two methods currently being used for the majority of refunds:

  1. Post Office text based postal order. This has the advantage that the refunding company does not need any additional personal information from the consumer. It is the nearest thing they seem to be able to do to refunding to the consumer’s phone account. However, bearing in mind that the refunds are often for amounts less than £10, the method is disproportionately inconvenient for the consumer. I suspect that a large number of these refunds are never cashed! My wife received  refund by this method and she almost lost the will to live while waiting in the Post Office queue, for a £4.50 refund!
  2. A bank transfer. At the stage at which a refund is agreed, the only piece of personal information the company making the refund has is the phone number involved. Unless it has been willingly given, it doesn’t have any other personal data relating to the person claiming to own the phone number. In order to establish that the phone number which is the subject of the refund actually belongs to the consumer claiming it, it needs to ask for further personal information. Usually a phone bill or some similar document is requested. Some companies omit this step. This omission could be a breach of data protection legislation, as they have no way of being sure that the person they are refunding is the owner of the phone number from which the charges were original taken.

To obtain a refund, the consumer then has to provide bank details to a company which, as they see it, has already defrauded them. Some consumers are dissuaded from claiming a refund because of the amount of (unnecessary) personal data they are asked to supply. If it were possible to simply reverse the original charges, there would be no need for any additional personal information to be supplied.

To illustrate my concerns, I have reproduced below a few recent Social Media comments regarding the refunds issue:

the word stop is the only fix for this and costs 10p as for phoning waste of time and they could ask him for his bank details to give the credit back would you give them your bank details as I wouldn’t.
_______________________________________________________________________________
Lastly, I have just received a text from this scam company saying “We tried to call you back (I did get a missed call). the service has been STOPPED and a Goodwill refund to be issued. ” It goes on to say a refund will be received by SMS within 5 days and I should take it to the Post office who will give me a cash refund. Is this for real?
________________________________________________________________________________
They have now sent me a email agreeing to refund me via a text message that I would have to take into the Post Office to get a refund, they added it can take 10 – 7 days for this to happen, at the moment I have not replied this is clearly not satisfactory in my way thinking, they should return the money direct to my phone balance, I’m in a dilemma do I have to accept a refund this way or not, has anyone else got a refund direct to their phone balance.
________________________________________________________________________________
If someone else was also scammed: I just called the number 02071369911 and then pressed 3 and was connected to a lady that said she is in Belgrade, Serbia. She said she would cancel my subscription. I also gave her my email address, and then I received an email from info (at) jamster (dot) co (dot) uk saying that if I want a refund of my £4.50 I have to write back providing them with:
– Full name of the bank account holder
– Bank name
– IBAN (International Bank Account Number). UK IBANs start with GB and are 22 characters long.
– SWIFT-BIC (Branch Identifier Code) – The SWIFT-BIC code is either 8 or 11 characters long.
Do you think it is safe to give them this information?
______________________________________________________________________________
It is totally illogical that they are able to take money from my giffgaff account, but cannot put it back there, the same place they took it from, and then need my bank details. I decided to take a risk and gave them the information they asked for, since I heard that banks are required by law to refund customers, if unauthorized withdraws are made.
Jamster sent me an email, saying I should see the £4.50 refund on my bank account in 20 days. Let’s see.
_______________________________________________________________________________
They said
“Nevertheless, as the entry was cancelled so soon after being confirmed, as a gesture of goodwill we will refund you £4.50. Your refund will be sent to you in the form of a text message from the Post Office on Friday 15th June 2018 and it will clearly state the Post Office as the sender. Once you receive your text message you can take this to any Post Office branch at your convenience. There’s a unique barcode, which is valid for 30 days, within the message and all you have to do is to present the message over the counter and they will give you your funds there and then in cash.”
Are they serious?
______________________________________________________________________________
I would just like to give an update regarding the scam text I received. Following advice given on here I replied STOP to the short number and called the help number. Left a message stating that the subscription was unsolicited and requested a refund. I also lodged a complaint with the PSA. I received a text today giving a bar code number to be shown at any Post Office to claim back the £3 that was taken from my airtime. I did this and the Post Office gave me my £3 back. Thanks again for your help
______________________________________________________________________________
We did eventually get a refund, it took about six weeks to arrive, and came in the form of a text message which had to be taken to the post office! Unbelievable!

To obtain a refund, ‘Payforit’ requires the consumer to negotiate directly with the originator of the charge. What is worse is that, if the recipient of the payment fails to respond, there is no process to follow to resolve the issue. In the absence of a defined process, these uncooperative companies continue to trade for months, until the volume of complaints is such that PSA cannot ignore them.

It is not the role of PSA to adjudicate on individual disputes. However, it could insist on the introduction of a mechanism by which consumers can receive swift refunds when they are defrauded by rogue companies. Much of this could be automated, as it is with other payment mechanisms.

The problem is not that fraud happens. It will happen to some extent with any payment system regardless of the security and authentication measures put in place. Fraudsters are continually refining their methods and finding new ones. Most payment systems respond to attempted fraud by putting effort in to fraud prevention, but this has not happened with ‘Payforit’.

The problem is the lack of any defined process for the consumer to resolve their complaint (within a reasonable timescale) and obtain a refund if one is adjudged to be appropriate. Current arrangements would appear to be in breach of the Consumer Rights Act 2015 as it applies to digital services, in terms of methods and timescales for dealing with consumer complaints, and in terms of the refund process.

Large numbers of consumers have experienced unexpected charges as a result of these ‘Payforit’ subscription services. Although the amounts involved are usually small (£4.50 per week or less), the companies take advantage of the fact that many consumers do not check their bills, and many consumers lose significant amounts.  This ‘cramming’ fraud has been a persistent problem, not just in the UK but in many other countries. In the USA and Australia, there have been a number of high profile cases where MNO’s have been held accountable for fraudulent subscriptions.

https://www.itnews.com.au/news/telstra-hauled-before-court-over-premium-mobile-billing-487699

https://www.consumeraffairs.com/news/verizon-sprint-to-pay-158-million-for-illegal-cramming-of-customers-mobile-phones-051215.html

Many consumers have experienced great difficulty in getting fraudulent subscriptions stopped. The ‘Payforit’ system can be very confusing, particularly for consumers who do not receive an itemised bill. The text containing the subscription is often deleted as spam. The ‘payforit’ receipt text does not say which service it relates to. The number to which STOP is to be sent is often different to the number from which the subscription text was sent. The problem is often made worse for PAYG customers who do not receive an itemised bill.

There is no disputes mechanism. Many consumers have been successful in getting a resolution using the UK Small Claims procedure, but this is not available for companies based outside the UK. Currently the EU Small Claims procedure is an option for companies based in EU countries, but this may not be available after March next year. It is not acceptable that defrauded consumers are unable to seek redress because of the high costs of taking proceedings in a foreign court.

There needs to be an independent ombudsman to consider all cases where consumers claim to have been fraudulently charged. Given the ease with which these frauds can be perpetrated, and the inability of the regulator to recognise them, a refund should be given unless there is clear evidence that the consumer knowingly and intentionally entered into a contract.

Direct carrier billing currently enjoys a limited exemption from the requirements of the Payment Services Directive v2 (PSD2).

In fairness, direct carrier billing services should be subject to the same regulations as the payment services they are competing with. The directive provides additional safeguards to consumers. It reduces their potential losses from fraud, and requires the Service Providers to provide robust, two factor, authentication. The directive also forces Payment Service Providers to provide a proper dispute mechanism. Consumers using ‘Payforit’ are denied the additional protection these safeguards would have afforded them.

In February this year, EE , to their credit, introduced a system requiring a two factor authorisation with PIN for all subscription services. (PSA currently only require this for services charging more than £4.50 per week). There has been a dramatic reduction in complaints of fraudulent subscriptions from EE customers. This suggests that EE’s approach has worked. As a minimum, PSA should introduce a Special Condition requiring this for all networks.

It is notable, that although PSA currently recommend the use of two factor authorisation with PIN for services costing £4.50 or less per week, this is ignored by most, if not all, providers. I do not believe this to be accidental, as two factor authorisation with PIN will defeat most of the exploits currently used to implement fraudulent subscriptions.

 

Q3: Do you agree that different subscription services may require different regulatory responses? Do you have any thoughts on what this variation could look like?

Unfortunately, Phone-paid Services subscriptions have had a high level of fraud complaints for many years. The move from PSMS to ‘Payforit’ resulted in a temporary drop in these complaints, but these have since increased again. It is probably true to say that as soon as one door is closed, the fraudsters will find another. This means that it is likely that, given time, the fraudsters will find a way of circumventing any protection put in place.

There are two possible solutions:

  • More speedy and robust application and adaptation of the code of practice to protect consumers as soon as a problem is identified. Currently, one service has been causing  a high volume of complaints since the beginning of May. At the beginning of October, it is still operating and generating the same high level of complaints while PSA conduct a lengthy ‘investigation’! A speedy and robust response to problems like this would help protect consumers by removing the fraudulent service before significant damage is done.

or

  • A speedy, impartial and simple method of resolving disputes and providing  refunds to consumers for charges where consent cannot be indisputably proven. This could be funded by a charge to the service for each case referred, so encouraging these companies to behave responsibly. It would not be fair for these costs to be shared evenly between services since, as you have stated, some services generate much larger levels of complaints (and currently lack any concern about this!)

In view of the current inability of the PSA to protect consumers from scam subscriptions, and their failure to robustly apply the code of practice, my preference would be for all services to be required to be members of an independent ADR scheme. Funding for this scheme could be obtained by a charge to the service provider for each case referred to the scheme.

An alternative approach might be to raise the bar for entry in to this ‘industry’.

Where a subscription service carefully monitors usage of the service, and offers speedy refunds  when the service has not been used (or has been used only once at the time of subscription), then the current levels of regulation might be appropriate. If service providers have a reputation to protect, they are unlikely to indulge in the practices that are currently bringing phone-paid services into disrepute.

In Australia, where most third party subscriptions can no longer use direct carrier billing, some services, such as Google Play and Netflix, have been allowed to continue. By only allowing authorised, reputable companies to access the payment mechanism, the risk of consumer harm is much reduced.

 

Q4: Is there any other information or evidence that you would like to provide to PSA to assist it to undertake more detailed analysis of the existing framework, including around where you see subscriptions heading?

It is clear from the numbers of recent cases that the current ‘Payforit’ system is highly vulnerable to fraud. Furthermore, PSA are, on their own admission,  unable to tell the difference between a legitimate signup and one caused by malicious code.

OFCOM, in 2012, wrote:

Internet diallers

6.77 During 2004 PP+ received 57,743 complaints about services using internet dialler software. These included consumers being misled into clicking on an icon or banner, or accessing a website, which, without their knowledge, would trigger the download of software to their PC. That software then used their internet dial-up account to call premium rate numbers operated by the dialler software’s owner.

6.78 This scam demonstrates how a fragmented supply chain, with separation between the service provider and the billing party, can be exploited in an (unlawfully) opportunistic way. The greater transparency of PFI services would not prevent this harm. Rogue software can be embedded in such a way as to circumvent any verifiable method of consumer consent to charges (like a PFI checkout).

It follows that any supposed ‘consent’ from a consumer has to be viewed with suspicion, especially when that consumer is adamant that they did not consent. PSA seem too willing to accept such ‘proof’ of consent unquestioningly, and place the burden of proof on the defrauded consumer rather than the service provider. The system needs to be reformed so that automatic refunds are provided unless the service provider can prove consent indisputably. (currently not possible for the reasons above).

Some ‘services’ for example those operated by SB7 Mobile Ltd and Lasevia Ltd appear to have been created solely to exploit this vulnerability. Trustpilot reviews of these service are enlightening.

https://uk.trustpilot.com/review/sb7mobile.com

https://uk.trustpilot.com/review/lasevia.com

There is no evidence that these services have any genuine subscribers, and a great deal of evidence that they are causing consumer harm (despite the efforts of SB7 Mobile Ltd to suppress valid criticism on Trustpilot). Services like these damage the reputation of the entire industry.

The vulnerability of ‘Payforit’ makes it a target for fraudsters. A look at some of the services will show that many of them are ridiculously poor value for money.

Take Lasevia’s Books4You service. You can read 50 ‘Classic books’ (for Classic read out of copyright) for £4.50 per week (equivalent to nearly £20 per calendar month) They don’t even tell you what the books are before you sign up! Compare this with Amazon’s Kindle Unlimited offering at £7.99 per month,

‘Services’ like this are not set up to provide a ‘service’ to consumers. They are set up to exploit the vulnerabilities of the Payforit system. I’m sure there are a few legitimate services which consumers find useful, but I can’t find them, nor any consumers extolling their virtues.

Companies that genuinely wish to provide a service to consumers should be putting pressure on the PSA to put an end to the fraud and clean up the industry.

The Phone-paid Services industry needs to modernise and provide the levels of consumer support and fraud prevention that are expected of modern payment mechanisms. Consumers should be able to report problems with these subscriptions to their networks and have them dealt with in one phone call, not be passed from pillar to post in an effort to get a resolution. The fact that the networks process these, often fraudulent, transactions and then claim to be unable to refund or even stop them does not sit well with consumers.

Consumers should be able to opt out of the ‘Payforit’ system and not have their numbers passed automatically to third parties when they click a link on a website. The only way this can be achieved currently is by the consumer using a VPN or by restricting internet access to WiFi connections. There is no need for consumers numbers to passed to third parties in this way. It is quite possible to sign up to a phone-paid subscription on a wifi connection, but because the process is more transparent fewof the complaints I receive relate to signups over WiFi. Some may wish to avail themselves of the ability to sign up for subscription services without ‘friction’. Those people should have to opt in.

Consumer should also be able to opt out of third party charges to their account. Currently this is not offered by all UK networks, but is a legal requirement in many other juristictions such as Germany. MNO’s should not be allowed to offer access to these subscription services without also offering an ability to bar access to them. Charge caps on mobile phone contracts should also be required to apply to these charges.

I would go a stage further and suggest that consumers should have to opt in to the ability to subscribe to these third party services (in the same way as currently happens for adult services). There would be two major advantages to this:

  1. By having to opt in, consumers would be made more aware of the fact that clicking links on websites could result in unwanted subscriptions.
  2. Children and other vulnerable groups could be protected from harm. Many complaints relate to children or vulnerable adults becoming subscribed to Phone-paid services. Parents want to be able to give their children a phone without the worry of them running up unexpected bills. Many consumers believe that by blocking premium calls/texts, or by putting a spending limit on an account they can protect themselves but, as PSA are well aware, that  is not the case.

In Australia, where there have been ongoing problems with ‘charge to bill’ or ‘cramming’ fraud, the networks were eventually forced by public opinion (and potentially expensive law suits) to limit the use of ‘charge to bill’ to large companies with good customer service.

https://yescrowd.optus.com.au/t5/Blog/Third-Party-content-closure-for-Optus-Postpaid-and-Prepaid/ba-p/447448

https://www.telstra.com.au/mobile-phones/moreonyourmobile/premium-direct-billing-exit

The same could happen here if the industry does not put its house in order! There are many other, more secure, payment methods which could be used to pay for such services. There is no evidence that the benefits of the simplicity of ‘Payforit’ justify the high levels of consumer harm caused by the exploitation of its vulnerabilities.

If consumers are not to be properly protected, I would prefer to see legitimate services moving to these other payment mechanisms, and Phone-paid subscriptions abandoned as they have been in Australia.

 

 

 

Recent Nuyoo Complaints

 

SB7 Threatened Legal Action

I learnt today that SB7 Mobile have reported several of my tweets to Twitter as being illegal.

Hello:

We are writing to inform you that Twitter has received official correspondence regarding your Twitter account, @Payforit_Sucks.

The correspondence claims that the following Tweets are illegal:

https://twitter.com/Payforit_Sucks/status/1001810694164099077

https://twitter.com/Payforit_Sucks/status/1001886151228182528

https://twitter.com/Payforit_Sucks/status/1001887291378368514

https://twitter.com/Payforit_Sucks/status/1004075931277889536

https://twitter.com/Payforit_Sucks/status/1007288491015901185

https://twitter.com/Payforit_Sucks/status/1008430324613877760

https://twitter.com/Payforit_Sucks/status/1009167746813382657

Twitter has not taken any action on the reported content at this time. We are only writing to inform you of content posted to your account which has been mentioned in a complaint.

We may be obligated to take action regarding the content identified in the complaint in the future. Please let us know by replying to this email as soon as possible if you decide to voluntarily remove the content identified on your account.

If you believe we have contacted you in error, please let us know by replying to this email.

This notice is not legal advice. You may wish to consult legal counsel about this matter.

For more general information on legal requests, please refer to the following Help Center article: https://t.co/lrfaq.

Sincerely,

Twitter

I have now responded to Twitter, as follows:

Hi

Thank you for informing me about this complaint. I have reviewed the tweets in question and cannot see that they break any UK or EU laws. They do serve to highlight widespread legitimate complaints about the company (SB7 Mobile) which I assume made the complaint. This company has been seeking to stifle valid and justified criticism both on Twitter and on Trustpilot. It is the nature of a platform like Twitter that such criticism will be made, and the normal response is for the company to answer the criticism, not to try to get the criticism removed by claiming it is illegal. I would be interested to know the reasons supplied by the complainant for these tweets being illegal.

I therefore do not propose to voluntarily remove these tweets, or to desist from posting further tweets of a similar nature.

However, I have no wish to cause problems for Twitter or to be in any way unreasonable. I understand that you have to protect Twitter’s interests, and if, after review, you hold these tweets to be illegal I will voluntarily remove these and a number of similar tweets which have not yet been reported.

Best regards

Paul

Update 6th October 2018

Tonight I received a solicitors letter from SB7 Mobile Ltd. I think they took exception to me identifying that the home addresses of the directors could be found on a document at Companies House.

Let me clear, I would not condone harassing the directors, but consumers may wish to send them copies of correspondence  sent to the company, in particular, letters before action in the Small Claims court.

There is much legitimate criticism, and I would much prefer SB7 Mobile Ltd to answer these criticisms rather that try to stifle them.

My problem is not just with the industry-mandated payment mechanic. It is to do with the way that certain companies are exploiting the vulnerabilities of this mechanic to take money from vulnerable consumers.

SB7 Limited and Trustpilot

SB7 Limited (the company behind the Nuyoo ‘Payforit’ scam) are currently trying to get negative reviews removed by Trustpilot, for breaching Truspilot’s guidelines.
To be fair to Trustpilot, some of these reviews, posted by angry consumers in the heat of the moment did use bad language and terminology which might be hard to justify legally. I can understand consumers calling SB7 mobile thieves, but it is probably better to say that they took money without consent!

One reviewer whose review is reproduced below has repeatedly amended his review, to comply with Trustpilot’s guidelines, only to have it objected to again. This is now getting ridiculous.

The post, produced below, is a potentially valuable resource for consumers, which Trustpilot are now denying access to.

Whilst the accusation that a phone number was obtained ‘illicitly’ might be regarded as a serious accusation, it is substantiated by the fact that the company paid the full amount taken plus court fees in order to avoid having to defend their position in court. I can see little else in the review that justifies its removal. I certainly don’t see any ‘offensive remarks’. I invite Trustpilot to identify what the problem is, but am beginning to wonder how much they have been paid by SB7 Mobile to silence justified criticism.

An Update I hope this post helps someone regarding SB7.
I have suffered the shock of this company debiting my account to the tune of £300. I did manage to fix it though, here’s how.
Bit of history.
I first noticed this company had been debiting my bank account in March 2018, on closer inspection of my O2 invoices it became clear that this company had been debiting my account since 2016.
I had given my wife my old iPhone 4 after an upgrade to the then newer iPhone 7 sometime around 2015-16. My wife only wanted the phone for emergencies as she is a technophobe. I purchased her a simple sim with free text small amount data etc. she was very happy with it. Being a technophobe, I always advised my wife to simply delete any messages or text she didn’t recognize for security. I never felt the need to check my account with O2 as she rarely used it to phone many friends, it was only my phone I kept an eye on online. Until by chance I viewed my account for her number in March 2018. Ouch.
On viewing invoice history, it became apparent SB7 mobile Ltd had been debiting for texts sent to her number since 2016 @£4.50 per text? Sometimes 5 texts a month. Grrr. I was very angry.
The Fix (Tip: stay calm stay civil)
I composed a letter to this company demanding a refund for the monies debited from my account. I complained that they had obtained her mobile number illicitly and underhandedly.
I advised that if I had no reply within 7 days to my complaint I would pursue a claim through county courts. I had no reply from this company to the request sent.
I made a claim to the county court regarding this matter around 16th March 2018. On the 23rd March 2018, I received via post confirmation of my claim through the post from the County court.
The same day I also received the first answer from SB7 regarding my complaint with an offer of £180 as compensation without excepting responsibility. I refused stating that I had already started a court summons and that it was my intention to pursue full settlement of my account debits plus the expense of the court £325.27.
SB7 subsequently revised their offer to compensate for the full amount £325.27 to be paid via the post office message system. I agreed to this on the proviso that I would only close my claim with the courts on receipt of cash owed.
So, I now await the post office text message from SB7 mobile Ltd for a full refund.
Advice for you if you want to recover monies owed by unscrupulous companies.
Be polite but firm, state your complaint by e-mail, request a resolution, give 7 days’ notice. If you get no answer take out a court summons, you can do this online (£25).
Do a search google (for company info Directors etc) Glean a home address for a director or Directors and include this address within your county court claim.
Hope this info helps someone, if I can do it so can you!

in an ideal world I would we would all be checking our accounts regularly.
Unfortunately, most of us live in the real world where we are just trying to earn a living and get on with our daily lives. I, for example, have a joint account with my wife? There is no way I’m going to start challenging her for any expenses she makes? Lol
This isn’t about debiting large amounts of cash from individuals although this can happen as I have proved!
This is about understanding modern lifestyle and Volume? By these companies.
How they glean our phone numbers is irrelevant, but they have them? They have probably purchased them via a data exchange. Who knows.
I am betting nobody here with a complaint will bother to peruse a claim if it is of small amount let’s say £10 or even £20? Most people will text STOP to the relevant number and that will be that. A few of us will contact the company directly to complain and may receive compensation. But not many? These companies know that.
It’s the sheer volume of customers who have had this type of attack that matters? You can prove this searching google for company information and viewing the turnover? Unbelievable!
What’s needed is proper regulation by government and accountability by this type of company.
Update 22nd June 2018
I have today received an email from customer support at Trustpilot after a complaint from SB7 mobile regarding specific wording within my post. I have edited my post to comply with Trustpilot’s terms and conditions as requested.
Thank you Trustpilot your service is excellent I can’t praise you enough.
I can also advise that SB7 Mobile (or associated companies) Paid the debt in full after my complaint. Thank You.
Update
7th July 2018
Received another email from the Trustpilot compliance team advising my post contained offensive remarks?. Begining to see a trend here where these companies take offense at our postings and complain? they then raise a compliance issue in the hope Trustpilot remove the post?

I shall try to retrieve other reviews when they are posted and will repost them on here when they are removed from Trustpilot, so that readers can decide for themselves whether the removal was justified.

If your review is one of those that has been removed, please amend and resubmit it. Don’t use bad language and avoid calling the company thieves or crooks. Just state the facts and let them speak for themselves.

Bodyin8 scam June 2018

In June 2018 there were a large number of reports about Bodyin8. The flow of complaints has abated somewhat, but the company is still the subject of complaints in February 2019.

They operate through a Level 1 provider called Tap2Bill who are responsible for the 83463 shortcode which is associated with quite a few of these scams.

At the time of writing they are not showing on the PSA Number checker. However the customer service number given in the sign up text is 03300538661. This number appears to belong to Mobile Payment Support, a company to which Bodyin8 have contracted out their customer service. MPS appear to be near impossible to deal with, so the advice is to deal directly with the company, using the Small Claims procedure.

The company behind Bodyin8 is Well Fitness Ltd (Company number 09994445). The registered address is : Onega House, 112 Main Road, Sidcup, Kent, United Kingdom, DA14 6NE.

I am not currently aware of any email address which can be used for Bodyin8, so it may be necessary to send correspondence by post to their registered address.

Advice if you’ve been affected by the Bodyin8 scam.

Unfortunately, the way that this works is that you have to contact Bodyin8 and get them to stop the subscription. You should also ask for a full refund of any money they have taken. You are entitled, under Section 45(3) of the Consumer Rights Act 2015 to insist that this refund is made back to the account from which it was taken. Under section 45(4) of the same act, any refund needs to be made within 14 days of it being offered and accepted.

If Bodyin8 do not co-operate or do not refund in full, you can then revert to your own network, and ask them to take action under the Mobile Operators Code Of Practice for the management and operation of PFI (Payforit).  O2, EE, Three and Vodafone also have their own procedures for handling ‘Payforit’  and these are linked on this page which gives more detailed advice on how to proceed if you are refused a full refund.

Ultimately if a full refund is refused Bodyin8 have paid out when faced with the possibility of a claim in the small claims court.  Legal action, through the small claims court, is likely to be the fastest and most successful approach to resolving a dispute with Bodyin8. They don’t dispute that they have taken your money. Ultimately they have to prove that you knowingly consented to the payments or make a full refund.

You should also complain to the Phone-paid Services Authority  (PSA) about the unauthorised charges. The regulator will not handle individual cases, but will take action if specific companies generate a disproportionate number of complaints. PSA have informed us that they are already investigating this company.

Sample reports of the Bodyin8 ‘Payforit’ scam

I hate these scams – what can I do to help?

What can I do to help?

So you’ve done all you can to sort out your own case, but feel a sense of burning injustice about the ease with which scam companies can help themselves to consumers money. What else can you do?

Reviews of Companies

These companies are supposedly ‘trusted partners’ of the mobile networks. A read of their reviews on Trustpilot and on Facebook will tell you that these companies are anything other than trustworthy. Adding to these negative reviews can help reinforce this impression. No need to write an essay (unless you want to), just a one star review and a comment that says they tried to took your money without consent.

Reviews of the Regulator

If the regulator has failed to properly investigate your case,  has come to a perverse decision or has just been generally obstrutive or unhelpful, you can add to their reviews on Facebook. The regulator seems to believe it is doing a good job. It plainly isn’t.

Formal Complaints about the Regulator

The regulator enjoys a rather too cosy relationship with many of the companies it is supposed to be regulating. You can’t complain just because you don’t like the outcome of their investigation. You can complain if you don’t believe they have investigated properly, or if after their investigation they come to a conclusion which couldn’t be justified on the basis of the evidence. If they have found that ‘on the balance of probabilities’ the service provider has done nothing wrong, then they are saying ‘on the balance of probablities’ you are a liar. Make them justify this view!

Details of the complaints mechanism are here. https://psauthority.org.uk/about-us/complaints-about-us

Complain to your MP

MP’s have so far not shown much interest in this issue, but if there are sufficient complaints they may do so.

Respond to Public Consultations

The regulator regularly consults on it’s priorities and to changes to its Code of Practice. It rarely gets any responses other than those from the ‘industry’. In December 2017 PSA launched a consultation on its priorities for the next financial year and I submitted a response. I believe that it is partly as a result of this response that the are now going to review the rules for subscription services.

It is likely that these changes will go out for public consultation. It would be good for them to receive a large number of public responses demanding radical reform, including making ‘Payforit’ opt-in rather that opt-out. I’ll put an outline response on the website when the consultation is announced.

Help with this website

Running payforitsucks.co.uk is time consuming. Picking up consumer complaints on the forums of the networks and on Twitter and providing responses pointing to relevant help is time consuming, and I have to take holidays sometimes. We could always use additional content on the site. I’m happy to provide access to the site to consumers who wish to contribute their own unique perspective on ‘Payforit’. Please help build public awareness of ‘Payforit’ scams, as this is the best tool we have to get reform.

Legal Action

Tom (mailto:tom@payforitsucks.co.uk ) is keen to see legal action taken to force a judicial review of the law governing ‘Payforit’. Aspects of ‘Payforit’ are clearly dubious, but challenging the legality in court is an expensive and complex process. Decisions made in the Small Claims court do not set a legal precedent, so it is necessary to go to a higher court, where, no doubt, the other side will field a team of skillful barristers to ensure that the current gravy train continues.

Legal Action

The reason payforit scams are so prevalent at the moment is that the regulations in place are much to weak.

 

Dishonest fraudsters will always be out there, but generally people only ever commit fraud or theft if they think they can get away with it. The answer to stop pay for it scams is so simple. Make it as difficult as possible for fraud to occur but still allow merchants (Level 2 providers) who do provide a valued service to continue to grow and expand their businesses.

 

The easiest way to achieve this objective is to make the Mobile Network Operators (MNOs) responsible for any fraudulent activity on a customers account, as long as the customer has not been negligent in any way. If this was implemented, as the industry grows and develops, the MNO’s would have ultimate responsibility to adapt their required security features to protect their customers, much like every other other payment mechanism for goods or services that exists today.

 

OFCOM acknowledges on their website that Rogue software can be embedded in such a way as to circumvent anyverifiable method of consumer consent to charges. MNOs claim that with payforit they are simply providing a service, in much the same way that they provide with phone calls or a text messages. MNOs would argue that it is the responsibility of the phone user and Level 2 providers to ensure that there are agreements in place for digital content purchased on a mobile phone, and that the agreements are consensual and legitimate. On the face of it this is not an unreasonable position to hold because MNO’s should not be held responsible for the text messages, phone calls and subsequent charges that their customers incur. After all, even if a phone is stolen, until the MNOs are notified of the stolen phone the MNO’s are legitimately providing a service in good faith. why should not liable for the calls or text any thief makes?

 

There is an important difference though, call and text billing security is generally reliable, it is very rarely the MNO’s responsibility if fraudulent calls or text messages occur on a customers bill. (There have been cases where MNOs have been notified of a theft of a phone and failed to act accordingly, but generally security is very good and it is rare the MNO is at fault.) However, imagine a hypothetical scenario whereby MNO’s security measures in place were so poor that they routinely allowed fraudulent cloning of their customers SIM card details through no fault of their customers. In this hypothetical situation, it would be the inherent weakness of the MNO security systems that facilitated this hypothetical fraud. Because it would have been the MNOs weak security they would have to compensate customers costs and it would be entirely unreasonable to expect the phone user to foot the bill.

 

Going back to the issue with payforit, when rogue software can be embedded in a mobile phone utilising “clickjacking” “iframing” “sticky pop ups”  and other nasty tricks, because the MNOs do not have any security features whatsoever before offering third parties access to their customers money, they are negligent. It has become unreasonable for the the MNO’s to offer such an inherently unpredictable service without providing any protection for their customers, the reason so many have been caught with payforit scams is not down to the customers negligence, it is the MNOs themselves who have been entirely negligent by not having security requirements.

 

Given it is the weakness of the system that fraudsters are exploiting, and that phone users are generally not being negligent this puts MNOs back squarely into the frame for ultimate responsibility, and they need to be held to account. My objective is a big court case to put this argument forward that forces the greedy MNO’s to refund ALL disputed purchases made on a mobile with no security requirement to be refunded without question.

 

OFCOM have given responsibility for regulating this shady industry to the Phone Paid Services Authority (PSA.) The PSA are funded by the MNOs, and have no powers to investigate individual cases and the system keeps penalising consumers and needs to change. I am not a lawyer, but I think individuals taking their own cases to the courts are unlikely to succeed for a number of reasons. Firstly any victories at the County Courts are not binding so each case will be looked at on a case by case basis and would be difficult to orchestrate a collective strategy. Secondly in my case the Level 2 Provider who scammed me had offered a refund and effectively accepted liability.

My personal opinion is that a Judicial Review against OFCOM or the PSA is the best way to move forward. A Judicial Review on the Grounds that the PSA Code of Practice or Communications Act 2003 are unlawful, because they wrongly absolve MNO’s of their collective responsibility, and provide no stipulation that MNOs are required to be able to refund back using the same method as was used to take payment.  This is a clear breach of s.45(4) of the Consumer Rights Act 2015

This will not be easy or cheap, and will require legal advice, Court Fees etc but I welcome any suggestions on crowdfunding, or pro-bono legal advice etc that can be offered to get this Court action started.