EE forum post by moog concerning EE mobile portal scams

by moog Established Contributor

Re: Why is we allowing bounce mobi on their network? It is fraudulent company

This is not the fault of the customer so stop blaming us…. just stop it!

 

The reason why this forum is full of complaints about the following PMConnect services is that their payment pages are not secure and are being hacked:

 

These are the services offered exclusively against EE customers and presumably the ads that push to these pages are paid for and targeted accordingly… only EE customers are victims.

 

Here is the bounce games payment page:

Unsecure non-HTTPS page

This page is not secured by HTTPS and so is wide open for hackers.

Notice the text “Charges added to this EE mobile bill”. This text is hard coded regardless of what type of connection or device is used… so the page has been designed to be used against EE customers to make payments against EE accounts… this alone is very worrying.. why only EE.. Why are they not using PayforIt?

 

EE have for over two years denied having an agreement with this company despite the fact that these services are designated in the PMConnect Ltd terms and conditions as “Mobile Portal Services” that according to Ofcom can only exist as a relationship between 3rd party and Network. All the other direct to bill services must use the heavily regulated (via PSA) PayforIt scheme.

 

Now there are two possibilities here:

 

  1. EE are complicit and are using every trick in the book to deflect this issue.
  2. EE are not complicit and are simply not addressing a very serious issue by sheer negligence and bullheadedness on the part of its staff.. not our problem.

Regardless of the reason it is clear that EE accounts are being targeted by malpractice of some sort against this company’s insecure payment pages. EE can only be negligent if they do not at least investigate and protect their customers.

Complaining to PSA

Step 3 – Make a complaint to the Phone-paid Services Authority

If you have been signed up without consent to one of these premium rate services it really is important that you report it.

It is contrary to the PSA Code of Conduct to sign people up for these services without their consent, and these companies need to be shut down quickly. Your complaint may help others.

Before complaining you need to know the following.

  1. The premium rate service the number relates to. This can be retrieved either from your text message confirmation or your phone bill.
  2. The name of the company providing the premium rate service.
  3. Your personal details, such as your name, address and contact details.
  4. The name of your phone or mobile network.

You do not need to attach a copy of your phone bill to make a complaint to PSA.

To make a complaint:

Go to the number checker on the PSA website: https://psauthority.org.uk/about-us/number-checker.

Put in the shortcode you are complaining about and click ‘Check it!’. You may need to complete a Captcha challenge in order to proceed to the next stage.

The next screen shows details of the company(s) responsible for the shortcode. Towards the bottom of the page there is ‘If you are unsatisfied with the outcome from the service provider, please get in touch with us here.’. Click on ‘here’ and you will be taken to the complaint form.

The more information you can include in your complaint, the easier it will be for PSA to take action.

If you find the online process too cumbersome you can complain by ‘phone on 0300 30 300 20 (Monday – Friday, 9.30am – 5pm, excluding bank holidays). This is charged as a normal landline call.

You can also contact them via Facebook messenger.

If you still have problems making a complaint, contact me through this site for help.

After complaining to PSA you need to consider how to protect yourself from these scams in the future.

Step 4 – Protect yourself

Refunds

Step 2 – Getting a refund for charges already made.

Once you have successfully stopped the texts, it is time to set about getting a refund. Don’t expect your network to be helpful, but you can ask. If you get help please report it by leaving a comment below. There are reports of some networks arranging three way calls with these companies to assist customers. If they do this for you they are doing much more than they are required to do at this stage and deserve a pat on the back.

Getting your money refunded can be very simple or almost impossible. If the amount of money is small, you will probably get a refund from the ‘service provider’ without any problem. If the amount is larger, they will probably offer a partial refund. Don’t accept a partial refund!

Start as you mean to go on. You need to collect evidence, so record all calls, keep all texts and ask for confirmation in writing where appropriate.

The chances are that your network will not be in the slightest bit interested. The logical argument that they allowed the charge to be made and therefore should accept some responsibility won’t work.

So it is left to you to seek a refund.

Call the ‘service provider’ on the helpline number provided in the text. Make sure you record the call. Better still, if you have an email address, deal with the matter by email. The advantage of this is that you will have a clear record of what was said and what was promised. Be absolutely clear that you never consented to their charges and ask for proof of that consent. Ask for the following:

  • Screenshots of the subscription workflow where you were alleged to have signed up for this service.
  • A description of what the service you are supposed to have subscribed to provides. Is this a newsletter, access to a web portal, a competition? How would it have been accessed if you had used it?
  • Any evidence that after supposedly signing up for the service, you actually used it
  • The complete web server log of the subscription, including the User Agent strings containing all device details (browser, device type, device IP address) together with dates and times.
  • Full company details of the company operating the service, country of registration, full name of company, company number and registered company address.

Remember that under the Consumer Contracts (Information, Cancellation and Additional Charges) Regulations 2013, the burden of proof rests with the service provider and not with you. You don’t have to prove you didn’t subscribe, they have to prove that you did! Tell them that you want a full refund of all the charges made to your account. Different companies will respond in different ways to this request. Many of the slightly more reputable companies will admit that they hold no evidence, or at least that they had ‘technical difficulties’ and will proceed to make a refund by one of the mechanisms listed below. The reality is that, because it often takes weeks for consumers to notice these charges on their bills, by paying refunds they avoid complaints. This results in fewer complaints about their ‘service’ and consequently they are able to operate for longer before being closed down.

Others will insist that you consented to their charges and will steadfastly refuse to make any refund. Some will tell you to apply for a refund by email – to an address which never receives a reply. When emailing, request a delivery receipt and a read receipt. If you get these back, keep them as evidence.

If a full or partial refund is agreed it will not be credited back to your ‘phone account. This is an example of just how broken the Payforit system is. Money is taken from your ‘phone account. If a refund is agreed you would expect it to be credited back to the same account. But this is ‘not technically possible!’.

The refund is likely to use one of two mechanisms:

  1. A PayPal payment to your email address
  2. A text message sent to your ‘phone which has to be presented to a Post Office for payment.

You are entitled to insist on a refund to your phone account. This right is enshrined in the Consumer Rights Act Section 45(3). If you want to be difficult you can insist on this. Additionally, section 45(4) of the Consumer Rights Act allows 14 days for the refund to be made once it has been agreed. Keep evidence of the agreement to refund and the date it was agreed and the method which was agreed. I wouldn’t advise giving any additional personal information to these companies, so the refund options are somewhat limited.

If all attempts to get a refund from the scamming company fail, you can then go back to your network. Present them with the evidence that you have attempted to negotiate with the service provider, but say that you remain dissatisfied. Remind them of the Mobile Operators’ Code of Practice for the management and operation of Payforit. Ask them to provide the support that this Code requires. If the scammer has failed to engage with you, failed to provide evidence of your consent to the charge, or if the contact information supplied doesn’t work, you may have a case against your network. You will have done everything they asked you to do and it hasn’t worked! In these circumstances Ofcom expect them to provide help and to make their own investigation. There is some evidence that the networks will make an ‘ex gratia’ payment to avoid bad publicity and avoid accusations of negligence.

If the network refuses to help you, you will need to consider other courses of action. It is important to follow the process correctly in order to maximise your chances of success should the matter go to the Ombudsman, ADR or to the Small Claims Court.

Regardless of whether you are successful in getting a refund, there is still more for you to do!

Step 3 – Making a complaint to the Phone-paid Services Authority.

I’m receiving unexpected ‘Payforit’ charges – what should I do?

Step 1 – STOP further Payforit charges from the same source.

example of the text we want to stop

If you are receiving text messages like those above, you need to stop them to avoid further charges.  Don’t ignore them. Don’t waste time at this stage arguing with your network. Your network will almost certainly tell you to go and negotiate with the third party company who have taken your money. They won’t take responsibility and are unlikely to help you. You need to take action to prevent further unauthorised charges to your account. The best way to do this is by phoning the number given in the received text. If you phone, you can ask for a full refund of the charges at the same time. Tell them you never knowingly subscribed to their service and that you require a full refund.

If you phone, record the conversation so that there can be no subsequent dispute about what was said.

If you prefer, or if you are within a ‘free trial’ period, you can send a STOP  text to the shortcode given in the text. In the example above it is necessary to text STOP or STOP ALL to 83463 to prevent further charges to your account. ‘STOP ALL’  should stop all services on the given shortcode. This can be useful if you have, or think you might have, been signed up to more than one service. There are two problems with stopping the charges by sending a STOP text:

1.  The text is chargeable (usually only 10p)

2. The companies sometimes take your sending of a STOP text as an indication that you accept the charges already made. This makes getting a refund more difficult.

You need to be sure to send the STOP message to the shortcode number in the subscription text. This text should be charged at your standard network rate. You should receive a confirmation text to confirm that you have been unsubscribed. Keep these texts until the whole matter is satisfactorily resolved.

Sending a STOP text and getting confirmation

Ask for confirmation of anything agreed in writing to avoid subsequent disputes. If they refuse to do this, send them an email outlining what you believe was agreed and asking them to contact you if anything in that email is disputed. Obtain delivery and read receipts for emails and retain these until the matter is resolved.

Basically, these companies are operating fraudulently and you should not trust anything they say. Judge them by their deeds and not by their words!

The charge receipt comes from Payforit and looks like this:

It is no use replying to this message, or indeed sending any message to Payforit.

Sometimes, all that is received is the Payforit receipt. In this case you need to identify the five digit number which is originating the charges.

If the Payforit receipt text is received without the accompanying sign up texts, you won’t know who to contact to stop the fraudulent subscription. In this case you have a deduction, but you don’t know what it is for.

What to do if you can’t identify the originator of the charges

Try to approach the process in an organised and businesslike manner. Record calls and keep texts. Ask for written confirmation of anything agreed verbally. Most people get a full refund, but you do need to follow the process. You can rant all you like at your network, but the system makes it difficult for them to stop the charges. I agree that they could and should do much more, but if you delay in taking action yourself you will weaken your legal position.

If you’re not clear what Payforit is, look here.

Stopped the texts? Time for Step 2 – try to get a refund.

 

Barring Third Party Charges

Step 4 – Protecting yourself from further scams

Update 10/04/2018

O2 now claim to be able to apply a ‘charge to bill’ bar which is effective against Payforit.


Update 29/03/18  Three inform me that they are unable to implement a ‘charge to bill’ bar for their customers.

There is a lot of confusion about what is possible to avoid third party charges to your ‘phone account.

Barring premium rate texts is sometimes proposed as a way of stopping these scams. It won’t work. It will prevent you sending premium rate texts, and may prevent you from seeing incoming premium rate texts. It will not stop you from being charged for incoming premium rate texts.

To stop these charges, you need a bar on third party charges to your account. At the time of writing it would appear that Vodafone, O2 and EE can put this bar on your account, while Three can’t (or won’t?). If you have discovered otherwise, please comment on this post and let us know what your network can or can’t do.

You can test whether you have a charge to account bar in place by using a bus information service as follows – it shouldn’t cost more than about 25p:

Send a text to 87287.  In the body of the text just put 54321

It’ll cost your standard network text charge to send the text.
And another 12p to receive the reply.

Check your balance before you send the text

The test is, do you also get charged another 12p, and will a reply arrive.

Do let us know how you get on if you try this test. If your network has successfully applied a bar, please leave a comment so that this post can be updated.

The problem with Payforit – Why we need an ombudsman

Payforit is not a company, but is the name given to a system of making charges to ‘phone bills. The system is run by the four major networks (O2, Three, Vodafone and EE).

Many consumers are unaware that when they are browsing the internet over a 4G connection,  clicking on a link can result in their phone number being passed to a company to be used for charging purposes. This is fundamentally different to what happens when using a WiFi connection, where the consumer would have to knowingly enter their phone number.

The Payforit system assumes that all the companies making charges through it are reputable and will deal with complaints. In reality many of these companies (especially the scammers) are almost impossible to talk to. The helplines are often automated with no option to get a complaint dealt with by a human being.

When a consumer receives a charge on their bill, their first response is to call their network. The network denies all responsibility saying it is a third party charge. They are told to ask for a refund from the third party which has charged them.

The consumer takes this advice and tries to contact the company on the published helpline number. If they are lucky the helpline will respond with a quick refund. The scammers do this because it enables them to reduce the number of complaints, thereby lengthening the time they are able to operate. If you are unlucky the company will refuse to refund you, or worse still will be impossible to talk to.

At this point the consumer may go back to their network. The network will still not accept responsibility and will refer them to PSA.

The problem with PSA is that it is not an ombudsman or a dispute resolution service. It doesn’t deal with individual complaints.

So the consumer is left with no means of resolution other than the courts. He could go to the small claims court (which will mean he has to shell out more money!). The claim is unlikely to be disputed and he will probably succeed in getting a judgement. The problem then is in getting the judgement satisfied. Most of these companies have a headquarters address which is nothing more than a post office box. There are no assets to track down and there is no property to put a charge on.

Given the huge volume of complaints about these services, an ombudsman service is urgently required.

PSA Consultation on Business Plan 2018/19

The regulator is currently consulting on its business plan for 2018/19. The PSA seem to live in a bubble where they are unaware of the scale of consumer dissatisfaction. It is estimated that only about 2% of defrauded consumers take the time to make a complaint. Whilst the regulator lacks effectiveness, they continue to pat themselves on the back for doing a good job!

https://psauthority.org.uk/blogs/2017/december/consultation-on-our-business-plan-and-budget-2018-19

I am making a submission as an interested consumer and I would urge others to do the same. The regulator needs to understand that there is a serious problem here and that consumers need a reliable method of obtaining a resolution when they dispute a Payforit transaction.

My response to the consultation can be read here.

The closing date for responses is 26th January 2018. Instructions for submitting responses are in section 8 of the consultation document, and are also reproduced below.

8. Consultation Process
8.1. Please structure your consultation response as answers to the following questions:

Q1 – Do our plans for 2018/19 sufficiently deliver our role as a regulator? What else do you think we should be doing or not doing?

Q2 – Do you have any comments on the proposed budget for 2018/19? If you recommend any changes, please clearly identify which areas of activity you expect this to impact upon.

Q3 – Do you have any comments on the proposed levy for 2018/19?

Q4 – What is your view on the estimated size of the market for 2018/19?

Q5 – Do you have any other comments on the Business Plan and Budget 2018/19?

8.2. We plan to publish the outcome of this consultation and to make available all responses received. If you want all, or part, of your submission to remain confidential, please clearly identify where this applies along with your reasons for doing so.

8.3. The closing date for responses is 26 January 2018, which is designed to allow the time necessary to issue notices regarding changes to the levy in good time for the start of the financial year on 1 April 2018.

8.4. Where possible, comments should be submitted in writing and sent by email to: pbarker@psauthority.org.uk
Copies may also be sent by mail to:
Peter Barker
Director of Corporate Services and Operations
Phone-paid Services Authority
25th Floor, 40 Bank Street
Canary Wharf
London E14 5NR
Tel: 020 7940 7405
If you have any queries about this consultation please telephone or email Peter Barker using the above contact details.

My response to the consultation. Feel free to use this as a model if you also wish to make a response.

Been scammed – Here’s how to complain to the Phone-paid Services Authority

 

Even if you have received a refund, you should still complain. It is contrary to the PSA Code of Conduct to sign people up for these services without their consent and these companies need to be shut down quickly. Your complaint may help others.

You can complain if you feel that the PSA guidance on consent to charge has not been followed.

Before complaining you need to know the following.

  1. The premium rate service the number relates to. This can be retrieved either from your text message confirmation or your phone bill.
  2. The name of the company providing the premium rate service.
  3. Your personal details, such as your name, address and contact details.
  4. The name of your phone or mobile network.

You do not need to attach a copy of your phone bill to make a complaint to PSA.

To make a complaint:

Go to the number checker on the PSA website: https://psauthority.org.uk/about-us/number-checker.

Put in the shortcode you are complaining about and click ‘Check it!’. You may need to complete a Captcha challenge in order to proceed to the next stage.

The next screen shows details of the company(s) responsible for the shortcode. Towards the bottom of the page there is ‘If you are unsatisfied with the outcome from the service provider, please get in touch with us here.’. Click on ‘here’ and you will be taken to the complaint form.

The more information you can include in your complaint, the easier it will be for PSA to take action.

If you find the online process too cumbersome you can complain by ‘phone on 0300 30 300 20 (Monday – Friday, 9.30am – 5pm, excluding bank holidays). This is charged as a normal landline call.

You can also contact them via Facebook messenger to ask questions, although you cannot submit a complaint this way.

If you still have problems making a complaint, contact me through this site for help.

If PSA try to discourage you from complaining, for example by insisting that you ask the company for details of how you signed up, be insistent. It is their job to investigate, not yours! Don’t forget you can message PSA on Facebook or Twitter and these conversations can be seen by the public!

You can also leave a review of PSA at https://www.facebook.com/pg/psauthority/reviews/

Having problems with your complaint to PSA?

Payforit Sucks – Here’s Why

Welcome

Welcome to Payforit Sucks. This site is dedicated to highlighting the security issues with the Payforit system implemented by all of the major UK mobile networks.

What is Payforit?

Payforit is a mobile payment scheme which was originally set up by the four “big” UK mobile network operators, EE, O2, Three and Vodafone. The Mobile Virtual Networks like GiffGaff, Virgin and Tesco are not directly involved but are consulted and share in the profits.

It allows subscribers to purchase goods and services, directly from their mobile phone. Purchases made through Payforit are charged depending on whether the subscriber is on a pre-paid (or “Pay as you go”) plan, or whether they are on a pay-monthly plan.

In the case of a subscriber on a pre-paid plan, the charge will be deducted from the subscriber’s credit or airtime. If the subscriber is on a pay-monthly plan, then the charge will be added to their monthly phone bill.

How does Payforit work?

Payforit provides the facilities to bill mobile users directly through their mobile phone. There are two common methods, single-click billing and Wi-Fi billing. (1)

Single-click billing works only when the subscriber is browsing via their mobile data, and cannot work if the subscriber is using Wi-Fi. With single-click billing, all the subscriber needs to do is simply to click or tap a button, and the charge is immediately made. The phone number is automatically detected over mobile data, which is used for the billing of premium-rate services.

With Wi-Fi billing, things become more complicated. It is not currently possible to detect a subscriber’s mobile phone number through a Wi-Fi connection (unless it’s a “personal hotspot”, or mobile broadband connection, in which case single-click billing applies instead), so the Payforit system will request the phone number of the subscriber. The subscriber enters their phone number, and a text is sent to that number with a confirmation code. The confirmation code needs to be entered into the Payforit system, in order to authorise the charge.

Stop Payforit helping thieves

So what’s the problem?

Briefly, when browsing or using Apps on a 4G network, this ‘service’  is capable of passing your phone number to a rogue trader and then allowing them to take money directly out of your phone account. Many consumers are unaware that this can happen and are shocked when they become the victim of one of these scams.

Payforit can be abused by scammers, especially in the single-click scenario, mentioned above. The single-click billing method requires no “real” authorization, other than clicking a link or a button in a web page, whereas the Wi-Fi billing method requires the user to receive a text message, and enter information from that message into a website.
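The difference between the two authorisation paths described above, as an added example that is not part of the original site and not the Payforit scheme's own code: a simplified Node.js model in which the single-click path charges on the bare arrival of a request, while the code-confirmed path charges only once a texted code is returned. All names (`authoriseSingleClick`, `CodeConfirmedBilling`, `msisdnFromNetwork`), the five-minute expiry and the three-attempt limit are assumptions made for illustration.

```javascript
// Added example: simplified model of the two authorisation paths.
// Every name and limit here is hypothetical, not taken from Payforit.
const crypto = require('node:crypto');

const CODE_TTL_MS = 5 * 60 * 1000; // assumed validity window for a code
const MAX_ATTEMPTS = 3;            // assumed number of guesses allowed

const sha256 = (s) => crypto.createHash('sha256').update(String(s)).digest();

// Single-click path: the network supplies the number and the charge goes
// through on the bare arrival of a request. Nothing in the request shows
// whether a person tapped the button or a script did, so there is no
// evidence of consent to keep.
function authoriseSingleClick(request) {
  return { charged: Boolean(request.msisdnFromNetwork), proofOfConsent: null };
}

// Code-confirmed path: the charge is held until a code sent to the handset
// by text comes back, which needs someone who can read that handset.
class CodeConfirmedBilling {
  constructor(sendSms, now = () => Date.now()) {
    this.sendSms = sendSms;   // out-of-band channel to the subscriber
    this.now = now;           // injectable clock, so expiry can be tested
    this.pending = new Map(); // msisdn -> charge awaiting confirmation
  }

  requestCharge(msisdn, merchant, pence) {
    const code = crypto.randomInt(0, 1000000).toString().padStart(6, '0');
    this.pending.set(msisdn, {
      merchant, pence, attempts: 0,
      expires: this.now() + CODE_TTL_MS,
      codeHash: sha256(code), // only a hash of the code is stored
    });
    // The text names the merchant and the amount, so the subscriber sees
    // what the code authorises before entering it.
    this.sendSms(msisdn, `Code ${code} lets ${merchant} charge ${pence}p`);
  }

  confirm(msisdn, submittedCode) {
    const p = this.pending.get(msisdn);
    if (!p) return { charged: false, reason: 'no-pending-charge' };
    if (this.now() > p.expires) {
      this.pending.delete(msisdn);
      return { charged: false, reason: 'expired' };
    }
    p.attempts += 1;
    if (p.attempts > MAX_ATTEMPTS) {
      this.pending.delete(msisdn); // stop brute-force guessing of the code
      return { charged: false, reason: 'too-many-attempts' };
    }
    // Compare fixed-length hashes in constant time.
    if (!crypto.timingSafeEqual(sha256(submittedCode), p.codeHash)) {
      return { charged: false, reason: 'wrong-code' };
    }
    this.pending.delete(msisdn); // a code authorises one charge only
    return {
      charged: true,
      proofOfConsent: {
        msisdn, merchant: p.merchant, pence: p.pence, confirmedAt: this.now(),
      },
    };
  }
}
```

The record returned on a successful confirmation is the kind of evidence of consent that the single-click path never produces.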

Scammers have found various ways of getting consumers to click on these links. A popular one is to create a pop up box. When you click the X to close the box, you are deemed to have signed up to a subscription costing up to £4.50 per week.

It is also very easy to simulate a user clicking or tapping a button using JavaScript. JavaScript is client-side code (meaning that it runs on your device) used widely on the internet to provide interactivity with websites. Payforit can’t tell whether a user willingly clicked or tapped a button, or whether it was done with JavaScript code, without the user’s consent. In both cases it will pass the consumer’s phone number to the website and allow them to make charges against it. (2)

Some recent scams have used Apps downloaded from Google Play which contain malicious code which performs a sign up on your behalf. It is impossible to tell from the permissions requested by the App that there is a problem, as all that is required to sign you up is internet access through a mobile network. (3)

Let’s be clear about this, Payforit in itself is not a scam, but it does aid and abet scams and over recent years has been proven to be insecure.

References

  1. Full rules of the Payforit scheme
  2. Adjudication from PSA showing use of JavaScript exploits
  3. Article on rogue Apps in Google Play Store