
Giffgaff, you really need to consider stopping your collaboration with these scammers!

Started by: glaswegianeric
On: 23/12/2018 | 07:13
Replies: 150

by: glaswegianeric
on: 11/02/2019 | 11:18
@woodyuk

@muggles708 in his most recent answer actually made some very valid points, for example, that some MVNOs choose not to facilitate Payforit at all and that the blocking does happen anyway if there is no credit balance to make the payment.

Lycamobile, for example, doesn't seem to offer premium calls and texts facility (https://www.lycamobile.co.uk/en/faqs/can-send-receive-premium-texts-make-premium-rate-calls-using-ly...). Although there's no mention of Payforit, I wonder if someone could confirm whether it's blocked or not. I'd suspect for it to be blocked.

I highly doubt that for a MVNO to block Payforit, all 4 owners (big MNOs) have to agree to it. I don't know for sure but would be surprised to find out that this is actually the case.
by: jaymailsays
on: 11/02/2019 | 11:29

@muggles708 That is really enlightening.

To add to the debate about giffgaff disclosing our number, of course that is accurate, although we can lessen the risk by using a VPN or eliminate it by using WiFi when browsing.

However, many get caught by installing free apps, similar to A1 Factory, which offer "free" games. To get these free apps you allow access to your number, or you don't get the free version. After a while you forget you gave permission until the dreaded day you find you have entered a payforit Range Rover competition, except you didn't, you were subscribed either accidentally or fraudulently. We can't in this scenario blame the network entirely. We made the decision to install the free app which allows them to almost control our settings.

Nothing is ever as simple as it seems at first glance. These Merchants are ingenious when it comes to extracting our money.

I agree giffgaff should allow us to block these services from taking our credit, but we cannot blame the network in every case for disclosing our number.

by: harrrrrry
on: 11/02/2019 | 12:21

@glaswegianeric

I wonder if Lycamobile or Tesco customers can subscribe to Payforit-run services (even if they wanted to)...

According to https://www.tescomobile.com/help-and-support/pay-monthly/call-charges/premium-rate-calls-and-texts it seems Tesco can ... though if you read the page carefully -- even though they're clearly describing the Payforit process in one part of the page, they actually seem to be offering to:

4. Click Add on Premium Bar for calls and/or Bar Premium SMS MT for texts

So, the question remains -- does Tesco actually block Payforit charges? Is SMS MT another synonym for Payforit, or has Tesco totally misunderstood the need for Payforit blocking, exactly like giffgaff did when it implemented the call services block on "incoming premium rate texts" before adding the clarifying "only numbers beginning 09", which is total nonsense in relation to incoming texts.

by: jaymailsays
on: 11/02/2019 | 12:36

@harrrrrry SMS MT is Mobile Terminated billing so it is not a payforit service but reverse charge billing.

by: muggles708
on: 11/02/2019 | 15:13 edited: 11/02/2019 | 15:37

@jaymailsays wrote:

@muggles708 That is really enlightening.

To add to the debate about giffgaff disclosing our number, of course that is accurate, although we can lessen the risk by using a VPN or eliminate it by using WiFi when browsing.

@jaymailsays

In all the cases I have seen recently, the method of the third party acquiring the consumer's number has been the Payforit API.

My understanding is that using a VPN will completely eliminate the risk of your MSISDN being exposed through the Payforit API. My own tests have so far shown this to be the case.

@jaymailsays wrote:

However, many get caught by installing free apps, similar to A1 Factory, which offer "free" games. To get these free apps you allow access to your number, or you don't get the free version. After a while you forget you gave permission until the dreaded day you find you have entered a payforit Range Rover competition, except you didn't, you were subscribed either accidentally or fraudulently. We can't in this scenario blame the network entirely. We made the decision to install the free app which allows them to almost control our settings.

The scenario you describe here is not a case of the phone number being exposed by the phone. This is not accepted by the networks as a valid method of consent. In the case you describe, the App is not to blame. Even if it has permissions to your number, it can't use that permission to sign you up to scam charges. The only mechanisms permitted are described in the Payforit rules. Obtaining the MSISDN from the phone isn't permitted. If the MSISDN isn't keyed in by the user (and subsequently verified), then the MSISDN has to be provided by the network.

Free Apps usually obtain Ads from external sources, not under the control of the App writer. Sometimes it is these Ads that contain rogue code (or links to pages containing rogue code). These Ads would not share the permissions of the App that loaded them, but would be rendered as any normal web page.

You are correct that users should carefully check the permissions requested by any App. However, the App stores have been quite good at weeding out Apps which ask for inappropriate permissions, particularly those that ask for the user's MSISDN. Rogue Apps can only control the settings that are declared when you install them. You should check these carefully and not install Apps which appear to ask for unnecessary permissions.

I have seen numerous rogue Apps in the past year, but they all used the Payforit API to obtain the user's MSISDN and did not ask for it from the phone. They would have been weeded out at a much earlier stage if that had been the case. Apps which work by using the Payforit mechanism don't need to have any "suspicious" permissions. They just have to access the internet via mobile data. Some of them will attempt to turn off the WiFi to achieve this.

The problem is that the Payforit API is treated as a LEGITIMATE means of obtaining a consumer's number and establishing "consent to charge". It is impossible to tell by looking at the logs whether a "third party" website was intentionally visited, or whether a rogue website or App initiated the visit. In either case the company can commence a subscription, safe in the knowledge that the logs will show what appears to be valid consent to charge.

This consent has been successfully challenged, but it means the consumer has to go through the Small Claims procedure in order to establish that the consent was most likely fraudulent.

If a company began charging a subscription without the logs provided by Payforit, that would be clearly fraudulent. These scam Payforit services tread a fine line bordering on legality, and are based ENTIRELY on the cooperation of the networks in providing consumers' numbers via the API.

GiffGaff have been aware of these scams for at least three years and have taken no action to protect members. In the vast majority of cases they are DIRECTLY responsible for exposing the member's MSISDN to the third party company. In the other cases, the consumer has been "tricked" into keying in their MSISDN themselves, usually in order to enter a competition.

Been scammed by 'Payforit'? Need independent advice? Payforit Faq for GiffGaff Customers
Support GiffGaff introducing two factor Authorisation for ‘Payforit’ https://labs.giffgaff.com/idea/16712363/require-2-factor-authentication-to-sign-up-for-payforit-tex...
by: jaymailsays
on: 11/02/2019 | 15:45 edited: 11/02/2019 | 15:59

muggles708 wrote: <snip>

GiffGaff have been aware of these scams for at least three years and have taken no action to protect members.

@muggles708 To be fair, there are one or two staff sympathetic to stopping payforit subscriptions, and the irony is that they are on the payroll of O2, like all staff on here (not including agency workers). They have good intentions at the outset but then quickly realise just how complex stopping the oil tanker is, when the employer part-runs the ship they are trying to turn round.

It is a thankless task until somebody in management breaks ranks and commits to bringing in blocking controls. The downside might be that price plans increase to compensate for lost payforit income streams.

by: h1gsy
on: 11/02/2019 | 15:55
Having read your brilliant reply to my £4.50 loss, I will take your advice. It also made me think this is a flagrant breach of GDPR: I have not granted permission for my data to be shared like this with the payment service or a third party company (my data being my mobile number). Secondly, the fact that EE have stopped this scam with two-factor authentication and a simple PIN number just does make you wonder why GiffGaff have not addressed this yet. Many thanks for your concern - I think this would make a lovely news story for breakfast TV, just to help more people protect themselves from this nasty little scam.
by: thunderdragon
on: 13/02/2019 | 15:47
JayMailSays wrote:
Muggles708; That is really enlightening. To add to the debate about giffgaff disclosing our number, of course that is accurate, although we can lessen the risk by using a VPN or eliminate it by using WiFi when browsing.
Muggles708 wrote:
JayMailSays; In all the cases I have seen recently, the method of the third party acquiring the consumer's number has been the Payforit API.
My understanding is that using a VPN will completely eliminate the risk of your MSISDN being exposed through the Payforit API. My own tests have so far shown this to be the case.
@jaymailsays @muggles708 The nice thing about that is it means VPN tunnels can be used by technical users to immunise their connections against unauthorised exposure through the Pay4Brexit API... But the sad thing is this only solves the problem for maybe 5-10% of users at best. Many consumers don't even know what a VPN is, and those who do might not be able to configure it in such a way that all headers from the client's network are stripped out whilst passing through the VPN!

The other thing which makes no sense to me is how GG and other M(V)NOs are managing to insert Pay4Brexit API headers into customers' web traffic, given most sites now enforce HTTPS and through this a fully encrypted connection, which'd break if any third party tried to add data to the packet. Unless client headers are still unencrypted over HTTPS (which'd be a big security issue, and mean HTTPS couldn't be used for anything governed by GDPR either), the only ways I could see it working at the technical level are:
  • The M(V)NO has access to the Pay4Brexit SSL private key for insertion of Pay4Brexit API headers into connections directed at the service, which'd be a betrayal of consumer trust and should render Pay4Brexit legally unable to assert any security or integrity over connections to them.
  • OR: Pay4Brexit code (embedded widgets etc.) is only being served via unencrypted HTTP, which is so damned easy to spoof even a Tory politician could do it. This likewise renders all Pay4Brexit connections "Insecure" so far as the law is concerned, and the authenticity of any transaction over such insecure connections would likewise be open to contest.
In either case: If it can't legally be proven that a "Billing request" made via Pay4Brexit did indeed originate from the customer's own device and through the customer's Aware, Informed, and Provably Consenting Actions, no transaction thus effected could be held as contractually binding under Law... It'd be a perfectly reasonable challenge to argue that the contract was made by an Impersonator and not the customer themselves, and - in the event of challenge - it would be the burden of Pay4Brexit to prove that the transactor was indeed the contesting customer and not an imposter.

FWIW: Anybody who can bit-bang an HTTP packet together can potentially invoke a Pay4Brexit charge or subscription against whichever mobile number they choose, and untraceably so if they do this via the Tor network. With this in mind (and declaring that I'll archive this page on Archive.org after posting to ensure an impartial record persists in public view), the public disclosure of the security flaws of the Pay4It service (or, as I term it, Pay4Brexit) on this page potentially renders Pay4It unable to assert in Law that any transaction made via their API or service has genuinely been made by the real person against whom such transactions are accounted for and/or billed.

Also - as I'm taking the opportunity to air a public thing or two here (this is, after all, a public forum) I'll also share a screenshot of a relevant part of my GG settings page, which has been set this way - to bar ALL "Premium Services" including Pay4Brexit on my account - for over a year to date:
[Image: GG-Premium-services-blocked.png - Proof of disablement of ALL premium services on ThunderDragon's account.]
This has the effect of making public that I have made all reasonable attempts to disable all "Premium" services on my GiffGaff account, and in doing so presents sufficient evidence that any Pay4It-connected charge associated with my GiffGaff accounts is Wholly Unauthorised, and through this Entirely Unenforceable under applicable Law.

Anyhow... Sorry for the use of bold and the off-red above, but I just need these to be clearly visible in any future circumstance where the unauthorised actions of Pay4Brexit and the content of this thread might have to be presented to a court.
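The point made above, that a network can only add identifying headers to traffic it can see in plaintext, suggests a simple check a cautious user can run. The following is an added example, not code from this thread, from any network or from Payforit: a small Python endpoint that reports request headers that look like mobile-number ("MSISDN") enrichment when visited over mobile data with WiFi and VPN off, plus the same logic run over a constructed request. The header-name fragments and the sample number are assumptions for illustration.

```python
# Added example: spot carrier header enrichment on plaintext HTTP requests.
# Header-name fragments below are illustrative assumptions, not an authoritative list.
import re
from http.server import BaseHTTPRequestHandler, HTTPServer

SUSPECT_NAME_PARTS = ("msisdn", "calling-line", "subscriber", "imsi")
# A UK mobile number in national or international form: (0|44)7 + nine digits.
UK_MOBILE = re.compile(r"^(\+?44|0)7\d{9}$")


def find_enrichment(headers):
    """Return (name, value, reason) for headers that look like number leakage."""
    hits = []
    for name, value in headers.items():
        lname = name.lower()
        digits = re.sub(r"[^\d+]", "", value)  # keep only digits and a leading '+'
        if any(part in lname for part in SUSPECT_NAME_PARTS):
            hits.append((name, value, "suspicious header name"))
        elif UK_MOBILE.match(digits):
            hits.append((name, value, "value looks like a UK mobile number"))
    return hits


class EchoHandler(BaseHTTPRequestHandler):
    """Plaintext HTTP endpoint: reports any header that looks like enrichment.

    Host it on a public IP and visit http://<host>:8080/ from the phone over
    mobile data (WiFi and VPN off) to see what the network added in transit.
    """

    def do_GET(self):
        hits = find_enrichment(dict(self.headers))
        body = "\n".join(f"{n}: {v}  <- {why}" for n, v, why in hits) or "no enrichment seen"
        self.send_response(200)
        self.send_header("Content-Type", "text/plain")
        self.end_headers()
        self.wfile.write(body.encode())


if __name__ == "__main__":
    # Constructed sample: a browser's headers plus one an enriching network might add.
    sample = {"Host": "example.test", "User-Agent": "Mozilla/5.0", "X-Msisdn": "447700900123"}
    for hit in find_enrichment(sample):
        print(hit)
    HTTPServer(("0.0.0.0", 8080), EchoHandler).serve_forever()
```

Over HTTPS the same endpoint would show nothing, since the TLS session hides headers from the network; that contrast is the point of the post above.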
by: glaswegianeric
on: 13/02/2019 | 16:11
@thunderdragon @jaymailsays @muggles708

Very good @thunderdragon point re customer putting a block on premium rate services and thus making a reasonable attempt to block any premium rate services including Payforit.

Basically, by putting such a block, a customer would show that he/she unambiguously revokes any consent to be targeted by premium rate services in any known or future shape or form and believes in a good faith that giffgaff's 'tick box' in My Account is the right tool to do that.

What's more, giffgaff did confirm that this was the very tool (see my correspondence with them). 'Staff got no clue' isn't really an excuse, as staff should have 100% clue and it isn't really a customer's problem that they don't.
by: muggles708
on: 13/02/2019 | 17:20

@thunderdragon wrote:


In either case: If it can't legally be proven that a "Billing request" made via Pay4Brexit did indeed originate from the customers' own device and through the customers Aware, Informed, and Provably Consenting Actions, no transaction thus effected could be held as contractually binding under Law...It'd be a perfectly reasonable challenge to argue that the contract was made by an Impersonator and not the customer themselves, and - In the event of challenge - It would be the burden of Pay4Brexit to prove that the transactor was indeed the contesting customer and not an imposter.

@thunderdragon @glaswegianeric @jaymailsays

Even if there were conclusive proof that a billing request originated from a member's handset, it would not be proof of "consent to charge" under the law. There is plenty of evidence that rogue web pages can use iframing and clickjacking exploits to spoof a legitimate signup. The PSA have even fined companies for doing this! Take a look at the PSA adjudications for a company called Xplosion. Of course this company failed to pay its fines of nearly £1,000,000 and made off with the loot!

That is why I'm so confident that the law is on the side of any consumer who contests the legitimacy of these Payforit charges. The charges just won't hold up in court!

I've been trying to tempt one of these companies to defend their position in court for the last year, but they always throw in the towel and pay up!

Unless, of course, the "service provider" has followed the PSA advice and has used 2-factor authorisation, which they don't because it would defeat the exploits they are using.

Paul

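The two-factor authorisation referred to above, as an added example that is not taken from this thread, from the PSA or from any provider: a one-time PIN is sent out of band to the number the user keyed in, so a framed, clickjacked or scripted page that never sees the SMS cannot complete the consent step. The send_sms hook, the PIN lifetime and the attempt limit are assumptions made for the example.

```python
# Added example: PIN-confirmed "consent to charge" (assumed design, not Payforit's).
import hmac
import secrets
import time

PIN_TTL_SECONDS = 300   # assumed lifetime of a PIN
MAX_ATTEMPTS = 3        # assumed guess limit before the challenge is discarded


class ConsentService:
    def __init__(self, send_sms, clock=time.time):
        self.send_sms = send_sms   # callable(msisdn, text): assumed SMS delivery hook
        self.clock = clock
        self.challenges = {}       # challenge id -> pending challenge

    def start(self, msisdn, merchant):
        """Step 1: the user keys in their own number; a PIN goes only to that number."""
        pin = f"{secrets.randbelow(10**6):06d}"
        cid = secrets.token_urlsafe(16)
        self.challenges[cid] = {"msisdn": msisdn, "merchant": merchant, "pin": pin,
                                "expires": self.clock() + PIN_TTL_SECONDS, "attempts": 0}
        self.send_sms(msisdn, f"PIN {pin} authorises charges by {merchant}. Ignore if not you.")
        return cid

    def confirm(self, cid, entered_pin):
        """Step 2: return a consent record only if the PIN matches before expiry."""
        ch = self.challenges.get(cid)
        if ch is None or self.clock() > ch["expires"]:
            self.challenges.pop(cid, None)
            return None
        ch["attempts"] += 1
        # Constant-time compare on bytes, so odd input cannot raise or leak timing.
        if not hmac.compare_digest(ch["pin"].encode(), entered_pin.encode()):
            if ch["attempts"] >= MAX_ATTEMPTS:
                del self.challenges[cid]
            return None
        del self.challenges[cid]   # one-time use: a replayed PIN fails
        return {"msisdn": ch["msisdn"], "merchant": ch["merchant"], "at": self.clock()}


if __name__ == "__main__":
    outbox = []   # constructed stand-in for an SMS gateway
    svc = ConsentService(lambda to, text: outbox.append((to, text)))
    cid = svc.start("447700900123", "ExampleMerchant")   # constructed number
    pin = outbox[-1][1].split()[1]
    print(svc.confirm(cid, "000000"))   # a guess from a page that never saw the SMS
    print(svc.confirm(cid, pin))        # the real user, who has the SMS
```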