Warning: Use of undefined constant CTF_VERSION - assumed 'CTF_VERSION' (this will throw an Error in a future version of PHP) in /usr/www/users/coralsjgen/wp-content/plugins/ai-twitter-feeds/ai-twitter-feeds.php on line 519

Stealing SA Mobile Users’ Airtime

Subs SMS

Cliff Court – CEO, Coral Tech
22 July 2015

A large number of South African cellphone users are effectively having their airtime stolen by being unwittingly subscribed to mobile services they have no desire to purchase. Because these services typically deduct smaller amounts (e.g. R7.00 per day) from a cellphone airtime, it goes largely unnoticed by the cellphone user, especially those using prepaid airtime, until they finally work out that their airtime is vanishing too quickly.

While R7.00 per day doesn’t sound like much, it translates to ~R210.00 per month. If it takes an average of 4 months for the user to realise there’s a problem, it only takes 1200 people for the companies involved to earn a million Rand. While actual numbers are not available, it’s likely that several thousand cellphone users have been manipulated into such mobile subscriptions, resulting in millions of Rand of their airtime being taken without their approval.

Part of the problem, and something these companies take advantage of, is that these subscriptions pass through multiple players, allowing each one to pass the blame onto the next in the chain, until one is unable to reach an accountable party. This issue has been reported many times in the press, but because it’s so complicated, no-one has provided the full “value-chain” and called out the various parties involved. This post makes an effort to provide a more complete story behind this issue.

Sorry it’s a bit long, but we’re talking about millions of Rand being taken here.

So how does it work? First they spam as many people as possible – either by SMS or through making up a false offer that gets shared through Whatsapp. Here’s an example. In March I received an SMS that said the following (the x’s are there to hide certain information)

“Someone sent you a Photo MMS message! Open it on www.xxx.me/1/1.php?m=xxxxxxxxx and click SUBSCRIBE. (FREE MSG) xxxxx.me to optout smsStop”

The average recipient will think they’ve received something of interest – even though most cellphones are able to receive MMS messages containing photos without clicking a web link. The user then clicks on the link and is taken to a mobile website where they see the SUBSCRIBE button. Some such sites may even have wording to indicate that they are subscribing to a service for R7.00 per day but it is often either in very small print, greyed-out or deliberately confusing e.g. 7R/d. The result is a percentage of users still go ahead and click the SUBSCRIBE button.

Depending on the network, this triggers a process called “double opt-in” whereby the mobile operator (Vodacom, MTN etc) now displays a web page on the phone that asks the user to confirm they are wanting to subscribe at R7.00 per day for the service. At this point, many people should realise they don’t want this service, but again, a certain percentage still choose to accept, still not understanding the implications of their action. They are then shown some image (the so-called Photo MMS) that is typically not at all interesting to them. The user then simply exits the site and forgets about it – until months later when they’ve had hundreds of Rand taken from their account.

This double-opt-in system was originally introduced by Vodacom as a mechanism to try and reduce these types of subscriptions, but clearly it has only been partially successful. A quick use of Google shows that Facebook, hellopeter.co.za and reportacrime.co.za have lots of posts of those complaining they have fallen victim to these unwanted services.

The cellphone industry has an association called WASPA (Wireless Application Service Provider Association), which was set up to address various mobile service matters relating to WASPs, including this kind of issue. I know that WASPA has genuinely good intentions in wanting to protect mobile users and maintain the good name of WASPs in South Africa. They developed a code of conduct, by which WASPs must comply, otherwise they risk potentially being fined tens of thousands of Rand.

While the WASPA conduct rules set out to protect mobile users, part of the problem is that these rules are created by some of the very WASPs that operate these services. One of the most effective rules for these WASPs is that a WASP cannot be held responsible for a breach of the conduct rules, if they were acting on behalf of another WASPA member. So if a WASP takes money from a user’s airtime (a process called OBS or EBB) on behalf of another member of WASPA, any breach of the conduct rules linked to their actions simply gets passed onto the other WASPA member.

And that’s how these companies manage to avoid any sanction. These “other” WASPA members are effectively uncontactable, while the local WASPs who operate the services pretend they are unaware of what’s going on – the “I was just following orders” defence.

In the case of my SMS example above, it directly breaches a number of WASPA conduct rules, but primarily it does not warn the recipient that the offered (and unsolicited) service will charge you R7.00 per day. It’s fairly easy to find the WASP behind the sent SMS as one can look up the sending number using smscodes.co.za. I then submitted a formal complaint to WASPA who, to their credit, efficiently adjudicated the complaint, but only to rule that because the message was sent on behalf of another WASPA-registered company, according to their rules, they could not take action against the WASP in question but recommended investigating the other company for possible breach.

So I decided to investigate this other WASPA-registered company myself. The more I looked into this company, the more dodgy it became. Firstly there is no way to contact this company other than using a form on their website. Their domain is registered in Hong Kong and their website in Croatia – no real issue there. But their registered address is in Belize, which is certainly unusual, but even more so since the company address given is in fact that of the Belize National Bank!

So the fact of the matter is that one cannot reach a human at this company, because it is bogus and doesn’t really seem to exist!This is really helpful (to them) if WASPA, or anyone else, tries to go after them legally. As for the local WASP that both sends the promotional SMS messages to fool mobile users into subscribing, as well as the company that actually takes money from the user’s airtime, they simply throw up they hands and say “we were doing it for the other WASPA member”.

If a mobile user wants to shut down the service, there is a way to unsubscribe them from the subscription – although not it’s not that easy. The networks offer their own services to unsubscribe. Vodacom allows users to SMS a “STOP ALL” message to 30333, while MTN has a USSD string (*141*5#), and so does Cell C (*133*1#). There have been conflicting stories as to how effective these unsubscribe services work. In theory, if you can figure out which WASP to call, you can phone them and get them to unsubscribe you.

Having initially struggled to find it,  I called the SA phone number linked to the subscription offer I received, and after some cajoling, was told that unsubscribe requests are sent to an email address in Spain. A bit more effort discovered that there are at least 2 companies that operate out of Spain that run these, in my opinion, mobile scams in South Africa, but also in other countries e.g. Kenya. They have other bogus WASPA-registered companies as well so they can run the scams using other vehicles if one if forced to shutdown.

So who is ultimately to blame for the loss of millions of Rand of airtime from South African mobile users? The answer is “all of the above” to the lesser or greater degree. The networks (Vodacom, MTN, Cell C and Telkom Mobile) typically earn 30%+ each time that R7.00 is taken from the airtime for these subscriptions. While the networks have introduced the double-opt-in system to try and reduce these schemes, there are many reports that when users complain about these unwanted subscriptions, the networks’ call centres simply tell the user to contact the WASP linked the service. So the networks wash their hands of the problem while earning 30%+ of the revenues.

WASPA and most of its members genuinely want to act in the best interests of the mobile user and the WASP industry, but they allow the WASPs associated with these schemes to manipulate the WASPA conduct rules so that, effectively, these practices can continue without much restraint.

In my opinion, the local South African WASPs that operate the subscriptions services – specifically the outbound promotional SMS messages and, more importantly, the collection of airtime (the R7.00 per day), ostensibly on behalf of the “other” WASPA member, know exactly what is happening but turn a blind eye because the business is so lucrative. I believe there are just as liable as the main party.

Finally there is the company that is actually behind these subscription services. These people hide behind bogus companies apparently dotted around the world, ensuring it is both very hard to get out of the subscription, but more importantly to be come almost impossible to go after legally.

I believe that South Africans are having millions of Rand effectively stolen from them via their mobile airtime, using a mechanism supported directly by the local mobile networks and WASPs. This should be stopped immediately by the networks and by the Government, who should be looking after the interests of the consumer, and yet this type of issue is barely covered in the Consumer Protection Act. There are some legitimate subscription services such as music streaming, but these are typically not paid for using airtime – and shouldn’t be.

At the risk of over-regulating, I feel all the networks should shutdown airtime subscription services (so-called OBS or EBB). It is simply not OK to allow millions of Rand to be taken from unsuspecting mobile users.

July 22nd, 2015|