Have you been signed up for premium rate services you didn't order? Better check your phone bill…
Most of us are far too worldly-wise to ever sign up to a spam texting service. No matter what dating knowledge, psychic insight or genitalia enlargement is offered, the cost of the service is almost certainly going to outweigh the benefit, even if that service were free. However, a UK mobile phone user has just discovered that he could sign up anyone he liked to one of these services, after finding fraudulent charges on his bill.
Consultant Mark Hole found charges for a fortune-telling service on the bill for his business mobile. Certain he had not bandied around his mobile number in places spamsters could get hold of it, he complained to his service provider, Orange, who shrugged and said he must have signed up and to naff off (or words to that effect). Mr Hole also complained to Buongiorno, the “content maker” behind the iFortune service he was getting without asking.
However, Mr Hole was not your average mug, and decided to investigate how his number had been signed up for the service. Using a Firefox add-on that pretended his computer was an iPhone, Mr Hole found that he could sign up absolutely anyone for premium rate services from content maker Buongiorno with nothing more than their mobile phone number and the knowledge that they were on the Orange network. He went on to demonstrate this by signing up a BBC reporter for the fortune-telling service.
Buongiorno described Mr Hole’s investigations as a “bug” and assured the BBC that once they “found out” about it, they “very quickly moved to pin it down, find out what happened and stop it from happening again.”
Gareth Maclachlan, head of mobile security firm Adaptive Mobile, told the BBC that Buongiorno was not doing a good enough job of checking which net addresses were making sign-up requests. "There's a potentially criminal opportunity here," he said, describing how hi-tech thieves could set up a fake premium rate service, sign people up and then sit back and wait for cash to roll in.
Information about Mr Hole's findings has been circulated to the GSMA security working group to ensure other operators are aware of the loophole. Buongiorno are convinced the impact of this “loophole” was minimal, but given that Mr Hole’s situation suggests the window was open for at least 14 days, it remains to be seen if other mobile phone users have fallen foul of the same or a similar scheme. So get checking your bills now, and if you find anything, please let us know.