JOHANNESBURG – Clients of MTN and Cell C are sitting ducks when it comes to wireless application service providers (Wasp) fraud. I know this because I was a (willing) victim to this type of fraud on two of my SIM cards this past weekend.
In this instance, Wasp fraud refers to the subscription of a cellular number to a service without the owner’s permission.
Wasps provide services to cellphone users. They often charge a daily rate – usually between R2.50 and R7 a day.
This story starts with a Moneyweb reader who goes by the pseudonym Ajax. Earlier this year, Ajax fell victim to apparent Wasp fraud. He discovered more than R300 missing from an account held with Cell C. Ajax had been charged R7 a day for a service called Kulaville. Kulaville allows users “to share and rate photos and also to meet and chat with people near you.” This description sounds awfully similar to Facebook, which costs R0 a day.
Ajax was 100% certain he had not subscribed to Kulaville. But when he complained to Cell C, which had deducted the money on Kulaville’s behalf, it did not assist him.
Despite numerous complaints, Cell C and Kulaville’s agent, Mira Networks, were simply no help. As far as they were concerned, Ajax had requested the service, and that was the end to it. Mira Networks and Kulaville even provided Ajax with ‘proof’ that he had subscribed.
Ajax enlisted Moneyweb’s assistance. It took Cell C more than a month to respond to this journalist’s questions, but when it did, it conceded that Ajax was right all along; he had never asked to be subscribed to Kulaville. For more, see: Cell C took client’s money without permission.
Kulaville blamed Ajax’s subscription on a ‘technical error.’
The large number of online complaints against Kulaville and other Wasps suggests that ‘technical errors’ of this nature are unacceptably common. The majority of complainants deny requesting the services they were charged for.
Ajax was outraged by Cell C’s failure to protect him and others from abuse from the likes of Kulaville. He spent some time researching the Wasp industry. It did not take him long to discover how vulnerable MTN and Cell C subscribers are to fraud.
At this point readers may be wondering why Vodacom clients are not at risk. Vodacom is the only network that verifies its clients’ subscription to services. This verification system was introduced more than a year ago. Vodacom spokesman Richard Boorman tells Moneyweb that the introduction of this system resulted in a sharp decline in Wasp-related complaints. This decline in complaints suggests that Wasp fraud is more endemic than some networks would have you believe.
Other networks don’t verify subscriptions. They simply take the Wasp’s word for it. Thus, all a Wasp needs to say to MTN is: “This number subscribed to a content service, please start deducting R7 a day,” and MTN will comply.
Through some experimentation with his own prepaid SIM cards, Ajax discovered that it is possible to subscribe any MTN or Cell C client to a Wasp “service” without their permission. He invited me to try it.
On Friday June 21 I bought two prepaid SIM cards, one each from MTN and Cell C and loaded them with airtime. I also registered each SIM card on the websites of each of their respective networks to allow viewing of their airtime balances online.
After each SIM was registered, I removed it from the phone. Then I sent my newly acquired phone numbers to Ajax, and gave him permission to attempt to sign them up for services without my actually requesting them.
It took Ajax a few minutes to subscribe my MTN number to a service called “Club EnterFactory” billed at R5 a day. I went online and sure enough, R5 had already been removed from my account by an aggregator (middleman) called Mira Networks. It is worth remembering that this was done while the SIM was outside any device. Thus it could not have received any password, or have confirmed any subscription.
Other subscriptions followed, on both my MTN and Cell C numbers. One of these was a service called Love Guru, billed by middleman Integrat.
I am aware of Ajax’s methods, but for the sake of fellow cellphone users I will not reveal them in this article. Suffice it to say they were astonishingly simple. In one case all that was required was the entry of my network name and cell number on a website – no password was even required.
Ajax thought it appropriate to bring this security concern to my attention before laying formal complaints because “Moneyweb has been able to elicit proper assistance from the networks and Wasps.”
Until MTN and Cell C introduce their own verification systems, their customers will be at risk.
MTN general manager of business indirect Kevin Jacobson says that MTN is currently implementing a technology that will bring greater security to Wasp content services. “It is a token-based billing system that will be the most advanced system of its kind in Southern Africa,” says Jacobson. “The customer remains central in both contracting and controlling their subscription.”
Cell C says it is in the process of appointing a vendor to implement a double opt-in (verification) system. The implementation will be completed in the next few months.