Penetration Testing, Cyber Security

BBC Watchdog Research Paper - PayForIt
Written by

Admin

Published on

5 Aug 2019

Overview of PayForIt

The PayForIt system is a payment system designed to allow quick and easy payment via a user’s mobile phone account. Any payments taken through the system are charged to the user’s mobile phone bill. This is done by subtracting the payment amount from the user’s balance if they are on a pay-as-you-go SIM, or by adding the payment amount to the user’s monthly bill if they have a contract with the network. The scheme would allow phone carriers to join the payment processing industry, which was worth $1.9 trillion in 2017.

In order for mobile networks to take payments via the PayForIt process, companies wishing to take payment via the service must follow a defined payment flow. A user must “Double Opt-In” to make a payment. The service allows for one-off payments as well as recurring payments, either weekly or monthly. Two different systems exist for PayForIt: one designed to work over 3G/4G connections and another that works over Wi-Fi. Both methods require a phone number to make a payment.

Identification of Mobile Phone number (3G/4G)

An issue raised to SureCloud was the method third-party companies providing products and subscriptions use to obtain a user’s mobile phone number. SureCloud can confirm that no known method currently exists by which any website can retrieve a user’s phone number by interacting with the mobile phone’s operating system. After reviewing the process of a PayForIt transaction, it was determined that the mobile device was not sending its phone number in any kind of request to the service provider. After reviewing the technical specifications of how PayForIt functions, it was discovered that the service sends a request containing the user’s IP address to a “Level 1” provider, which can process the payment and identify a mobile user’s phone number from their external IP address. The Level 1 providers interact with the phone carriers, sending a request containing the payee’s IP address and receiving back a unique identifier known as the MSISDN, which is the user’s international dialing code followed by their mobile phone number.

Payment Options for Wi-Fi and 3G/4G Connections

Wi-Fi Data Connection

This method requires a user to enter a mobile phone number and then either enter a PIN sent to them via SMS text message or call an automated number, because the user’s MSISDN cannot be obtained over a Wi-Fi connection. This allows users to confirm that they are indeed signing up for a service and provides the best level of protection to the consumer. A potential hostile actor could not “trick” a user into signing up for a service, as the user must enter an SMS code or make a phone call to complete the payment/subscription. The disadvantage of this method is the inconvenience to the user, who must close/minimize their web browser and then return to complete payment.

3G/4G Connection

This method is designed to be simpler and allow for very convenient payment of one-off and subscription services. It does have a “Double Opt-In” requirement: the user clicks a “Pay Now” or “Subscribe” button and is then asked to click an additional button to confirm the subscription to the service. Companies can gain access to a unique identifier for the user (the MSISDN, also known as a phone number) by using the customer’s IP address and sending a request to a Level 1 Provider, which interacts with the phone carriers and retrieves the user’s phone number. This allows users to pay for services without having to enter any details such as name, address or postcode.

While this method is a very convenient way for the user to pay for a service/subscription, such a system allows easy accidental purchase or fraudulent activity to take place. Variations of this service exist for specific uses, such as in-app purchases, gambling, and competition-based services. This post will focus on the one-off payment and subscription options about which complaints have been made to various media outlets and mobile phone carriers.

Flow of PayForIt Process for 3G/4G Connections

The flow process for PayForIt can be defined in a few simple steps. Below is a simple explanation of how the service works when accessed via a 3G/4G connection.

  1. User accesses an HTML document to process the payment request. This document must outline the cost model of the purchase as well as a method to stop subscriptions if it is a subscription service.
  2. The web server hosting the document sends a request to a Level 1 provider, who in turn requests the user’s MSISDN (phone number) from the user’s phone carrier network in order to identify the user. This process takes place with no interaction from the user.
  3. The user must click on a “Purchase Now” or “Subscribe Now” button to start the payment process.
  4. A confirmation button/dialog box must appear next, which the user must also click on to complete the payment process.
  5. A confirmation message that the user has successfully signed up for the service must be displayed.
  6. An SMS message informing the user they have subscribed and a method of deactivating any kind of subscription service must be presented to the user via an SMS text message, such as “Text STOP to 80010 to cancel the service.”

Once these steps have been completed, a purchase/subscription has been successfully achieved, and payment is taken from the user.

Accusations of Fraudulent Activity

Since this service was launched, a very large number of accusations have been made about it being used for fraudulent activity. Hundreds of posts on the cell carriers’ forums, as well as on other social media such as Twitter, Facebook, and Reddit, have reported that the service is being used to charge customers who had no intention of making a purchase.

Various media outlets have reported on this issue, and the BBC Watchdog program has investigated the problem. The consensus is that the majority of payments taken through the service have been made fraudulently, without the users being aware.

SureCloud’s Research of the PayForIt Service

A SureCloud consultant was assigned to research this activity after the BBC contacted SureCloud. After finding various examples of mobile adverts containing PayForIt functionality, our consultant discovered that affiliate marketing schemes exist for the companies providing services and products using PayForIt. As these schemes allow third parties to claim commission by securing signups/purchases, there is an incentive for bad actors to make use of cybersecurity vulnerabilities within users’ web browsers. The Level 2 provider of these services would be unaware that malicious activity has been taking place until a large number of complaints are made to them and to the relevant authority. It is also possible for the Level 2 providers to act maliciously themselves, using JavaScript to make a consumer’s browser automatically click the payment/subscription button and the confirmation button without the user being aware.

Exploit Scenarios

Exploit #1: Clickjacking via iframes

This exploit method requires the use of an HTML feature known as iFrames. iFrames allow multiple web pages to be contained in different sections within one webpage. An exploit method that takes advantage of this is known as clickjacking.

Clickjacking is a method of loading one web page containing sensitive functionality, such as adding an additional user to a bank account, and setting the transparency of that page so that it becomes invisible, while loading an alternative, legitimate-looking web page underneath the invisible page. The attacker’s intention is for a user to interact with the visible page without knowing they are actually interacting with their online banking account.

An example of what this may look like is below:

This method could be used to trick users into clicking the subscribe and confirm buttons, because PayForIt via a 3G/4G connection only requires two clicks. An example could be a simple button containing any text, such as “Click here to close,” which would need to be pressed twice. Such an attack would start by taking a copy of the original PayForIt page, as can be seen below:

By overlaying the legitimate PayForIt site on top of a different website via an iFrame, it’s possible to “redress” the website to make it look however an attacker wishes. For example, an attacker could add a “Close Here” or “Continue” button, hoping the user would click it without being aware of the underlying page.

In the example below, both frames are loaded into a web browser, with the transparency of the PayForIt website set to 50%.

By altering the transparency of the PayForIt website’s frame, it’s possible to make it disappear entirely while overlaying a fake button over the top. This hides any indication that the user is agreeing to subscribe to a paid service:

The second button could be a confirmation button asking the user to close the advert. While the user may think this is just a ploy to try and keep them viewing an advert, it would actually result in the payment/subscription button and confirmation button being pressed, which would result in the payment flow being fully followed and a transaction would occur.

This attack method could be utilized by a malicious company acting fraudulently. Or, if the company has an affiliate program in place, affiliate partners could use this method in combination with a method of controlling mobile web traffic to generate fraudulent purchases in the hopes of gaining a high amount of commission.

Exploit #2: Malicious JavaScript

Another attack method could occur if the landing page has a cross-site scripting (XSS) vulnerability, or if a malicious, fraudulent company is running the service. It would be possible for an affiliate partner, an attacker or the company itself to deliberately cheat the flow process by using malicious JavaScript to force a user’s web browser to click the button twice. An affiliate partner or a malicious attacker would need the landing advertisement page to be vulnerable to XSS, which would allow a third party to inject their own HTML, including JavaScript, into the page.

SureCloud performs hundreds of penetration tests every year and continues to find XSS vulnerabilities in both bespoke web applications and corporate products and software solutions in use by companies all around the world. Despite the cybersecurity industry highlighting the problem consistently, the issue still plagues many of the websites currently in use by both public and private companies. A malicious actor could leverage such a vulnerability on a service landing page so that payments are taken as soon as the page is visited.

Exploit #3: Open Wi-Fi Hotspot

An interesting attack vector discovered during this research was the method PayForIt uses to identify mobile users. Since the service can only rely on a user’s IP address for a Level 1 payment provider to derive a unique identifier (the user’s phone number), the consultant allocated to this research decided to perform an experiment using a mobile Wi-Fi hotspot.

The consultant used his Galaxy S8 phone to set up a Wi-Fi hotspot, connected his Nexus 4 phone (with no SIM card) to the hotspot and then accessed the “www.hdwallapapers.shop” URL.

The web application responded to the consultant’s test phone (Nexus 4) stating that a payment could be placed. The flow was followed and a subscription request was put in. The website responded stating that the payment had been made, the consultant was forwarded to the website’s premium content section, and an SMS message was sent to the Galaxy S8 phone saying it had been subscribed to the service.

Nexus 4 phone connected to the Galaxy S8’s Wi-Fi hot spot:

Payment flow process followed:

SMS received on Galaxy S8 smart phone confirming registration to HDWallPapers:

It is highly likely that if a user found an open mobile hotspot (typically named AndroidAP on Android devices), they could connect to it, access a PayForIt service and complete the payment flow. The hotspot owner would be charged for the payment, as the service cannot distinguish whether a connected device was the originator of the payment; it can only use the hotspot’s external IP address as the unique identifier for the payee.

This issue is potentially a major flaw in the concept of the payment service. The service should not rely on an IP address alone to identify the payee of services.
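To make the identification problem concrete, here is an added toy model (not SureCloud’s or any provider’s code) of the Level 1 lookup described above: the carrier table, IP addresses and MSISDNs are constructed, and the hotspot owner and guest device share one external address. It also sketches the PIN-based check the Wi-Fi flow uses, which binds the payee to a number they can prove they hold.

```python
"""Toy model of how the PayForIt 3G/4G flow identifies the payee.

Added illustration, not SureCloud's or any payment provider's code. The
carrier table, IP addresses and MSISDNs below are constructed sample data.
"""
from dataclasses import dataclass
from typing import Dict, Optional
# Constructed carrier table: external IP of a mobile data session -> MSISDN of
# the account that owns the session. This stands in for the Level 1 lookup.
CARRIER_IP_TO_MSISDN: Dict[str, str] = {
    "198.51.100.23": "447700900123",  # account behind the Galaxy S8 hotspot
    "198.51.100.77": "447700900456",
}


@dataclass(frozen=True)
class Device:
    name: str
    external_ip: str  # the address the Level 1 provider actually sees
    has_sim: bool


def level1_lookup(external_ip: str) -> Optional[str]:
    """Identification step as described in the research: IP in, MSISDN out."""
    return CARRIER_IP_TO_MSISDN.get(external_ip)


def ip_only_payee(device: Device) -> Optional[str]:
    """3G/4G flow: the payee is whoever the external IP resolves to."""
    return level1_lookup(device.external_ip)


def pin_verified_payee(claimed_msisdn: str, pin_sent: Dict[str, str],
                       pin_entered: str) -> Optional[str]:
    """Wi-Fi-style flow: the payee proves possession of the number by
    returning the PIN that was delivered to that number by SMS."""
    return claimed_msisdn if pin_sent.get(claimed_msisdn) == pin_entered else None


# Both devices sit behind the same hotspot, so they share one external IP.
HOTSPOT_OWNER = Device("Galaxy S8 (hotspot owner)", "198.51.100.23", True)
GUEST = Device("Nexus 4 (no SIM, joined the hotspot)", "198.51.100.23", False)


def hotspot_ambiguity() -> bool:
    """True when the lookup cannot tell the guest from the hotspot owner."""
    return ip_only_payee(GUEST) == ip_only_payee(HOTSPOT_OWNER)

if __name__ == "__main__":
    print("guest resolves to:", ip_only_payee(GUEST))  # the owner's MSISDN
    pins = {"447700900123": "4821"}  # constructed: the SMS PIN went to the owner
    print(pin_verified_payee("447700900123", pins, "4821"))  # 447700900123
    print(pin_verified_payee("447700900123", pins, "0000"))  # None
```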

Solutions

Text STOP

Each Level 1 PayForIt provider should operate from an SMS shortcode. This five-digit code acts like a phone number that can be contacted via SMS, and sending the word “STOP” to it should stop all subscriptions for that specific shortcode.

X-Frame-Options Header

Webmasters of PayForIt services can use a header known as “X-Frame-Options” to prevent their landing pages from being embedded using iFrames. Web servers can send “security headers” alongside the web page content in response to HTTP requests, which enable further protections within a user’s web browser; the “X-Frame-Options” header is one of these. If an attacker attempted a clickjacking attack, the payment website would not render inside the attacker’s frame in the user’s web browser, rendering the attack useless. This helps protect providers of PayForIt services as well as consumers from falling victim to attacks by malicious affiliate partners. Adding this header to a web server’s configuration is trivial, and hundreds of guides on the subject are available across various websites.
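As an added example (not from SureCloud or any PayForIt provider), the check below classifies a captured response’s headers by how far they stop the page being framed. It covers the X-Frame-Options header recommended above and goes one step further to the Content-Security-Policy frame-ancestors directive, which current browsers honour in preference to it when both are present; the header sets at the bottom are constructed samples.

```python
"""Classify whether a response can be framed by a third-party page.

Added example, not SureCloud's code. It evaluates the X-Frame-Options header
the post recommends and also the Content-Security-Policy frame-ancestors
directive, which current browsers prefer when both are present. The header
sets at the bottom are constructed samples.
"""
from typing import Dict, Optional


def get_header(headers: Dict[str, str], name: str) -> Optional[str]:
    """Case-insensitive lookup, since HTTP header names are case-insensitive."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


def frame_ancestors(csp: str) -> Optional[str]:
    """Return the frame-ancestors source list from a CSP value, or None."""
    for directive in csp.split(";"):
        parts = directive.strip().split()
        if parts and parts[0].lower() == "frame-ancestors":
            # An empty source list matches nothing, i.e. behaves like 'none'.
            return " ".join(parts[1:]) or "'none'"
    return None


def framing_protection(headers: Dict[str, str]) -> str:
    """'blocked': nobody may frame the page; 'same-origin': only its own
    origin may; 'restricted': a CSP allow-list applies; 'none': any site may."""
    csp = get_header(headers, "Content-Security-Policy")
    ancestors = frame_ancestors(csp) if csp is not None else None
    if ancestors is not None:  # CSP wins over X-Frame-Options when present
        if ancestors == "'none'":
            return "blocked"
        if ancestors == "'self'":
            return "same-origin"
        return "restricted"
    xfo = get_header(headers, "X-Frame-Options")
    if xfo is not None:
        value = xfo.strip().upper()
        if value == "DENY":
            return "blocked"
        if value == "SAMEORIGIN":
            return "same-origin"
    # Missing header, or a value browsers ignore (obsolete ALLOW-FROM, typos):
    # the landing page can still be embedded in an attacker's iFrame.
    return "none"


# Constructed responses for a payment landing page.
UNPROTECTED = {"Content-Type": "text/html"}
XFO_DENY = {"Content-Type": "text/html", "X-Frame-Options": "DENY"}
CSP_SELF = {"content-security-policy": "default-src 'self'; frame-ancestors 'self'"}
```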

Payment Service Authority

An organization known as PhonepayPlus is responsible for the PayForIt system and has a complaints procedure for consumers who have issues with unauthorized purchases appearing on their phone bills. The authority has successfully fined and taken other disciplinary action against malicious operators of PayForIt services in the past.

Investigate Shortcode

The Payment Service Authority provides a service where it is possible to look up the SMS shortcode that PayForIt providers use when sending text messages. This will be in the form of five digits, e.g. 81343. The link above allows users to look up which company is sending them text messages and provides the appropriate contact information.

Charge to Bill Bar

Three of the six major networks support blocking PayForIt services from being able to take place. Putting a bar on “Charge to Bill” services will prevent PayForIt and any other “Pay via Phone Bill” services from conducting transactions using your carrier account.

Network        Procedure
O2             Contact customer support services
EE             Contact customer support services
Vodafone       Can be set online or contact customer support services
Three          No support
GiffGaff       No support – customer support can remove the balance and credit it to the user’s bank account to prevent payments being taken
Tesco Mobile   Contact customer support services

MobilePaymentSupport – https://mobilepaymentsupport.com

The website above can be used to look up the mobile charge-to-bill subscriptions users have signed up to. The service works by asking a user to enter their mobile phone number and an SMS PIN which is sent to their mobile. It will list the subscriptions the user currently has active. This can help users who have unknowingly signed up to multiple services, and provide assurance that any actions they have taken to stop unsolicited premium rate charges on their account have taken effect.