The PayForIt system is a payment system designed to allow quick and easy payment via a user’s mobile phone account. Any payments taken through the system are charged to the user’s mobile phone bill. This is done either by subtracting the payment amount from the user’s balance if they are on a pay-as-you-go SIM, or by adding the payment amount to the user’s monthly bill if they have a contract with the network. The scheme would allow phone carriers to successfully join the payment processing industry, which was worth $1.9 trillion in 2017.
For mobile networks to take payments through PayForIt, companies wishing to charge users via the service must follow a defined payment flow. A user must “Double Opt-In” to make a payment. The service allows for one-off payments as well as recurring payments, either weekly or monthly. Two different systems exist for PayForIt: one designed to work over 3G/4G connections and another that works over Wi-Fi. Both methods require a phone number to make a payment.
An issue raised to SureCloud was the method that third-party companies providing products and subscriptions use to obtain a user’s mobile phone number. SureCloud can confirm that no known method currently exists by which a website can retrieve a user’s phone number by interacting with the mobile phone’s operating system. After reviewing the process of a PayForIt transaction, it was determined that the mobile device was not sending its phone number in any request to the service provider. After reviewing the technical specifications of how PayForIt functions, it was discovered that the service sends a request containing the user’s IP address to a “Level 1” provider, which can process the payment and identify a mobile user’s phone number from their external IP address. The Level 1 providers interact with phone carriers, sending a request containing the user’s IP address and receiving back a unique identifier known as the MSISDN, which is the user’s international dialling code together with their mobile phone number.
Because the provider cannot obtain the user’s MSISDN in this case, this method requires the user to enter a mobile phone number and then enter a PIN sent to them via SMS text message, or to call an automated number. This allows users to confirm that they are indeed signing up for a service and provides the best level of protection to the consumer. A hostile actor could not “trick” a user into signing up for a service, as the user must enter an SMS code or make a phone call to complete the payment/subscription. The disadvantage of this method is the inconvenience to the user, who must close or minimize their web browser and then return to complete payment.
This method is designed to be simpler and to allow very convenient payment for one-off and subscription services. It does have a “Double Opt-In” requirement: the user clicks a “Pay Now” or “Subscribe” button and is then asked to click an additional button to confirm the subscription to the service. Companies can obtain a unique identifier for the user (the MSISDN, i.e. their phone number) by taking the customer’s IP address and sending a request to a Level 1 Provider, which interacts with the phone carriers and retrieves the user’s phone number. This allows users to pay for services without entering any details such as name, address or postcode.
While this method is a very convenient way for the user to pay for a service or subscription, such a system makes accidental purchases and fraudulent activity easy. Variations of this service exist for specific uses, such as in-app purchases, gambling, and competition-based services. This post will focus on the one-off payment and subscription options, about which complaints have been made to various media outlets and mobile phone carriers.
The flow process for PayForIt can easily be defined in a few simple steps. Below is a simple explanation of how the service works when being accessed via a 3G/4G connection and.
Once these steps have been completed, a purchase/subscription has been successfully achieved, and payment is taken from the user.
Since this service was launched, a very large number of accusations that it is being used for fraudulent activity have been made. Hundreds of posts on the carriers’ forums, as well as on social media such as Twitter, Facebook, and Reddit, report that the service is being used to charge customers who had no intention of making a purchase.
Various media outlets have reported on this issue, and the BBC Watchdog program has investigated the problem. The consensus is that the majority of payments taken through the service have been made fraudulently, without the users being aware.
This exploit method relies on an HTML feature known as iFrames. iFrames allow multiple web pages to be embedded in different sections of a single webpage. An exploit technique that takes advantage of this is known as clickjacking.
Clickjacking works by loading a web page containing sensitive functionality, such as adding an additional user to a bank account, and setting its transparency so that it becomes invisible, while loading a different web page underneath the invisible page with legitimate-looking functionality. The attacker’s intention is for the user to interact with the visible page without knowing that their clicks are actually landing on their online banking account.
This method could be used to trick users into clicking the subscribe button and then the confirm button, given the simplicity of PayForIt over a 3G/4G connection. An example could be a simple button containing any text, such as “Click here to close,” which would need to be pressed twice. Such an attack would start with taking a copy of the original PayForIt page, as can be seen below:
By overlaying the legitimate PayForIt site on top of a different website via an iFrame, it’s possible to “redress” the website to look however an attacker wishes. For example, an attacker could add a “Close Here” or “Continue” button, hoping the user would click it without being aware of the underlying page.
In the example below, both frames are loaded into a web browser, with the transparency of the PayForIt website set to 50%.
By altering the transparency of the PayForIt website’s frame, it’s possible to make it disappear entirely while overlaying a fake button on top. This would hide any indication that the user is agreeing to subscribe to a paid service:
The second button could be a confirmation button asking the user to close the advert. While the user may think this is just a ploy to keep them viewing an advert, it would actually result in the payment/subscription button and the confirmation button both being pressed, so the payment flow would be fully followed and a transaction would occur.
This attack method could be utilized by a malicious company acting fraudulently. Alternatively, if the company has an affiliate program in place, affiliate partners could use this method in combination with a means of controlling mobile web traffic to generate fraudulent purchases in the hope of earning a high amount of commission.
SureCloud performs hundreds of penetration tests every year and continues to find XSS vulnerabilities in both bespoke web applications and corporate products and software solutions in use by companies around the world. Despite the cybersecurity industry highlighting the problem consistently, the issue still plagues many of the websites currently in use by both public and private companies. A malicious actor could leverage such a vulnerability on a service landing page so that payments are taken as soon as the page is visited.
An interesting attack vector discovered during this research was the method PayForIt uses to identify mobile users. Since the service can only rely on a user’s IP address for a Level 1 payment provider to obtain a unique identifier for the user (their phone number), the consultant allocated to this research decided to perform an experiment using a mobile Wi-Fi hotspot.
The consultant used his Galaxy S8 phone to set up a Wi-Fi hotspot, connected his Nexus 4 phone (with no SIM card) to the hotspot, and then accessed the “www.hdwallapapers.shop” URL.
The web application responded to the consultant’s test phone (Nexus 4) stating that a payment could be placed. The flow was followed, and a subscription request was submitted. The website responded stating that the payment had been made, the consultant was forwarded to the website’s premium content section, and an SMS message was sent to the Galaxy S8 phone saying it had been subscribed to the service.
It is highly likely that if a user found an open mobile hotspot (typically named AndroidAP on Android devices), they could connect to it, access a PayForIt service and complete the payment flow. The hotspot owner would be charged for the payment, as the service cannot distinguish whether a connected device was the originator of the payment: it can only use the hotspot’s external IP address as the unique identifier for the person paying.
This issue is potentially a major flaw in the concept of the payment service. The service should not rely on an IP address alone to identify the person paying for services.
Each Level 1 PayForIt provider should operate from an SMS shortcode. This five-digit code acts like a phone number, can be contacted via SMS, and should stop all subscriptions for that specific shortcode if the word “STOP” is sent to it.
Webmasters of PayForIt services can use a header known as “X-Frame-Options” to prevent their landing pages from being embedded in iFrames. Web servers can send “security headers” in their HTTP responses alongside the web page content, which enable further protections within a user’s web browser; the “X-Frame-Options” header is one of these. If an attacker attempted a clickjacking attack, the payment website would not render inside the attacker’s page in the user’s web browser, rendering the attack useless. This protects both providers of PayForIt services and consumers from falling victim to attacks by malicious affiliate partners. Adding this header to a web server’s configuration is trivial, and hundreds of guides on the subject are available across various websites.
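As an added example (not code from the original post or from any PayForIt provider), the check below classifies a landing page’s response headers the way a browser would: a Content-Security-Policy frame-ancestors directive, where present, takes precedence over X-Frame-Options, and the deprecated ALLOW-FROM value is ignored by modern browsers, so a page relying on it is still framable. The sample responses are constructed for illustration.

```python
"""Classify whether a page may be framed (clickjacking exposure) from its headers."""


def parse_frame_ancestors(csp: str):
    """Return the frame-ancestors source list, or None if the directive is absent."""
    for directive in csp.split(";"):
        parts = directive.strip().split()
        if parts and parts[0].lower() == "frame-ancestors":
            return [p.lower() for p in parts[1:]]
    return None


def framing_policy(headers: dict) -> str:
    """Return 'blocked', 'same-origin', 'restricted' or 'framable'."""
    # Header names match case-insensitively; a CSP frame-ancestors directive,
    # when present, takes precedence over X-Frame-Options, as in browsers.
    lower = {k.lower(): v for k, v in headers.items()}
    ancestors = parse_frame_ancestors(lower.get("content-security-policy", ""))
    if ancestors is not None:
        if not ancestors or ancestors == ["'none'"]:  # empty list means 'none'
            return "blocked"
        if ancestors == ["'self'"]:
            return "same-origin"
        return "framable" if "*" in ancestors else "restricted"
    xfo = lower.get("x-frame-options", "").strip().upper()
    if xfo == "DENY":
        return "blocked"
    if xfo == "SAMEORIGIN":
        return "same-origin"
    # ALLOW-FROM is deprecated and ignored by current browsers, so it gives no
    # protection; any other or missing value leaves the page framable.
    return "framable"


# Constructed sample responses for a hypothetical landing page (not captured data)
SAMPLE_RESPONSES = {
    "no_header": {"Content-Type": "text/html"},
    "xfo_deny": {"Content-Type": "text/html", "X-Frame-Options": "deny"},
    "csp_none": {"content-security-policy": "default-src 'self'; frame-ancestors 'none'"},
    "csp_overrides_xfo": {"X-Frame-Options": "SAMEORIGIN",
                          "Content-Security-Policy": "frame-ancestors 'none'"},
    "allow_from": {"X-Frame-Options": "ALLOW-FROM https://partner.example"},
}


def audit(responses=SAMPLE_RESPONSES) -> dict:
    """Map each sample name to its framing policy; only 'blocked' and
    'same-origin' pages are safe from the attack described above."""
    return {name: framing_policy(h) for name, h in responses.items()}
```

Only the first two outcomes stop the overlay described in this post; a “restricted” result still allows framing by the allow-listed origins, which is acceptable only when those origins are trusted.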
An organization known as PhonepayPlus is responsible for the PayForIt system and has a complaints procedure for consumers who find unauthorized purchases on their phone bills. The authority has successfully fined and taken other disciplinary action against malicious operators of PayForIt services in the past.
The Payment Service Authority provides a service where it is possible to look up the SMS shortcode that PayForIt providers use when sending text messages. This will be in the form of five digits, e.g. 81343. The link above allows users to look up which company is sending them text messages and provides the appropriate contact information.
Three of the six major networks support blocking PayForIt services. Putting a bar on “Charge to Bill” services will prevent PayForIt and any other “Pay via Phone Bill” services from conducting transactions using your carrier account.
| Network | How to apply a Charge to Bill bar |
|---|---|
| O2 | Contact customer support services |
| EE | Contact customer support services |
| Vodafone | Can be set online or contact customer support services |
| GiffGaff | No support – customer support can remove the balance and credit it to the user’s bank account to prevent payments being taken |
| Tesco Mobile | Contact customer support services |
The website above can be used to look up the mobile charge-to-bill subscriptions a user has signed up to. The service works by asking the user to enter their mobile phone number and an SMS PIN sent to their mobile. It will allow users to see which subscriptions they currently have active. This can help users who have unknowingly signed up to multiple services, and provides assurance that any actions they have taken to stop unsolicited premium-rate charges on their account have been enacted.