

Premium text messages are a dream come true for scammers.  (Source: Discover)
Industry needs to ban fraud-friendly premium text messages, customers need to preemptively block PSMS

Last year I covered how some malicious parties were attacking Android users by trying to get access to premium text messages.  But most of these reports were coming from regions like Russia.  I didn't think U.S. telecoms would allow this kind of thing to happen.  I was wrong.

Premium short messaging service (PSMS) messages are the perfect tool for fraud.  Costing as much as $10 per message, they fall under a gray region of U.S. laws.  And as some readers pointed out to me after I wrote this piece originally, telecoms profit off their users being defrauded.

Carriers get 30 to 50 percent of the fee for each premium message the user pays for.  Some companies -- such as AT&T, Inc. (T) -- have adopted stricter guidelines to try to prevent abuse of this technology, but only after they were sued for it [source].  Others -- like Sprint Nextel Corp. (S) -- are still leaving customers wide open for fraud.

I. How I Got Hit By the Fraudsters

Well, I have discovered firsthand that this kind of scam is alive and well here in the States.  And after digging, I sadly discovered that it's the policies of Sprint -- a company I've typically had only good things to say about because of its low prices and relatively good service -- that allowed this mess to happen in the first place.

It all started with a message from a number "74248" which read, "Guess What?  Instead of a Birthday Cake, many Russian children are given a Birthday Pie"

"Well, that's odd," I thought.

But occasionally I've received odd promotional texts from standard numbers that somehow mined my data.  And I've been conditioned just to delete or tag spam, so I honestly just ignored it.

Over the next couple months more messages rolled in -- at a pace of exactly one message per month.  A couple of the other messages read:

Guess What?  The reason why flamingos are pink is because they eat shrimp which have a red pigment.  For HELP call 18668611606

Guess What? The placement of a donkeys eyes on its head enables it to see all four feet at all times!  For HELP call 18668611606.

 

And then the most ominous message rolled in, in October (after three months and three messages), reading:

MOBSETTER IQ Fun Facts has billed @ $9.99/mo.  Reply HELP for help, Reply STOP to cancel.  Msg&Data Rates May Apply.
 
Again, I've been conditioned to reject spam, but at this point a lightbulb went on in my brain and I recalled those stories on premium text messages and got a sinking feeling.  So I dialed Sprint.

II. Sprint Condones its Customers Being Scammed

The Sprint customer service rep confirmed that those were premium text messages, at a cost of $9.99 USD each.  The rep asked, "Have you ever signed up for this service?"

"No.  I've never seen or heard of this service in my life.  Clearly this is some sort of data mining/fraud scheme."

The Sprint rep tells me, "Well if someone had access to your phone, they could have sent a message signing you up for this service."

Sprint Sign
[Source: Lisa Poole/AP]

No, I explained, I kept my phone on me at all times, locked, and only I have used it. And I never signed up for "MOBSETTER IQ". 

Eventually the service rep agreed to refund the premium texts.  But I wanted to get to the bottom of this so I probed deeper.  I asked why there was this option in the first place.  I was told that Sprint customers were automatically "opted in" to allow premium texts and I had to specifically opt out (which, at this point I did).  I asked them to double check this with their supervisor.

Indeed, the supervisor confirmed (or at least was of the belief) that Sprint automatically opts its customers into allowing premium rate text messages.

Shocked and beginning to sympathize with the plight of my fellow Sprint subscribers, I asked, "Well are you at least going to block this number from sending messages to other Sprint customers?"

"No.  Some people want to use this kind of service," the rep replied.

Really?  People want to pay $9.99 per text to get nonsensical, grammatically incorrect text messages from a company that clearly engages in fraud?  That's pretty hard to believe.

I asked them to get their supervisor and confirm to me what kind of policy was in place for eventually dealing with scammers.  There had to be some kind of system in place.

The supervisor informed me that indeed, if enough customers called (like I had) to report fraud from a particular premium number, Sprint would block it.  But this blocking was purely reactive.

This was about where our conversation ended and it left me very concerned about the safety and financial security of my fellow Sprint subscribers.

Let me summarize:
  1. It's easy to mine people's phone numbers -- many seemingly legitimate Android apps even do this (technically they have to ask for permission, but if apps like Angry Birds ask for your number, you tend to falsely trust them).  Further, many people give out their numbers for business (as I do as a journalist), so there's yet another source of exploitable numbers.
  2. Once a scammer has your number, on Sprint's network, they can freely send you premium rate texts without warning or opt in, billing you $9.99 per text.
  3. Let's assume that only 50 percent of customers notice this and respond.  After all, if you're paying $120/month for a 4G smartphone + tethering + fees, $10 is somewhat easy to miss, particularly if you're a busy person.
  4. So taking the 50 percent rate, assume that the spammers send 20,000 people one premium text message.  Of those people, 10,000 complain about the message, while the other 10,000 unwittingly pay for it.
  5. Sprint has now handed the scammer ~$100K USD, which the scammer can merrily wire off to a Swiss bank account, as they light up a cigar in their shack in Russia or whatever other region they happen to reside in.
I am appalled that Sprint is letting this happen and any subscriber should be too.  Sprint is absolutely condoning -- effectively supporting, even -- this kind of fraud.

Update:
A Sprint employee emailed me after this article went live, pointing me to this webpage.  It claims:

One of the handy things about a Sprint device is how easy it is to receive mobile content via text message. Premium Text Messaging allows you to enjoy a variety of mobile content supplied by third-party providers, and pay for that content via your cell phone bill. Since you will later be billed for this content, you must subscribe (opt-in) to any Premium Messaging service.

That's nice, but it appears that:
a) At least some of Sprint's customer service representatives are unaware of this policy.
b) People are still getting these messages without opting in.

I find it highly fishy that Sprint's "opt in" system magically stops working on a form of fraud that the company reportedly directly profits off of.  At best Sprint is misleading customers by claiming they're safe if they don't opt in (again in my experience you can get these messages and charges on Sprint without ever opting in).  At worst it's lying to customers in order to participate in a deliberate profit-driven fraud scheme.

III. Verizon and AT&T Offer Stronger Protections

I wanted to get some perspective, so I contacted customer service representatives at Verizon Wireless -- a joint venture of Verizon Communications Inc. (VZ) and Vodafone Group Plc. (LON:VOD) -- and AT&T.

What I found, interestingly, is that both companies offer stronger protections than Sprint.  Most importantly, both offer premium text messaging as opt-in only, unlike what Sprint does.

States AT&T:

Customers' phone accounts are not automatically opted into these messages. A growing number of companies and organizations offer opt-in alerts which, like spam, are also received as messages on mobile devices. "Signing up" can be as simple as texting a code to a number to request more information, receive updates, or enter a sweepstakes. The confusion with spam occurs when subscribers either forget they have signed up for alerts or don’t know how to cancel their subscription.

States Verizon:

Verizon Wireless customers must double opt in to premium SMS programs -- meaning when they send a message to a short code, they are asked to confirm, then they are asked again if they are sure they want to opt in.  Programs must offer options for customers to opt out (for example, "quit" or "stop").  These are industry guidelines organized by the Mobile Marketing Assn.

While this is better than the lax policy I experienced at Sprint, there are still significant issues in that a malware program could in theory send the text opting in and then send the confirmation text, deleting the messages to hide its trail.

As for customers who have experienced fraud, these firms' policies are similar to what I experienced at Sprint.

States Verizon:

Customers who think they have fraudulent charges can call Customer Service to discuss credits.  Verizon Wireless also offers a premium SMS BLOCK at no charge for customers who want to opt out of all of PSMS.

States AT&T:
 
AT&T has been the industry leader in addressing the challenge of cell phone spam. They’ve installed an aggressive "behind-the-scenes" spam-defense system with state-of-the-art network filters, virus traps and other blocking methods that have proven to be effective at screening unwanted messages. In addition, AT&T works closely with lawmakers and regulatory authorities to improve anti-spam laws -- and helps law enforcement agencies identify spammers.

Customers can also sign up for AT&T Smart Limits for Wireless to block phone calls and SMS from specific 10-digit phone numbers as an additional measure to stop unwanted calls and/or messages: http://att.com/smartlimitsforwireless ($4.99 per month/per subscriber). Customers can also contact AT&T Customer Care for assistance with specific issues.

The latter part is a bit noteworthy as AT&T is the only company that suggested it was pursuing law enforcement action against these spammers.  Sprint and Verizon simply seemed to turn a blind eye to this type of fraud (although Verizon had better initial defenses with its double opt-in process).

Only AT&T indicated that it reports PSMS fraudsters to police. [Source: iStockPhoto/Jeff Griffin]

As for whether fraudsters are blocked, Verizon tells me:

While I can't share any specifics on what would cause us to disable a PSMS short code, we do monitor the content providers on a regular basis to ensure they are in compliance.

And AT&T comments:

When customers notify AT&T about being charged for spam, AT&T works with them to resolve the charges. AT&T provides customers who receive SMS and MMS spam with credits to offset the charges. It’s important to note that often AT&T cannot determine if a message is subscribed or unsolicited until the customer brings it to their attention.

Additionally, customers can get more info on how to control spam by visiting: www.att.com/wireless and search "spam."

It was refreshing to see that these companies are at least trying a little harder than Sprint appeared to be.

Note: I reached out to Deutsche Telekom AG's (ETR:DTE) T-Mobile USA, inquiring about their policies, but they did not respond.  I also emailed Sprint's press contact, to confirm the policies that the service manager claimed to me, but received no response.

IV. What Needs to be Done

If you haven't already, I strongly suggest you call your carrier and ask them to block premium text messages to your phone.  

That's a temporary solution, albeit one that requires a bit of effort.  The real solution would be for the government -- or better yet carriers -- to ban these kinds of premium texts.  A text does not cost $0.10, much less $10, and it's ridiculous to think there's virtually any sort of valid use for premium texts.

The industry should ban this type of messaging.

Failing to do so is simply asking for customers to fall victim to fraudsters.  Again remember, premium text fraudsters -- on Sprint at least -- only need your number.  They don't need your permission.  And in theory even if they did need your permission (i.e. AT&T and Verizon subscribers), smartphone malware could give them that permission.

Adopting smartphone antimalware software can help prevent this.

But again, I can't emphasize this enough.  Premium messaging should be banned by the industry.  It's basically asking for customers to be defrauded.



RE: Sprint has always been corrupt
By fearrun on 10/25/2011 3:15:28 PM , Rating: 2
Yes, I can confirm that all Sprint customers that have been with us for several years or more without having any issues recorded under their accounts have been hired as employees and encouraged to troll forums with their biased opinions.

/sarcasm


Copyright 2014 DailyTech LLC.