Malware and New Mobile Phone Payment systems
What could possibly go wrong?
The premium rate phone regulator says it might disregard evidence of consumer consent from paid-for mobile applications if those apps turn out to contain malicious code. Under PhonepayPlus' Code of Practice, premium-rate service (PRS) providers are prohibited from charging without consumers' consent. Certain PRS providers must …
And it's good to be sceptical in this field. So, I like it. If they could get the word "rape" in there somewhere it would be even more suitably scary, but off-putting I suppose. But "Pay" and "Plus" already are quite scary, in the context.
I just read about a guy who got drunk on a visit to Poland and had his phone not stolen. Unfortunately. Stolen would have been so much better for him, read here:
Oh my, you can't do this in Blighty? I guess credit where credit's due. I have a phone for the kids with Vodafone in Oz. It's PAYG with credit lasting 365 days. ALL mobile data, premium rate services, international calls, i.e. everything but local calls and local texts are disabled by Vodafone, it's nothing to do with the phone. I had to explicitly request this, but it is available and means that a single $30 recharge lasts about a year.
I agree 100%. It is wholly irrational for anyone, under any circumstance, to be able to charge your phone bill for tens or hundreds of pounds. There should be a low cap for one-off charges (a fiver?) and an even lower cap for these scams where your phone gets charged repeatedly for rubbish like ring-tones, wallpaper or horoscopes*.
* For the avoidance of doubt, I haven't been robbed for these things, but my son was unfortunately sufficiently naive to be caught out. Until, having put a tenner on his PAYG account, I told him to check it *15*minutes*later* and found that three (!) £2.50 charges had been taken immediately. I phoned the network and told them they could refund the money or give me a PAC code.
1) All networks should be required to disable international phone and text messages which go to premium rate numbers on a country or region by region basis (i.e. I can enable calls to US premium rate numbers without suddenly enabling calls to Burkina Faso premium rate).
2) Users must explicitly opt in to enable these services (obviously not through automated means via the phone).
3) All domestic premium rate providers should be required to deposit a lump sum of cash in escrow, e.g. £10,000 which if necessary can be used to compensate users who complain and should be forfeit for gross violations of the code.
4) Network providers should insist that all smart phones regardless of operating system explicitly intervene and ask for permission whenever any 3rd party application installed by the user attempts to access SMS or Phone services. The user should be able to override this from a setting on a per application basis, but the default behaviour is to ask.
In other words, practice security by default. A user can override the defaults if they must, but the attack surface is so much less to begin with.
I applaud your intent - but it's never going to work. It relies on the mobile phone companies knowing about all the premium rate numbers both in the UK and overseas.
In the UK, the number plan (whilst not perfect) is fairly easy to understand. (01 & 02 landlines, 07 mobiles (et al), 03 & 08 non-geographic, 09 premium) Other countries' number plans are less easy to understand: Brazil is one country that springs to mind for having a hideous dial plan.
At my work, I've had to tell our telco when a new international destination needed adding to their network routing tables. Or when they charge the wrong amount for a call 'cause they have the wrong charge band for it (mobile Vs landline, for example).
If there was a global list of these premium rate dialing codes, it *might* just stand a chance, but that would require a lot of international co-operation.
Legally putting the burden for fraud on the telcos would make them hop to it double fast. Like you say they'd either have to swallow the costs of the fraud or recoup them from another telecoms provider. In no time they'd get their house in order and would start withholding money from known "problem" providers to cover for any claims that could be expected to arise.
1/ Ofcom/Networks allocate the short codes/premium rate numbers to the Premium Rate Industry.
2/ Premium Rate Industry think up ways of making our phones ring the premium rate numbers or receive the premium rate message.
3/ Our Network bills us, pockets 50% of the money and passes the rest on to the Premium Rate Industry. They also pass on all the blame for the 'fraud' and the complaining customer.
We have been here before and learnt nothing. The rogue dialer is dead, long live the rogue dialer.
May I please submit this entry:
'When proposing the draft guidance in September last year, PhonepayPlus chief executive Paul Whiteing said that the regulator would "not hesitate to use [its] robust sanctioning powers to drive out rogue providers who could damage a vital part of the UK’s growing and innovative digital and creative economies".'
Bonus words are: Guidance, Might Disregard, Code of Practice, Should Not be Necessary, Easy to Understand for the Reader, Strongly Recommended,
How about a responsible person capable of using simple words like "DO" and "DO NOT" instead of waffle, please.
Biting the hand that feeds IT © 1998–2019