Are O2 making it easy for the Fraudsters…?

A now-familiar pattern is emerging in reports of vulnerabilities believed to lie with the mobile telecommunications provider O2, previously ‘Cellnet’.

It is believed fraudsters are exploiting the mobile phone company’s lack of electronic transaction processing checks in order to find out whether or not fraudulently obtained credit/debit cards are still active.

The most recent case of this comes from online mountain bike retailer chainreactioncycles.com: at the beginning of March 2011, many of its customers reported amounts of £15, often two separate amounts of £15, withdrawn from their accounts (believed to be test purchases by the fraudsters) and paid to the mobile telecommunications service provider O2 for Pay As You Go top-up credit services.

It is believed the fraudsters use the likes of O2 because of their weak approach to identity and owner verification and authorisation when processing credit and debit card transactions for top-up credit services from Pay As You Go customers, or, in this case, fraudsters!

The fraudsters make use of O2’s poor security processes by fraudulently obtaining an individual’s credit or debit card details. This can be done by infiltrating insecure websites, by gaining physical access to an individual’s card, such as at a petrol station or restaurant, or by noting the card details (card number, expiry date and CVV signature code) when they are read out over the phone for takeaways or mail order.

They then make a top-up, or a series of top-ups, with a mobile communication provider such as O2, using the stolen details to purchase additional credit. If the credit is added to the phone, the fraudster knows that the card works at that point in time: it is valid and has not yet been cancelled, or the owner is unaware that their card details have been compromised.

The victim, the person whose details have been compromised, only becomes aware of the fraudulent transaction once it appears on their statement, or if their bank contacts them out of courtesy when the transaction is presented to their account.

At this stage, if it is confirmed that the transaction is fraudulent, the bank reimburses the affected customer(s) with the amount taken, cancels the existing cards and PINs, and issues new cards and PINs to the affected customer, all at the bank’s expense.

The problem is that it appears to be the banks which are forced to pick up the bill when reimbursing targeted customers, whilst the likes of O2, with less than adequate security in place, are able to retain the fraudulently obtained amounts and profit from them.

This type of fraud is both easy to conduct and difficult to trace because the handsets are Pay As You Go: there are no fixed contracts and no requirement for a customer (or fraudster) to register the handset or hand over any identifiable form of ID when purchasing a PAYG device, and tracking the purchaser via credit or debit card records is simply avoided by paying cash over the counter.

However, O2, like many other mobile phone operators, could simply avoid all of this by introducing a secure payment processing system for their PAYG customers, requiring the likes of –

  • A 4-digit PIN set up on the mobile phone account.
  • Registration of the PAYG handset with a name, address and contact number as well as a credit or debit card.
  • Cross-referencing of credit and debit card transactions and analysis of them for familiar patterns.
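One way the third control (cross-referencing top-up transactions and looking for familiar patterns) could be implemented, as an added example and not O2’s or any operator’s real system: a small Python routine that scans top-up records for the patterns the post describes (a second £15 top-up within minutes, several cards loaded onto one handset, one card spread across many handsets). The record layout, thresholds and sample data are constructed assumptions for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample PAYG top-up records: (timestamp, card_token, handset, amount in GBP).
# Card tokens and phone numbers are placeholders, not real card or phone numbers.
SAMPLE_TOPUPS = [
    ("2011-03-02 09:01:00", "card_A", "07700900001", 15.00),
    ("2011-03-02 09:02:30", "card_A", "07700900001", 15.00),  # second £15 within minutes
    ("2011-03-02 09:05:00", "card_B", "07700900001", 15.00),
    ("2011-03-02 09:06:10", "card_C", "07700900001", 15.00),
    ("2011-03-02 09:07:45", "card_D", "07700900001", 15.00),  # four cards on one handset
    ("2011-03-02 10:00:00", "card_E", "07700900002", 10.00),  # ordinary customer
    ("2011-03-03 18:30:00", "card_E", "07700900002", 10.00),  # same customer, next day
]

def parse(records):
    """Convert raw tuples into (datetime, card, handset, amount), sorted by time."""
    parsed = [(datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), c, h, a) for ts, c, h, a in records]
    return sorted(parsed)

def flag_card_testing(records, window=timedelta(minutes=30),
                      max_cards_per_handset=3, max_handsets_per_card=3,
                      repeat_window=timedelta(minutes=10)):
    """Return a set of (reason, key) alerts for top-up patterns typical of card testing.

    many_cards_one_handset: several distinct cards loaded onto one handset within `window`.
    one_card_many_handsets: one card used to top up several handsets within `window`.
    rapid_repeat: same card, same handset, same amount again within `repeat_window`.
    Thresholds are assumed values for the example, not an operator's tuning.
    """
    alerts = set()
    by_handset = defaultdict(list)   # handset -> [(time, card)]
    by_card = defaultdict(list)      # card -> [(time, handset)]
    last_seen = {}                   # (card, handset, amount) -> time of last top-up
    for when, card, handset, amount in parse(records):
        by_handset[handset].append((when, card))
        recent_cards = {c for t, c in by_handset[handset] if when - t <= window}
        if len(recent_cards) >= max_cards_per_handset:
            alerts.add(("many_cards_one_handset", handset))
        by_card[card].append((when, handset))
        recent_handsets = {h for t, h in by_card[card] if when - t <= window}
        if len(recent_handsets) >= max_handsets_per_card:
            alerts.add(("one_card_many_handsets", card))
        key = (card, handset, amount)
        if key in last_seen and when - last_seen[key] <= repeat_window:
            alerts.add(("rapid_repeat", card))
        last_seen[key] = when
    return alerts
```

A flagged handset or card would be held for the kind of owner verification the first two controls provide, rather than having the credit applied immediately.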

There clearly appears to be an issue with O2’s (previously Cellnet) security around electronic payment transaction processing, one which differs greatly from other mobile telecommunication providers, as O2 seem to be the ones hitting the headlines over and over again for the same thing.

It is believed this has been ongoing for over a decade now, first being reported back in 1999 by pardoe.net, a site dedicated to documenting and providing information to those who have fallen victim to the fraudsters and, even more so, to O2’s lack of security.

Exposure of this issue has varied between 1991 and 2002, including an appearance on BBC Watchdog. Yet it appears O2 have failed to fix the issue and provide an adequately secure solution for accepting and processing PAYG electronic card payments.

There are many discussions online over whether this is O2’s responsibility or whether it is a matter between the affected customer (the victim) and the bank/card issuer. The fact is, it is O2 with the poor payment processes in place that allow this to take place and allow the fraudster to obtain money. Surely, if a customer does all that is reasonably required to protect their cards and their personal data, O2 should be accepting some responsibility here and not leaving it up to the banks to refund customers for the mobile telecommunication company’s lack of investment in appropriate security.

If you have been affected by this, please get in touch with us at info@forhacsec.com, leave a comment or post in the ForHacSec Forum.

This entry was written by Zac, posted on Friday March 18 2011 at 05:03 pm, filed under Fraud & Scams, Law Enforcement, Mobile.
