Automatic Text Charges

(Jack) #21

I’m curious about this, how does this work on HTTPS connections? Surely the mobile operators wouldn’t be able to unscramble the data to add a header into the request?

(Tom ) #22

This happened to me. It was a real battle to get O2 to refund me for something I never asked for and didn’t ever put my details in any form for.

I’ve now blocked this kind of thing entirely from my O2 account.


It is very unlikely to be legal but also very hard to prosecute someone

(Jonathon) #24

Surely the mobile operators have to be involved in it though? For the companies to have access to my number?


It is possible the ad was able to skim some kind of meta data which included your number somewhere.

There was an issue a few years ago with autofill data being skimmed but I believe Google were very quick to solve this and as I said it was a few years ago if not more

(Jonathon) #26

Ugh. I hate this kind of stuff. It’s practically theft.


They probably don’t need to; the scheme (hypothetically) might require the participating websites to be served over HTTP.

That being said, if they wanted to, they could proxy your HTTPS traffic. Many network providers have their root certificates in the trust stores of popular OSes, and have them preinstalled on the phones they sell.

(If you’re super interested, there’s an interesting paper on Android’s trust store: It’s from 2014, and much has changed since then, but it’s an interesting read all the same)

(Andre Borie) #28

A popup can’t gain access to your phone number, no web browsing could accomplish that.

It definitely can if the popup is one of the “partners” (partner in crime that is) of your carrier. Essentially they intercept HTTP traffic towards the partner and add a header containing your phone number. In some cases the way they do it isn’t even locked down to “partners” and anyone requesting a specific URL can get your number (ads and other stuff can exploit this).

This lovely contraption is called “WAP billing”, basically a way for companies scammers to deliver value foist expensive bullshit upon unsuspecting customers, all under the excuse that customers don’t feel safe passing out card details around and “WAP billing” is a better solution (although any legitimate service like Apple, Spotify, Netflix, etc doesn’t seem to have any issues taking card payments - I wonder why :thinking:).

Normally it’s supposed to be “safe” with the user having to explicitly opt-in, either through SMS (the user should send an SMS) or through a page on the carrier outside of the “partner”'s control. However security on those is often bad and I wouldn’t be surprised if the “partners” figured out a way (clickjacking? CSRF?) to fake a click on the opt-in page. The carriers don’t have any incentive to fix this either (good luck even reporting it to them - I’ve tried; had to get in touch with the ICO as none of the monkeys would escalate the matter to anyone competent) so it stays that way.