How I Could Steal Money from Instagram, Google and Microsoft (arneswinnen.net)
384 points by adamnemecek on July 17, 2016 | 65 comments


Do premium phone numbers have any remaining legitimate use? The last time I remember hearing about them was in the context of a callback scam, where scammers would call and hang up after one ring so that people would call the caller ID numbers. Actual pay-per-minute phone services seem like a rare special case that would be better served by having people type credit card numbers into the line with their dialpad.


Not really. The examples mentioned here are very edge case and don't warrant the risk and fraud that this system brings. Big providers love the traffic and can blame things on "international tariffs." Though for all I know, AT&T and so on might have deals that require them to terminate all traffic.

In the US it is compounded by the fragmented telco system. You can find numbers in the US that'll pay several cents (some bill up to dozens of cents/minute). This was really heavily abused by things like FreeConferenceCalls or "sexy local chat" lines. It's also used to provide "radio-by-phone" for expats. They'll target a large immigrant population, then play home-town stations over the phone call. This lets people without data use their unlimited-US calling get radio from home without paying directly. Lots of money to be made coming up with ideas like this.

The FCC has ruled this is mandatory and slapped US telcos that blocked such traffic. Though the owners of such numbers now usually mandate that the business be based or have operations in their jurisdiction to avoid running into more challenges.


I remember a few car parks that were accepting this payment method. I think it is the most illustrative legitimate use case of premium numbers or the pay-by-call method.


Sometimes used for payment and donations, especially in countries where a lot of people have phones but not credit/debit cards (e.g. Germany)


How do Germans buy things online without credit cards?


Direct Debit (0) mostly through PayPal, bank transfer or invoice.

I need to add though that phone payment is mainly used for sites targeted at kids, sites that normal acquirers don't allow (file sharing) and donations (e.g. text XYZ to 000 to donate 5€). Not usually when ordering stuff from Amazon etc.

(0): https://en.wikipedia.org/wiki/Direct_debit


PayPal

Or SofortÜberweisung where you give the login data to your online banking and a TAN to a shady 3rd party company and they perform the wire transfer for you - while sending a confirmation to the merchant that the money has been sent.

No, this is not a joke. https://de.wikipedia.org/wiki/Sofortüberweisung


I am lucky to know nobody that uses this crap of Sofortüberweisung.


Commonly direct debit, which works overnight inside the EU. Also there is PayPal and other prepaid wallets, and a bunch of scattered other payment systems that amount to faster direct debit, which all have the benefit of being fast enough for digital goods.

And more and more, especially younger, people have credit cards for digital purchases (and travelling).


What about paid phone support?


In the article, the author mentions contacting Google + they instruct him to attempt pen testing on please.break.in@gmail.com. Didn't know they maintained an account like that. Interesting.


Am I the only one who thinks that the rewards of 2000, 0 and 500 are incredibly low?

The motivation is much higher to keep the bug for yourself and create several 10 000 easily before anyone ever would notice.


I'm surprised they got anything at all.

A few hundred dollars a year is nothing for these companies, not to mention that if you actually tried to abuse this to a substantial level I am 100% confident that it would be detected and blocked.

It's like filing a bug bounty that you can sign up for multiple AWS accounts and mine bitcoins in the free tier. Up to a certain level, they just don't care. Past that level, you'll be detected and mitigated against.


> if you actually tried to abuse this to a substantial level I am 100% confident that it would be detected and blocked.

Yes, Facebook sounded quite confident that such attempts would be detected and blocked. It seemed like they gave him bounty just to get him out of their hair.


I agree: the main problem with security vulnerabilities is that your users' data gets leaked and it blows up in the media.

If you just lose some money, you can budget for that right next to the risk somebody throws rocks in your window or the risk that somebody steals the company car.


Doesn't AWS require a working credit card to start using the free tier?


They also accept prepaid debit card. I use one in my account.


I used to think this. I have exploits that I can make a ton of money off of (exploiting phone systems). The only issue is that in order to generate money, I need to do illegal things. To sell these exploits, I need to find a criminal buyer. It's like noticing that you can rob people by hacking their smart-lock. It's hard to out-pay criminal activity.

In this case, the attacker would be committing fraud by repeatedly causing calls. But they can probably get away with it. They'll just get cut off. Especially with premium ($0.50+) numbers from more exotic locales - it's too hard to chase people down and prove it. Heck, a US company I advised for lost $90K to a guy in Quebec and it was too hard to bother going after him. We thought about it for about 30 minutes then just gave up.


Abusing a bug is not really worth it imo, otoh reporting it through a bug bounty seems like borderline scam. $500 for bugs supposedly top engineers missed and you worked on for days (e.g. communicating with the respective teams can take up considerable time) is a measly return. I get that money might not be the main concern here, but people could really negotiate a fee before disclosing the details. Lowballing this hard is mildly insulting imo.


On the other hand, it gives the author credibility and it's probably good for finding a good job.


And the write-ups drive lots of traffic to their blog which could be monetized. Additionally they can get speaking engagements from it.

Saw a talk on bug bounties a while ago. The people getting the most bounties are in India.


'Negotiation' can be interpreted as extortion or blackmail. Bug bounties do not seem worth it unless there is no obvious way to make money or you have more to lose by exploiting it than disclosing.


Not quite. Blackmail is defined as demanding money in order to not reveal something.

As long as there's no threat of selling the exploit to another party, there's nothing illegal about it.


As they explained, the bug doesn't affect other users. There's no data compromise.


Only if you're motivated solely by money. In which case you'd frankly be better doing neither and getting a more conventional job.


The risk I suppose would be getting caught. I'm sure quarterly fin. auditing would detect something abnormal after a while.


They mention that they have monitoring that would quickly notify people if any significant amounts of money started to be stolen.


If the price per bug is increased, then there will be motivation among developers to create bugs and sell them to bug hunters.


Are you referring to highly paid Google, FB engineers?

A few thousand extra bucks totally worth risking your job and possible jail time.


I understand how these calls would cost Instagram/Google/Microsoft money. But, could someone please explain why a call to a premium number "earns" the account holder money?


So you can obtain a premium number, and then when anyone calls you on that number they get charged the rate that you set per minute and after fees, you get the money. That's how pay per minute phone services (esp. adult services) work.

So what he did was to get one of those numbers and then have Google / Facebook / Instagram call that number repeatedly and that's how he would get money.


But the phone company requires ID and bank info to obtain a premium number. And then when you do this, google calls them to complain, and phone company terminates your account, keeps the money, and reports you to the police for fraud. Doesn't seem like a very good exploit.


This isn't true. You can get such numbers all over the world; some you can sign up for online and they provide reasonable anonymity. You can make a lot of money doing scammy stuff and the risk of being prosecuted is pretty low. It's just not worth trying to go after some guy with an account with a telecom in Elbonia.

The cases of telecom fraud that I know of that were caught are usually due to incredible arrogance on the perpetrator's fault. In one case, he actually called the company he was attacking to gloat that they could never get him. (The company used a super-vulnerable-yet-expensive switch that literally had bugs like "&admin=1 gets superuser".) I've not seen a VoIP system that was remotely secure.


You would be the one behind the premium number.


The account holder is the operator of the premium number. When they set up the premium number, they receive a large portion of the fees of any calls to that number.


A friend runs some SIP networks; he said sometimes when hackers get access to a line they make calls to premium numbers in North Korea and other places. They can run up $5000 bills pretty quickly.


I think I recall viruses doing the same in the early 90's, so this isn't exactly a new idea.


In some parts of the world it was the kind of thing you could have happen to the household by just letting your stupid little brother look at one or two naughty ads in the back of a magazine ..


I think there was a TV show or ad instructing children to pick up the phone and hold it near the TV which then was playing dial tones.


please source someone!!!


That's very common, yes. But it's also idiotic for general VoIP providers to allow access to such numbers. There's no reason they need to do that, and they hurt themselves and customers. Many of their US customers don't even need international dialing for the most part.

While you can make some money off fraud on normal-priced international calling it certainly makes it much more difficult and noticeable.


It's why malware that lets you call and text from a compromised phone is so dangerous to your typical user.


I would have thought that North Korea would be flagged as spam.


IIRC certain providers do block them, Comcast specifically comes to mind (despite their website giving it a calling rate)


If you haven't already, call your phone provider and tell them to disable premium calls/texts/services. They're obsolete and quite a number of them are pure scams.


Why go to the effort if I have literally never had it show up on my bill? If it did I wouldn't pay it.


Does that actually work? I've always been curious if you could actually "not pay it".


If you can convince your provider that the calls were not legitimate or the premium number provider did not disclose fees, etc. your provider will probably tell the premium number's provider to pound sand. Or convince them it was your kid. At least in the US, people under 18 cannot make these calls and so don't have to pay.


Wouldn't you, at best, just get cut off if you didn't pay?


Sure, refuse to pay my cell phone bill and switch to one of the 3 competitors. Luckily cell phones are not a monopoly so I have options.

It won't come to that though. They will listen to a complaint and reverse a charge I didn't authorize.


> Sure refuse to pay my cell phone bill and switch to one of the 3 competitors.

Unless it's a massive set of charges, the resulting collections activity and credit score hit will likely cost a lot more than you're saving by ignoring the bill.


>refuse to pay my cell phone bill and switch to one of the 3 competitors

You can't just "refuse to pay your cellphone bill" just like you can't just refuse to pay your credit card bill or refuse to pay your electric bill.


Sure you can.

"I did not authorize this charge. If you disagree, take me to court."

So they can drop the charge, or they can take you to court. I find my chances fairly good at disputing a charge I did not authorize in front of a judge. I am willing to take that risk.


Cool idea. My sense is that they would catch on before the amounts reached anything substantial, but who knows. Either way, fun as a thought experiment.


I wonder what "substantial" would mean to a company like google or microsoft.

Besides, if the exploiter spreads the calls out well enough, I wonder how long it would take until it gets detected..


Reminds me of when I was a kid and used the next phone over to accept a third party paying call. Or, when answering machines in the early 90s only had two digit pass codes. I would change the outgoing message to "yes yes yes yes yes ..." so when the automated machine checked if the phone would accept charges it would.


Anyone else think that the bug bounty rewards were quite low?


Yeah, but it seemed that they were low because both Google and Microsoft value the security of customer data over their own finances, and thus don't care as much about exploits that drain their wallets. Resulting in a lower bounty.


Nah, Microsoft revealed they outsourced all the financial risk to a "partner" and didn't care for it :-)


You certainly deserve a bug bounty bonus from all these companies.


Amazing... so any service that sends an automated call to premium numbers can be exploited in this manner.


The smaller ones would be using services like Twilio, I would imagine. Does Twilio insulate users from this at all?


Looks like the call fails and they return an error message.

"Twilio does not support outbound calls [...] to [...] premium rate telephone numbers."

https://www.twilio.com/help/faq/voice/what-types-of-phone-nu...
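The two defences this thread circles around (refusing premium-rate destinations outright, as the Twilio FAQ above describes, and noticing when one destination keeps receiving the automated verification calls described a few comments up) can be modelled as a small outbound-call guard. This is an added illustration, not code from the article, Twilio or any of the companies discussed; the prefix denylist, the rate limit and the sample call events are constructed for the example, so a real service would load the premium-rate ranges its carrier or regulator publishes instead.

```python
from collections import defaultdict

# Constructed denylist: country code + premium-rate prefix, digits only.
# Real deployments load the published premium-rate ranges for each country.
PREMIUM_PREFIXES = ("449", "1900", "49900")

# Constructed policy: at most MAX_CALLS_PER_DEST verification calls to the
# same destination within WINDOW_SECONDS.
MAX_CALLS_PER_DEST = 3
WINDOW_SECONDS = 3600


def normalize(number: str) -> str:
    """Strip '+', spaces and dashes so a number is a bare E.164 digit string."""
    return "".join(ch for ch in number if ch.isdigit())


def is_premium_rate(number: str) -> bool:
    """True if the destination falls inside a known premium-rate range."""
    return normalize(number).startswith(PREMIUM_PREFIXES)


class CallGuard:
    """Decides whether an automated verification call may be placed."""

    def __init__(self):
        self._history = defaultdict(list)  # destination -> call timestamps

    def check(self, number: str, now: float) -> str:
        """Return 'allow', or a 'deny:...' reason for refusing the call."""
        dest = normalize(number)
        if is_premium_rate(dest):
            return "deny:premium-rate destination"
        # Keep only calls still inside the window, then apply the cap.
        recent = [t for t in self._history[dest] if now - t < WINDOW_SECONDS]
        self._history[dest] = recent
        if len(recent) >= MAX_CALLS_PER_DEST:
            return "deny:rate-limit for destination"
        recent.append(now)
        return "allow"


def replay(guard: CallGuard, events) -> list:
    """Run (timestamp, number) events through the guard, one decision each."""
    return [guard.check(number, ts) for ts, number in events]


# Constructed sample: a normal user, a premium-rate number (German 0900
# range, fictional digits), and an ordinary number hammered with requests.
SAMPLE_EVENTS = [
    (0, "+1 202 555 0100"), (10, "+49 900 123456"),
    (20, "+1 202 555 0199"), (30, "+1 202 555 0199"),
    (40, "+1 202 555 0199"), (50, "+1 202 555 0199"),
    (3700, "+1 202 555 0199"),
]
```

The rate limit is per destination rather than per account because the attack pattern in the article is many accounts pointed at one number.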


Super cool!

When input validation doesn't stop at ";&' and similar :)


How could they miss that?!



