Premium Rate Fraud Exploit for Google, Microsoft and Instagram

Bug finder Arne Swinnen likes to make money by spotting the flaws in other people’s software. He identifies their mistakes, then reports them to the developers in order to claim a cash bounty as his reward. It is lucky for Google, Microsoft and Instagram that Swinnen is an honest guy, because he recently found flaws in their services that would lead those services to make premium rate telephone calls… and we all know how that can be exploited by fraudsters to generate a lot of cash, a lot less honestly.

The weaknesses found by Swinnen all stem from the desire of consumer tech firms to make money from the mobile ecosystem. All tech giants have realized that smartphones can be a great tool for generating revenues – the user pushes a few buttons at any time, wherever they are, and the cash flows instantly. But setting up the services to grab this revenue may necessitate a phone call or two, and these tend to be automated. So when they also allow the user to control which number will be dialled… you can see where this is headed. Arne documented his exploits here, but only after telling the tech firms so they could close the loopholes in their systems.

Swinnen’s insight leads me to a serious observation. Many developers want to take advantage of the huge and growing number of smartphones. A tiny share of an enormous marketplace can be worth a lot. But if tech giants like Google can be caught out, how many start-ups are going to cut corners and make mistakes, paying for calls to verify what they hope will be lucrative customers, without recognizing the danger that they can be abused? Telcos find it difficult enough to differentiate between a call to a legitimate number and those to a premium rate line managed by a scammer. How many tech firms will have implemented the kind of fraud monitoring needed to identify an unusual pattern of calls or very high volumes of usage? Telcos have got used to the parasites of organized crime, always looking for ways to steal via a network. Some software developers and cloud providers are going to learn that these leeches will suck the blood from their business too.
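The fraud monitoring described above is simple to state and simple to build. The following is an added example, written for this page and not code from Swinnen’s write-up or from any of the services named; it runs the two checks a telco would expect, a premium rate prefix denylist and a sliding-window velocity count per destination and per account, over a constructed log of automated verification calls. The prefix list, thresholds, account names, IP addresses and phone numbers are all constructed for illustration.

```python
"""Detect abusive automated verification calls in a constructed call log.

Added example for this page; not code from any of the services discussed.
Prefixes, thresholds and the sample log below are constructed.
"""
from collections import defaultdict, deque

# Constructed denylist of premium rate prefixes in E.164 form. A real deployment
# would load the current premium and shared-cost ranges from the carrier or regulator.
PREMIUM_PREFIXES = ("+1900", "+44909", "+44908")

WINDOW_SECONDS = 3600          # sliding window for the velocity checks
MAX_CALLS_PER_DEST = 3         # verification calls to one number per window
MAX_CALLS_PER_ACCOUNT = 5      # verification calls one account may trigger per window

# Constructed log: "unix_ts,account,source_ip,destination_number"
SAMPLE_LOG = """
1000,alice,203.0.113.5,+1 555 123 0001
1010,bob,203.0.113.6,+1 900 555 0199
1020,mallory,198.51.100.7,+44 7700 900123
1030,mallory,198.51.100.7,+44 7700 900123
1040,mallory,198.51.100.7,+44 7700 900123
1050,mallory,198.51.100.7,+44 7700 900123
1060,carol,203.0.113.9,+1 555 123 0002
1070,mallory,198.51.100.7,+44 7700 900124
1080,mallory,198.51.100.7,+44 7700 900124
"""


def normalize_number(raw):
    """Strip formatting so '+44 7700 900-123' and '+447700900123' compare equal."""
    digits = "".join(ch for ch in raw if ch.isdigit())
    return "+" + digits


def is_premium_rate(number):
    """True if the normalized number falls under a denylisted prefix."""
    return number.startswith(PREMIUM_PREFIXES)


def parse_log(text):
    """Parse 'ts,account,source_ip,destination' lines into tuples sorted by time."""
    records = []
    for line in text.strip().splitlines():
        ts, account, ip, dest = (f.strip() for f in line.split(",", 3))
        records.append((int(ts), account, ip, normalize_number(dest)))
    return sorted(records)


class VelocityCounter:
    """Sliding-window counter: events seen for a key within the last `window` seconds."""

    def __init__(self, window):
        self.window = window
        self.events = defaultdict(deque)

    def add(self, key, ts):
        q = self.events[key]
        q.append(ts)
        while q and ts - q[0] >= self.window:   # evict timestamps outside the window
            q.popleft()
        return len(q)


def analyse(records):
    """Return alerts as (reason, key, count); each velocity key alerts only once."""
    alerts = []
    per_dest = VelocityCounter(WINDOW_SECONDS)
    per_account = VelocityCounter(WINDOW_SECONDS)
    already_alerted = set()
    for ts, account, _ip, dest in records:
        if is_premium_rate(dest):
            alerts.append(("premium_destination", dest, 1))
        # Premium calls still count towards velocity: a blocked attempt is a signal too.
        n_dest = per_dest.add(dest, ts)
        if n_dest > MAX_CALLS_PER_DEST and ("dest", dest) not in already_alerted:
            already_alerted.add(("dest", dest))
            alerts.append(("dest_velocity", dest, n_dest))
        n_acct = per_account.add(account, ts)
        if n_acct > MAX_CALLS_PER_ACCOUNT and ("account", account) not in already_alerted:
            already_alerted.add(("account", account))
            alerts.append(("account_velocity", account, n_acct))
    return alerts


if __name__ == "__main__":
    for reason, key, count in analyse(parse_log(SAMPLE_LOG)):
        print(f"{reason:20s} {key:20s} count={count}")
```

Run as a script it flags bob’s single call to the premium prefix, the fourth call to the same destination within the hour, and mallory’s account once it exceeds five verification calls. The same two counters can sit in front of the dialler rather than behind it, refusing the call instead of logging it, which is the cheaper place to stop the bill from growing.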

Eric Priezkalns
Eric is the Editor of Commsrisk. Look here for more about the history of Commsrisk and the role played by Eric.

Eric is also the Director of the Risk & Assurance Group (RAG), a global association of professionals working in risk management and business assurance for communications providers.

Previously Eric was Director of Risk Management for Qatar Telecom and he has worked with Cable & Wireless, T‑Mobile, Sky, Worldcom and other telcos. He was lead author of Revenue Assurance: Expert Opinions for Communications Providers, published by CRC Press. He is a qualified chartered accountant, with degrees in information systems, and in mathematics and philosophy.