The dangers of SMS top-up: a security exploit in practice
The NMHH decided to bring proceedings due to cases of abuse in which scammers cite various pretexts (prize competitions, data reconciliation, etc.) over the phone to persuade mobile users to send a text message to a phone number set up by Magyar Telekom Nyrt. for SMS top-up, thereby topping up the account linked to the SIM card of a subscriber unknown to them. Scammers call unsuspecting subscribers and ask them to type into the SMS a string of numbers that, although meaningless to a casual observer, actually comprises a phone number and a sum of money, e.g. 30 8437844 10000. The operator’s system, however, interprets this string as a request by the SMS sender to top up the universal account linked to the specified phone number (ultimately the scammer’s account) with the specified amount, e.g. HUF 10,000, debiting the sender’s own account. Customers can be scammed for a maximum of HUF 15,000 at a time.
With regard to the universal account topped up in this way, “universal” means that its balance can be used for purposes other than making calls, for example mobile purchases. Money is therefore transferred between the two subscriptions without the SMS sender ever intending a transfer. Among Hungarian mobile operators, Telekom was the only one to offer this top-up method to its subscribers; the other operators did not use it.
The risk lies in the fact that SMS can be used for purposes subscribers do not know about and cannot be expected to know about: the SMS top-up option does not have to be ordered or specifically enabled by subscribers, because the operator makes it available on every SMS-capable phone, yet a postpaid customer cannot be expected to know about options available to prepaid subscribers. Money can therefore be transferred from a subscriber’s account without their knowledge and against their intention simply by sending an SMS; they may not even suspect that texting a string of digits to a standard-rate number initiates a transfer that tops up a prepaid SIM card with a specific amount. What is worse, SMS top-up did not require any form of security authentication from subscribers. The operator later introduced two-step verification of the subscriber’s intention to top up: a transaction was only started if the text contained the word “FELTÖLTÉS” (TOP-UP), after which the operator notified the subscriber that a top-up had been initiated, offering the option of not replying if they did not want to top up. Even so, overall it remained far too easy to abuse the SMS-based top-up option in its existing form.
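An added illustration, not Telekom’s or the NMHH’s code, of the two handling models described above: the original behaviour, in which a bare string of digits is treated as a transfer instruction, beside a hardened variant that requires the FELTÖLTÉS keyword, an explicit opt-in, the HUF 15,000 cap and a positive reply instead of treating silence as consent. The exact message layout, the IGEN reply word, the Account class and the opt-in flag are assumptions made for the example.

```python
import re

# Constructed illustration, not the operator's code; the message layout follows
# the article's example "30 8437844 10000": a phone number, then an amount in HUF.
REQUEST_RE = re.compile(r"^\s*(?:(?P<kw>\S+)\s+)?(?P<number>\d{2}\s?\d{7})\s+(?P<amount>\d+)\s*$")
KEYWORD = "FELTÖLTÉS"   # confirmation word cited in the article
MAX_HUF = 15000         # per-transaction maximum cited in the article

class Account:
    def __init__(self, balance_huf, topup_enabled=False):
        self.balance_huf = balance_huf
        self.topup_enabled = topup_enabled   # hardened: explicit opt-in required
        self.pending = None                  # (target, amount) awaiting a reply

def parse(text):
    """Return (keyword or None, target number, amount) or None if not a request."""
    m = REQUEST_RE.match(text)
    if not m:
        return None
    return m["kw"], m["number"].replace(" ", ""), int(m["amount"])

def weak_handle(acct, text):
    """Original behaviour: any bare 'number amount' string is executed at once."""
    parsed = parse(text)
    if parsed is None:
        return "ignored"
    acct.balance_huf -= parsed[2]
    return f"sent {parsed[2]} HUF to {parsed[1]}"

def hardened_request(acct, text):
    """Keyword, opt-in and cap are all required, then wait for an explicit reply."""
    parsed = parse(text)
    if parsed is None or parsed[0] != KEYWORD:
        return "ignored"                     # digits alone never move money
    _, target, amount = parsed
    if not acct.topup_enabled:
        return "rejected: SMS top-up not enabled on this account"
    if amount > MAX_HUF:
        return f"rejected: amount above {MAX_HUF} HUF"
    acct.pending = (target, amount)
    return f"confirm {amount} HUF to {target}? reply IGEN"

def hardened_reply(acct, reply):
    """Only a positive reply executes; no reply or anything else cancels."""
    pending, acct.pending = acct.pending, None
    if pending is None or reply is None or reply.strip().upper() != "IGEN":
        return "cancelled"
    target, amount = pending
    acct.balance_huf -= amount
    return f"sent {amount} HUF to {target}"
```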
The NMHH’s decision to ban the top-up method in its existing form
Although the operator took a number of measures during the proceedings in order to enhance the security of this method and safeguard the interests of its subscribers (including changing the text of the verification question and the string of characters to be sent), the NMHH’s investigation made it clear that these solutions are currently not effective enough to provide subscribers with adequate protection given the risks involved. Telekom refused to compensate scammed subscribers on the grounds that it is not liable for their loss, even though the abuses were committed through its system. Due to the infringements, the NMHH decided to ban Telekom from using this top-up method from the date when the decision becomes final until the security measures required to protect subscribers financially are in place. The decision is yet to become final, as the operator may appeal against it.
Advice for subscribers: report scam attempts to the police and use other top-up methods
The NMHH advises users not to fall for scams in which unknown individuals try to persuade them to send any string of numbers via SMS. They should ignore such requests or, if they have already suffered a loss, report it to the police.
Although this top-up method will be unavailable, Telekom subscribers will not be left without a way to top up their cards as, similarly to other operators, Telekom offers a number of other options. They will be able to top up their accounts with their bank cards through ATMs, via call centres and online customer services of certain banks, on the website of the operator or using cash or bank card at the till in shops that provide this option.