
Require 2 factor authentication to sign up for payforit texts

By: andy69 | 12-08-2018 18:00

A lot of people are asking about being charged for payforit texts when they didn't subscribe to them in the first place, and how to stop further charges and get their money back. One way would be to require that the initial text is not charged for but is replaced with a text asking you to authorise the subscription. If you want to receive them, then you just follow the instructions in the text to authorise it. It could be to follow a link or to reply by text. After authorisation, you receive the original text and are charged. If you don't authorise it, you just ignore it and no charges are applied.
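The flow proposed in the post above, sketched as a network-side confirmation gate. This is an added example, not part of the original post and not giffgaff's or Payforit's code. The class `OptInGate`, the `send_free_sms` callback, the six-digit code, the 10-minute expiry and the three-attempt limit are all assumptions made for illustration.

```python
import hmac
import secrets
import time

CONFIRM_TTL = 600   # assumed: seconds a pending request stays valid
MAX_ATTEMPTS = 3    # assumed: wrong replies allowed before the request is dropped


class OptInGate:
    """Hypothetical network-side gate: a merchant request becomes a charge
    only after the subscriber confirms it from their own handset."""

    def __init__(self, send_free_sms, clock=time.time):
        self.send_free_sms = send_free_sms  # callable(msisdn, text), not billed
        self.clock = clock
        self.pending = {}   # msisdn -> request awaiting confirmation
        self.ledger = []    # (msisdn, merchant, pence) charges actually applied

    def request_subscription(self, msisdn, merchant, pence):
        # The network generates the code, so a merchant cannot assert consent itself.
        code = f"{secrets.randbelow(10**6):06d}"
        self.pending[msisdn] = {"code": code, "merchant": merchant, "pence": pence,
                                "expires": self.clock() + CONFIRM_TTL, "attempts": 0}
        self.send_free_sms(msisdn, f"{merchant} wants to charge you {pence}p. "
                           f"Reply {code} to authorise. Ignore this text and "
                           "you will not be charged.")
        return "pending"

    def handle_reply(self, msisdn, text):
        req = self.pending.get(msisdn)
        if req is None:
            return "no_pending_request"
        if self.clock() > req["expires"]:
            del self.pending[msisdn]        # ignored requests lapse without a charge
            return "expired"
        if not hmac.compare_digest(text.strip().encode(), req["code"].encode()):
            req["attempts"] += 1
            if req["attempts"] >= MAX_ATTEMPTS:
                del self.pending[msisdn]    # stop code guessing
                return "locked"
            return "wrong_code"
        del self.pending[msisdn]            # one-time use
        self.ledger.append((msisdn, req["merchant"], req["pence"]))
        return "charged"
```

Because the ledger is written only inside `handle_reply`, a merchant that merely claims the confirmation step took place cannot produce a charge.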



by: cristo69
on: 28-12-2018 01:31

This HAS to be done, I won't be topping up again until it is.

by: celinego
on: 27-12-2018 10:19

This is an excellent idea as my 16 yr old has just been conned out of £3 per week subscription by a company called Taptronic / Fitguru. Yes, we've blocked and I've called them and they're refunding but this idea would have prevented all of that.

Also, as my son is a minor, can't giffgaff also automatically block all premium services/numbers from minors' accounts? A child may not even notice such a premium number text, not tell their parents, and therefore continue to be exploited by such underhand scammers.

by: andy69
on: 17-10-2018 14:01

Here's a website that checks one of the ways numbers were leaked. For me, no phone number leak is detected whilst browsing over mobile network. See http://www.mulliner.org/pc.cgi.

See https://nakedsecurity.sophos.com/2012/01/25/smartphone-website-telephone-number/

Is there another way for a number to be leaked? If so, how?

by: jaymailsays
on: 17-10-2018 23:28

That website has not been given the decipher codes by giffgaff/Telefonica. Payforit Merchants have paid for access to your mobile number during mobile browsing and they can decode the header info. Even using a VPN does not always protect you. Use WiFi whenever you can as that protects your information by isolating the mobile network from your browsing and hence payforit (part controlled by Telefonica). Occasionally O2 mess up and the number is on view to everyone.

Occasional Naked Security contributor Terence Eden has made a video demonstrating the problem:

The evidence.

by: andy69
on: 19-10-2018 07:42

Isn't that video linked to from the article I posted above? https://nakedsecurity.sophos.com/2012/01/25/smartphone-website-telephone-number/ i.e. before O2 fixed that issue. Is there a link to another website that we can use to test, as the one in the video just hung for me?

by: joe_mattinson
on: 18-09-2018 10:42
That's a brilliant idea, supported.

Having read down the replies, it's apparent that this is a fix to a deeper problem: GiffGaff and other networks give out our mobile numbers over xG networks which allows 3rd parties to process payments straight to our mobile accounts.
Whilst this can be useful, there is no protection for us against any scammers who just take our numbers and charge us without reason - it is simply theft.

And, GiffGaff get a cut of the profits of the PayForIt service that services these payments, so they have no incentive financially to stop them happening.

GiffGaff MUST do something to prevent theft from their members - us!
Either allow a bar on Charge to Mobile, or your suggestion of 2-factor authentication would work; I prefer your solution as it gives the users control.

Thank you!

by: suzisuz
on: 24-09-2018 07:51

2-factor authentication sounds good to me, like you said JoeM it gives the users control.

by: mattj37213
on: 23-09-2019 16:21

I was scammed by 'paid phone services' that I never wanted or knowingly subscribed to when with EE. I tracked down the companies behind it and out of principle as much as anything got them all to refund me. When speaking to the EE advisor he was able to block any further 'paid phone services' (note. I could still ring premium numbers however).

If Giffgaff could use multi-factor authentication to prevent people from subscribing to these things unknowingly, that would be a major plus for the network and would save a lot of people a lot of money and hassle, I am sure.

by: andy69
on: 15-09-2019 16:50

I don't understand how this has been marked as implemented. As far as I'm aware giffgaff have not implemented 2FA for payforit but are relying on the merchants to be honest with their extra step. People are still being scammed because some of these merchants are claiming that the extra step has been done when it hasn't.


by: bertiebat
on: 13-09-2019 13:59

I would be really pleased if this has been implemented but without exact details I'm reluctant to say this has.

It's important to know if we are to use this information when advising on help and support.

by: iant103
on: 03-09-2019 15:34

I have just received a text from "WAPSTAR" claiming that I had subscribed to something I have no knowledge of, I responded immediately with a STOP text that has cost me 10p, if I had been slower it would have cost me £4.50.

This is mugging by text it must be stopped!

by: kengra
on: 25-08-2019 14:53

Great idea. Am not sure how feasible it is to add this to the existing O2 infrastructure.

by: scrupps
on: 20-08-2019 15:12

It is outrageous that Giffgaff isn’t all over this and helping to protect customers from these scams. Giffgaff - stop messing about with stupid ideas like gameplan and sort this out now.