
New Mobile Phone/Credit Card scam.

A friend of mine checked his online bank statement recently and found an unauthorised transaction for O2(UK)LTD PREPAY for £30.00 nestled amongst his porn charges and World of Warcraft subscription. Since he hadn’t used an O2 phone in over a year, this was quite a surprise, and a spot of Googling turned up more than a few people with the exact same problem.

So what is this O2(UK)LTD PREPAY? For starters, it’s a genuine debit on your card made by O2 – formerly BT Cellnet. The problem, of course, is that you didn’t actually make such a purchase, and you’re so paranoid about Credit Card Fraud that you keep your cards in a tinfoil envelope, so how did someone steal your credit card details?

The answer is... they didn’t. Credit Card numbers are generated using an algorithm which makes it possible to easily check their validity before submitting them to a payment processor. Unfortunately, that same convenience means that anybody can whip up a simple program to test 16-digit numbers that pass the validity checks.

So now you have a valid card number, the next thing you need is the expiry date. Since there are only 12 possible expiry date values per year it’s trivial to check until you get a hit. Most cards only last a maximum of five years so you only need check 60 combinations. If you get a hit, congrats – you have a card you can use for fraud.

But wait – surely the only way you can test a card number and expiry date is to actually go ahead and try to buy something? And even then, don’t you have this Verified by Visa step to go through where you have to enter your password? Well ordinarily, yes you would, but if you happen to find a company that is pathetically lax in the way they accept Online Credit Card payments – for example O2 in the UK – then you can enter just these details and see if the card works.

The O2(UK)LTD PREPAY that you see on your statement is a fraudster testing your card number and an expiry date and getting a hit. If you do not cancel your card straight away, you will soon find your card statement filled with purchases you didn’t make, things like TVs, cameras or more phone topups.

O2 are not the only company who allow anyone to enter any card details to top up any phone. Keep an eye on your bank or credit card statement for any of the following:

If you didn’t make these purchases, call both your bank and the business involved immediately. Ask the bank to cancel your credit or debit card and issue you with a new number, and ask the business listed on the statement to investigate.

Worryingly, we’ve heard that the bank/business will tell you not to bother contacting the police over the matter. Whether you do or not is up to you of course, and if you get your money back without problems (aside from changing your cards) then you may not want the extra hassle, but the fact remains that a crime has been committed and those businesses with lax online card security have no incentive to improve matters if people don’t complain. I would suggest getting a crime number just for peace of mind – it at least helps you prove to the bank that you are serious about the fraud even if the likes of O2, Orange and iTunes are not.

So why don’t O2 etc put a stop to this?
From their point of view, why should they? Airtime actually costs very little for mobile phone companies to provide, so if they have to refund £30 to someone’s card, they actually lose a lot less than that. Add to this the unknown number of transactions that you can guarantee are never spotted by the card owners and you’ll come to understand that O2 are making a profit from this scam.

People should really be complaining to Visa and Mastercard, petitioning them to threaten O2 et al with the loss of their credit card processing facilities unless they tighten up online security. There is absolutely no reason, in this day and age, for this kind of lax attitude to be permitted – they are enabling fraud on a massive scale, profiting from it and appear to have no intention of changing things.
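One merchant-side control that would catch the expiry guessing described above, as an added example that is not part of the original post and not any operator's real code: refuse an attempt once a single card has been tried with too many different expiry dates, or once too many different cards have been tried against one phone number. The thresholds, the key, all names and the sample attempts are assumptions constructed for illustration, and attempts are assumed to arrive in time order.

```python
import hashlib
import hmac
from collections import defaultdict, deque

KEY = b"constructed-demo-key"  # assumption: a per-deployment secret
WINDOW = 24 * 3600             # assumed look-back window in seconds
MAX_EXPIRIES_PER_CARD = 3      # assumed threshold
MAX_CARDS_PER_TARGET = 3       # assumed threshold

def card_token(pan):
    # Keyed hash, so the detector never stores raw card numbers.
    return hmac.new(KEY, pan.encode(), hashlib.sha256).hexdigest()

class CardTestingDetector:
    def __init__(self):
        self.by_card = defaultdict(deque)    # card token -> (ts, expiry)
        self.by_target = defaultdict(deque)  # phone topped up -> (ts, card token)

    @staticmethod
    def _distinct(queue, now, value):
        # Record this attempt, drop entries older than WINDOW, count distinct values.
        queue.append((now, value))
        while now - queue[0][0] > WINDOW:
            queue.popleft()
        return len({v for _, v in queue})

    def check(self, ts, pan, expiry, target):
        """Return reasons to refuse the attempt before it reaches the card processor."""
        token = card_token(pan)
        reasons = []
        if self._distinct(self.by_card[token], ts, expiry) > MAX_EXPIRIES_PER_CARD:
            reasons.append("expiry-guessing")
        if self._distinct(self.by_target[target], ts, token) > MAX_CARDS_PER_TARGET:
            reasons.append("many-cards-one-target")
        return reasons

# Constructed sample: (seconds, test card number, expiry, phone being topped up)
ATTEMPTS = [
    (0, "4111111111111111", "01/27", "07700900001"),
    (5, "4111111111111111", "02/27", "07700900001"),
    (9, "4111111111111111", "03/27", "07700900001"),
    (14, "4111111111111111", "04/27", "07700900001"),  # fourth expiry for one card
    (3600, "5555555555554444", "09/26", "07700900002"),  # ordinary customer
    (3650, "5555555555554444", "09/26", "07700900002"),  # retry with the same expiry
]

def run(attempts):
    detector = CardTestingDetector()
    return [detector.check(*a) for a in attempts]
```

A customer who mistypes an expiry date once or twice stays under the threshold, while a run through the 60 possible dates is refused after the fourth.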


