Vodacom is currently facing a spate of subscriber complaints regarding airtime disappearing from accounts due to rogue Wireless Application Service Provider (WASP) subscriptions. Of great concern were reports from two Vodacom customers who found that Vodacom’s own WASP had subscribed them to content services without their consent.
MTN faced similar challenges with airtime theft and fraudulent subscriptions last year, though never with its own WASP, and rolled out several measures to stamp out such fraud. Much like debit order fraud, the fight against rogue WASPs is a game of cat-and-mouse where the fraudsters are always trying to find a way to exploit loopholes in the systems of mobile operators.
On 14 December 2011, Vodacom was the first network in South Africa to adopt a “double opt-in” system for WASP subscriptions. Under this system, the network itself sends a confirmation request to a subscriber when it receives a request from that subscriber’s number to sign up for a WASP’s services.
MTN and Cell C implemented double opt-in systems two years later. Telkom didn’t allow WASP subscription on its mobile network at all and therefore did not need to implement double opt-in. While a double opt-in subscription system for WASPs was a welcome security measure, it was no silver bullet.
Several WASPs found ways to exploit opt-in notifications, tricking subscribers into clicking on them and inadvertently signing up for services they didn’t want. MTN subscribers also fell prey to “click-jacking” attacks, where malicious software would take control of their web browser and subscribe them to a WASP.
Fraud detection with machine learning
To combat these emerging trends in WASP fraud, MTN said it rolled out several new anti-fraud measures. One of these is fraud detection and blocking software called Secure-D, which MTN implemented in 2018.
“Secure-D is embedded into MTN’s user consent page. In addition to using many deterministic methods to prevent fraud in real-time, it uses various machine learning models to help detect different suspicious activities,” the company stated. “For example, programmatic button clicks and user agent spoofing use different models.”
After it implemented Secure-D in September 2018, MTN said it saw a blocking rate of 92% in 2019. Because Secure-D had already blocked web ad fraud in 2019, which made the market landscape unattractive for fraudsters, the blocking rate fell to 46% in 2020.
MTN said that despite its best efforts, it is aware that some click-fraud can bypass its systems.
“That is why we have implemented additional measures to prevent the scourge of click-fraud from impacting our customers. Even if a bot or malware has subscribed someone to a service, our double opt-in requirement forces a confirmation button to be clicked. In addition, we send an SMS to the customer advising them that they have been subscribed to a service and giving them 24 hours to cancel the subscription without being charged.”
The company said that in many cases it is this SMS from MTN which triggers alarm from customers, and they have not been charged because of this measure. “We also send a weekly SMS to customers for each service alerting them to the fact that they are subscribed, and including a link to unsubscribe.”
MTN said that since the implementation of the fraud detection software in 2018, as well as its strict policies and processes, it has seen a 73% decrease in fraud-related queries across its customer support services.