Last summer, Alphaville fell victim to a scam.
We know this is what they all say, but honestly – it wasn’t our fault. The scam was the result of undetectable malware which signed us up for a “games service” via our Vodafone phone contract, and extracted cash from our bank account over several months in the process.
This was a small and briefly infuriating episode which we had largely forgotten about until the PSA Authority, a telecoms regulator who we speculatively complained to last year, recently emailed us with the news that the company providing the service had been fined.
The scam cost us about £27 in total, which we eventually recouped through refunds. But it also hit tens of thousands of other people. And the overall experience provides a glimpse, in an age of internet transactions, of the rising capacity of malicious software to get hold of our money.
So here’s what happened. (Technically, this only happened to one member of the Alphaville team, but there’s safety in numbers).
On June 8, 2018, we received a mysterious text message, which read as follows:
We had never heard of, never mind subscribed to, applicateka, or NRS. And at the time, replying STOP seemed like a worse strategy than ignoring the text, so we ignored it. The assumption, at the time, was that the risk of losing money was low unless we actually did something. That assumption turned out to be wrong.
A month later, the next text arrived: a “reminder” that we were subscribed. At this point, we thought it at least worth checking our Vodafone statement. And, lo and behold, we had been charged £4.50 in the month of June. In the July statement, the monthly bill was £60.27, compared to the normal rate of £42.27. We had been charged £4.50 a week; the additional £18 appeared in the “other” section:
So in June, we lost £4.50, in July, £18, and in August, another £4.50. We received a text on Monday 23 July from the NRS-Group, confirming that the service had been deactivated (even though we cancelled in July, the billing month ran from mid-July to mid-August), after our request.
Somewhere around this time, we endured a series of calls with Vodafone customer service, where we tried to explain that we had not signed up for this service, and asked for a refund. It emerged that Vodafone, by default, allows third-party charges on its contracts – often for charity donations, or entering radio competitions.
Vodafone customer service disagreed about the refund, and pointed us to NRS Group, who we duly contacted. In September, NRS Group sent the following email:
The company in question, seemingly based in Spain, appeared to provide “games services”, although we had absolutely no idea what these would be, given we had never played any games on this particular phone. Even though the amount of money was not enough to ruin us, it was at least equal to a round of pints in London (an entirely separate scam). So out of principle, we complained to the regulator, which we had, up until that point, never heard of.
The Phone-paid Services Authority (PSA) regulates content, goods and services charged to phone bills in the UK. As above, phone contracts take money from your bank account every month. They have the power to essentially use your bank account to purchase other services – such as games, or charitable donations. In theory, this should be done with your consent.
In November, we received a refund of £27 in our Vodafone bill, meaning we only paid £22.42 that month.
A year after the whole debacle, we received an email from the PSA, which said: “In response to your complaint about this service, the Executive commenced an investigation”. The subsequent decision of a panel was that the service was in breach of the “Code of Practice”. Net Real Solutions received a formal reprimand and a fine of £200,000, alongside various other requirements it had to meet.
What had actually happened? NRS had received over 700 complaints since early 2017. The PSA generously published a 50 page document on the case. You can read it in its entirety here. There are several moving parts, but the important point – at least based on our own experience – is the malware.
The report refers to the “Level 1” provider and the “Level 2” provider. At the top of the report, the following disclaimer appears: “The identities of some third parties referenced in this adjudication have been anonymised”. We understand, based on subsequent questions, that the Level 1 provider is a company called mGage. This company connects the “merchant” (NRS Group) to the mobile network operator (in our case, Vodafone – though in this case customers of other mobile network operators were also affected).
The “level 2” provider, Net Real Solutions, or NRS, gave the following description of its service to the regulator. A user clicks on a banner advertising “hundreds of games”, and then goes through to the following page:
We did not recall clicking on this page. In fact, we’re pretty much certain we didn’t. And it turns out that, thankfully, we hadn’t gone insane. It was the malware. According to the PSA report, mGage provided the following explanation of how it worked:
The malware affected the customer’s website whereby it allowed the merchant to raise a request for a new service, at this point before the page was loaded, the malware intercepted the url to Consent page and change it effectively to create a successful subscription.
By doing this the malware enabled the request to skip the first two pages of the payment flow (call-to-action and confirm-action) and call the create action (this is where the subscription is created) directly.
In other words, the malware was able to subscribe people without their consent.
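The bypass mGage describes works only if the create action runs without proof that the two earlier pages were served. As an added illustration (not code from the PSA report, mGage or NRS), this Python example shows a server-side check that refuses such a request; the step names come from the quote above, while the token scheme, function names and session IDs are assumptions.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Step names follow the payment flow quoted above; everything else is hypothetical.
STEPS = ("call-to-action", "confirm-action", "create")
SERVER_KEY = secrets.token_bytes(32)  # server-side secret, never sent to the client


def _tag(session_id: str, step: str) -> str:
    """MAC binding one completed step to one browser session."""
    msg = f"{session_id}|{step}".encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()


def complete_step(session_id: str, step: str, prev_token: Optional[str] = None) -> str:
    """Serve one step of the flow and return the token required by the next step."""
    idx = STEPS.index(step)
    if idx > 0:
        expected = _tag(session_id, STEPS[idx - 1])
        if prev_token is None or not hmac.compare_digest(prev_token, expected):
            raise PermissionError(f"{step} requested without completing {STEPS[idx - 1]}")
    return _tag(session_id, step)


def create_subscription(session_id: str, confirm_token: Optional[str]) -> dict:
    """Create action: succeeds only with proof that confirm-action was served."""
    complete_step(session_id, "create", confirm_token)
    return {"session": session_id, "subscribed": True}


def demo() -> dict:
    """Constructed sessions: one full flow, then two attempts that skip the pages."""
    t1 = complete_step("sess-A", "call-to-action")
    t2 = complete_step("sess-A", "confirm-action", t1)
    results = {"full_flow": create_subscription("sess-A", t2)["subscribed"]}
    attempts = {"direct_create": ("sess-B", None), "replayed_token": ("sess-B", t2)}
    for name, (sid, token) in attempts.items():
        try:
            results[name] = create_subscription(sid, token)["subscribed"]
        except PermissionError:
            results[name] = False
    return results


if __name__ == "__main__":
    print(demo())
```

A check like this addresses only the page-skipping described in the quote: software that loads each page in turn would still collect the tokens, so it does not by itself prove that a person consented.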
It turns out that 33,450 people were subscribed to the service between May and July 2018 (also when we were). At £4.50 a week, that’s a cool £150,000 a week, or £8m a year. mGage suspended the service at the end of July 2018.
In its published statements for the investigation, NRS blamed the problem on “affiliate marketing” with a company referred to in the document as “Affiliate 3”. mGage also blamed this affiliate, but this company is anonymous in the report. That affiliate had signed a contract with NRS in December 2015 which prohibited certain behaviour, including prohibitions around malware.
The report also mentions the word “refund” a few times. We were initially refused a refund, you’ll recall, after NRS falsely claimed that we had in fact signed up for the service. In October, we received two texts saying we’d been refunded £4.50 each on November 2, 2018. In our November bill, we got the whole £27 back.
This meant we were no longer down, but we’d gone through quite a few hours of unbearable phone calls, emailing, complaining and generally wandering around in a state of agitated fury.
NRS Group did not respond to a request for comment for this article. mGage did not respond to a request for comment either. Vodafone, however, did provide a long statement. It said: “Vodafone does not directly contract with ‘merchants’ such as the NRS Group but instead we work with contracted third parties, called Trusted Payment Intermediaries (TPI)”.
The spokesperson went on:
Whilst many of these providers offer valuable services from one-off donations to large charities to single purchases in mainstream App stores, unfortunately fraud does occur. We take the security and protection of our customers extremely seriously, and operate a comprehensive monitoring program to ensure that all third-party companies in the value chain keep strictly within the industry regulation. To this end, Vodafone instructed the TPI to suspend NRS in mid-July 2018 after a malware incident was detected by our program.
We’re no longer down on this, and given we’re now reporting on it, with ourselves as one of the primary sources, we’re happy to forgo any compensation for the time.
This article has been updated to clarify the refunds.