Fraud and airtime theft on Vodacom’s network
Fraudsters are using a gateway developed by Vodacom to steal millions in airtime from its subscribers – often the poorest South Africans – with virtually no risk of criminal charges.
Last week, MyBroadband revealed that Vodacom’s prepaid customers were targeted by rogue Wireless Application Service Providers (WASPs) which stole airtime from them on a mass scale.
After this article was published, MyBroadband received numerous complaints from both prepaid and contract subscribers who said their airtime was stolen by WASPs.
One industry player, who has been operating a WASP for over a decade, told MyBroadband that mobile operators are enabling this fraud and are well aware of it.
“No WASP can take a subscriber’s airtime without the operator fully knowing about it – and enabling it,” he said.
Another industry player told MyBroadband they have been battling with Vodacom about fraudulent billing on 129 prepaid SIMs for a long time, without much success.
“Vodacom has always seen this as a revenue stream and has confirmed the theft despite the misery caused. It’s criminal and should be thoroughly investigated,” he said.
He suggested that all mobile subscribers who have lost funds should be refunded and a penalty for allowing this fraud to occur should be levied.
How much money is stolen from subscribers?
Vodacom and other mobile operators have never released figures about how much money they make from premium-rated SMS and content subscriptions.
They have also not released accurate figures on the amount of fraudulent billing which occurs on their networks.
Two industry players previously told MyBroadband that billions in airtime have been stolen from mobile subscribers in South Africa over the last decade, but this cannot be verified.
The closest to a real figure was revealed in Vodacom’s Integrated report for the year ended 31 March 2019, where it said:
“Digital services represented 2.8% of service revenue, a 0.4ppts decrease, following a 41% decline in subscription-based content services revenue, as a result of our stringent policies to minimise content fraud.”
In the 2017/2018 financial year, digital services revenue was around R2.29 billion, which declined to approximately R2.11 billion in the 2018/2019 financial year.
According to Vodacom’s annual report, the R181-million decline was therefore mainly caused by limiting fraudulent content subscription services.
This figure gives a rough estimate of the scale of the problem and shows that Vodacom knows just how much money was stolen from its subscribers each year.
What Vodacom said about WASP fraud
When MyBroadband asked Vodacom about WASP fraud and airtime theft, spokesperson Byron Kennedy said the company has been effective in reducing fraudulent WASP activity on its network.
“Following numerous measures implemented in 2018, fraudulent WASP activity has decreased substantially,” he said.
What this comment implies is that fraudulent WASP activity and airtime theft were far more rampant prior to the new measures imposed in 2018.
This is of concern because Vodacom was aware of fraudulent WASPs stealing its subscribers’ airtime – and it provided those WASPs with the tools to do it.
Vodacom launched its WASP business model on 1 November 2002, and within months, 70 WASPs launched 103 SMS services.
Initially, these WASPs had complete freedom to bill any Vodacom number they wanted, and it was not long before reports of fraudulent billing emerged.
It was nearly impossible for Vodacom subscribers to block WASP billing or get their money back, which is why many simply threw their SIMs away and obtained a new number.
It was the Wild West, where mobile subscribers were sitting ducks for rogue WASPs to steal money from.
Vodacom was making so much money from premium-rated SMS and content subscription services that it did not want to interfere with this business model.
However, after media pressure related to WASP billing in 2008, Vodacom started to comment on WASP fraud on its network. Here is what it said:
- 2009 – This year, WASPA has instituted stricter measures to ensure fair business practice. These include the implementation of tighter rules, effective monitoring and control, and stricter sanctions against WASPs who breach the Code of Conduct.
- 2010 – Certain channels of communication such as SMS, MMS, USSD and the Internet can be used to perpetrate fraud against customers. Vodacom SA is a signatory to the Code of Conduct for Cellular Operators, which aims at preventing harmful behaviour by WASPs using the company’s network. The company has teams of testers who review WASP services for quality and compliance.
- 2012 – Vodacom was the first network operator to launch double opt-in business rules to make customers fully aware of pricing and related information when using wireless application service provider (‘WASP’) services. In the absence of a suitable technical solution, enforcing this standard has been difficult as the onus was on the WASP to comply. In response, we developed a way to enforce compliance and have taken full ownership of protecting our customers in this way.
The reality is that fraudulent billing and airtime theft by rogue WASPs continued, and Vodacom subscribers collectively lost millions in airtime each month.
The fact that Vodacom said “fraudulent WASP activity had decreased substantially” in 2018 means that it was significantly worse before that. This is 10 years after it said it was fighting unfair practices.
Measures to stop fraudulent billing and airtime theft
There are three measures which can help to prevent fraudulent billing or serve as a deterrent for this criminal activity.
- Block WASP billing by default.
- Refund all subscribers who have been billed by a WASP if that WASP is found to be guilty of airtime theft.
- Lay criminal charges against WASPs which are found to be guilty of fraud.
Vodacom is unwilling to implement any of these measures, however, which means there is virtually no risk for WASPs who steal money from Vodacom subscribers.
If they are caught committing fraud using the gateways provided by Vodacom, the worst that can happen is that they must refund a small percentage of the money they have stolen and they will be banned.
To make the situation worse, Vodacom does not even require all WASPs which bill its clients to be members of WASPA.
Fraudulent WASPs can easily bypass the WASPA Code of Conduct – and therefore avoid sanctions like fines or suspension – by using Vodacom’s Charge To Bill service.
WASPA GM Ilonka Badenhorst confirmed they do not have jurisdiction over services where mobile operators do not require their partners to be members of the organisation.
Here are the reasons Vodacom gave for not implementing the measures above to protect its subscribers:
1. Block WASP billing by default.
Similar services around the world, such as Apple iStore and Google Play, are active by default and provide customers with the convenience of paying for content services and subscriptions without having to continuously re-enter credit card/payment details. Through the Vodacom payment platform, for example, customers can subscribe to the likes of Showmax, Deezer, and Office 365 in addition to hundreds of games, sport, and small business services.
2. Refund all subscribers who have been billed by a rogue WASP.
We seek to ensure that affected customers are fully refunded on first contact with Customer Care. We pass the large majority of credits to customers, if not for all queries, as our standard practice is to refund the customer first and then investigate the query later.
We have and will refund customers on a proactive basis. For instance, in 2018 we took a decision to make ex-gratia payments to customers simply on the basis that they had not made use of certain services.
3. Lay criminal charges against WASPs which are found to be guilty of fraud.
In terms of the criminal process in South Africa, only the defrauded party is permitted to open a police case. Vodacom is fully committed to assisting relevant authorities in instances where customers open criminal cases.
Kennedy added that they take a hard line in the event that a third-party contravenes any agreement they may have with Vodacom or the likes of WASPA’s code of conduct.
“We have, and will continue to suspend and terminate the services of WASPs and their affiliate content aggregators and will continue to investigate reported transgressions and then ensure that we take appropriate action,” he said.
Vodacom making millions from legal and illegal WASP billing
The reality is that Vodacom has been making millions from both legal and illegal WASP billing, and it is not prepared to lose out on this money.
Mobile operators take a large chunk of the money from premium-SMS and content subscription services.
If a subscriber is billed R1 for a premium-rated SMS, for example, the WASP gets anywhere between 3c and 15c of the price. The rest goes to the mobile operator.
Refunds are nearly negligible when compared to total WASP billing. In 2018, for example, refunds related to fraudulent WASP activity on Vodacom’s network only amounted to R6 million.
Industry players told MyBroadband they have been trying to convince Vodacom to stop this blatant criminal activity, but without success.
The sad reality, they said, is that the poorest South Africans, living in townships and rural parts of the country, are the worst affected.
“Vodacom has allowed rogue WASPs to steal airtime from the poorest South Africans for years,” one industry player told MyBroadband.
“I hope they realise how devastating it is for someone who only has R10 per month to buy airtime.”