How to Make Prepaid Phone Plans Work Without Paying for It?
In order to prevent abuse, I do not name the operator.
It all started when I bought a SIM card from an operator with a pay-as-you-go plan on arriving in the USA. This is the most common type of plan: you pay per minute, message and megabyte from a balance that needs to be topped up.
I had Wi-Fi everywhere, and cellular service was needed mostly for incoming calls and occasional mobile data. The problem with American operators, however, is that the balance on your account can simply expire. Here it expired after 30 days, meaning the money in the account just burned. It could be carried over entirely to the next month, but only if you made at least some top-up. I decided to make the minimum top-up to stay in touch.
I went to my account on the operator's site and tried to make a deposit from a bank card. As a result, after a few months, several tens of "useless" dollars had accumulated on the account with no chance of spending them.
As I walked past an operator's outlet in one of the shopping centers, I saw ordinary top-up cards (scratch cards). They had the same denominations as those offered for payment on the site. Apparently because of my intuitive craving for experiments, I decided to buy such a card, again for $5. When the time came to pay, I began to examine the card. The principle seemed to be the usual one: you can simply type the command with the card number and activate it, or you can "roam" the USSD menu (commands of the *XXX# kind). Again out of a desire to experiment, I chose the long way through the menu. Among the options it offered were checking the balance, activating a scratch card, and topping up the account with a bank card.
In Canada I had somehow only ever dealt with entering card data online, so paying by card through such a menu was interesting to me (after all, these payments were the subject of my diploma), although it seemed unsafe (again, in Canada card details are usually taken in a separate window of the acquiring bank, not handed to the merchant in the clear). I decided to try. I was immediately surprised by the prompt to enter the amount. That is, I was not offered a standard choice of sums, like everywhere else; I was asked to type the amount. I chose $1, entered the card details in the next steps, and the payment went through. It is easy to guess what came next: I tried $0.01, and that went through too.
One could be glad that I no longer needed to transfer $5 to my balance every month but only 1 cent, and end the experiment there. But after a couple of hours I wanted to look again at the account on the operator's website and its top-up options.
So. I am offered a form with the card data, the amount, and so on. I watch what the POST request for the form submission looks like. I copy it, paste it into Postman and try to replay the request. The server responds with an error; it seems some tokens in the form are expiring.
I decide to go the simple way. I am offered to choose the amount from a drop-down list. Of course, this is an ordinary select with a list of options.
Only the value is sent to the server. The 5, 10, 30 after the hyphen I understand: that is the top-up amount. But what does the first part of the value mean? Are there constants for it in the source code, or is the amount simply taken from the submitted data?
I try it. I set REG12-0.01 as the value of one of the options, enter the card data and submit. A message appears: "Thank you. $0.01 load amount has been credited to your prepaid number." The same amount was charged to the card. Everything seems fine. You can choose any amount, although I had already discovered this through USSD, so nothing new.
But here is the main point. I receive an SMS at the number: "$30 was credited to your account". The account balance increases by this amount.
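As an added example (not code from the post or from the operator), here is a minimal Python model of the top-up handler: the insecure version derives the card charge from the client-supplied option value, while the hardened version takes the price from a server-side catalogue and treats any mismatch as tampering. The product codes, the prices, and the assumption that the charge and the credit were computed from different parts of the value are all constructed to reproduce the behaviour described above.

```python
from dataclasses import dataclass
from decimal import Decimal, InvalidOperation

# Constructed catalogue: product code -> price the customer must pay.
# Only the "REG12" prefix appears in the post; the rest are placeholders.
CATALOG = {
    "REG5": Decimal("5.00"),
    "REG10": Decimal("10.00"),
    "REG12": Decimal("30.00"),
}


@dataclass
class Result:
    charged: Decimal   # amount taken from the bank card
    credited: Decimal  # amount added to the prepaid balance


def topup_insecure(option_value: str) -> Result:
    """Assumed vulnerable logic: the charge comes from the amount the
    client embedded after the hyphen, the credit from the product code.
    "REG12-0.01" therefore charges $0.01 and credits $30."""
    code, amount = option_value.split("-", 1)
    return Result(charged=Decimal(amount), credited=CATALOG[code])


class TamperedRequest(ValueError):
    """Raised when the submitted value does not match the catalogue."""


def topup_hardened(option_value: str) -> Result:
    """Price is resolved server-side from the product code only; the
    client-sent amount is compared against it and rejected on mismatch,
    so charge and credit always come from the same trusted source."""
    code, _, amount = option_value.partition("-")
    price = CATALOG.get(code)
    if price is None:
        raise TamperedRequest(f"unknown product code {code!r}")
    try:
        claimed = Decimal(amount)
    except InvalidOperation:
        raise TamperedRequest(f"malformed amount {amount!r}")
    if claimed != price:
        # Worth alerting on: a mismatch here is a tampering indicator,
        # since the browser UI can only submit catalogue values.
        raise TamperedRequest(f"amount {claimed} != price {price}")
    return Result(charged=price, credited=price)
```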
There have been many such publications about various popular services on this site, and there will probably be more. In the process of developing systems (especially in companies without a strict IT focus), there are practically no tests or controls for security and vulnerabilities, and it seems the situation will not improve in the near future. Fortunately, no personal user data is affected here. It is hard even to call this experiment a break-in; in fact, all that happens is the usual sending of the desired amount to the server, in return for which the operator's billing decides to top up the balance by a thousand times more than the amount chosen.