A fraud thread: o2 + Boku + PSN

Well, it looks like some nice person has managed to spend £80 on their PSN using my son's phone number to make purchases. He doesn't have a PlayStation or a PSN account and he assumed that the OTP SMS that he received was phishing.

I've reported the fraud to o2 already and told them to block any payments made on third-party apps (it's on by default, and the £0 spend cap we have enabled doesn't apply to third-party payments - ridiculous). Hopefully the money is recovered and more action is taken.

The payments are via a third-party platform called Boku. Looking at their Trustpilot reviews, it seems this is a common thing and that the company is an absolute **** show to deal with.

My understanding of how this has happened is as follows:
- Scammers buy 10,000s of phone numbers at a time
- Methodically input numbers into accounts (such as PSN) to see if any are associated with a number
- If a number is successfully added, they then look to intercept SMS messages:
- Bingo. Payment made, OTP captured, rinse and repeat.

Has this happened to anyone else?
 
The only part that's non-trivial is the intercept SMS messages part. How did this happen? Was any attempt made at social engineering, i.e. contacting your son? Have you checked the phone for malware? Intercept is not bad for free.

Thanks for the reply, just installed that on his phone which hasn't come up with any issues.

I'm wondering if a 'free trial' of Malwarebytes or similar might be an idea.
 
Which phone is it? Some phones will have a privacy manager that will tell you what has SMS access; for Pixels it's Settings -> Security and privacy -> Privacy controls -> Permission manager -> SMS. I would check there if it's available and see if you notice anything suspicious. There's a chance AV apps will miss these; there's only so much they can do due to limited access to the deeper parts of the OS.

However, this is assuming the intercept is happening on the phone... if it's on a network level, then it'll be up to O2.
 

He's got an iPhone of some sort. Which I assume is pretty secure and difficult to work around the built-in security measures.

Apparently, o2 have closed the case already... but they've not mentioned what the outcome is...
 
Sony have passed the buck to Boku. Boku don't have a call centre. Only a web portal support service.

Sony didn't seem to give a single ****. Really disappointed with their washing hands of it, despite me having transaction IDs for the purchases.
 
Boku got back to me and has processed a refund, which could take 1-2 months to be reimbursed to my o2 bill.

Sounds like Sony will ban the account the purchases were made from (though surely they should do an IP ban).
 
Action Fraud replied and said:

'It has not been possible to identify a line of enquiry which a law enforcement organisation in the United Kingdom could pursue.'

Or in other words, 'it's too difficult, so we can't be bothered'.
 