This is a summary of Cellnet's response to the BBC1 "Watchdog" programme, aired on 11. March 1999. Cellnet are taking money from the credit card accounts of thousands of innocent people, even though they haven't got a Cellnet phone.

Steve Pardoe's Comments on Cellnet's PR Response to Watchdog for 11/3/1999 (& minor correction 21/2/2001).

Some of the questions and answers (4 out of 10) were routine and not contentious. Six selected for comment below are conspicuous by the disingenuous or simply false answers which Cellnet gave.

Cellnet assert that credit card fraud is a reality across all industries, but this is precisely why all industries require some backup to credit card numbers at the transaction time: signature, PIN, card present (mag stripe), etc. Only in Cellnet's model is the knowledge of the card number and expiry date, even in the absence of the card, sufficient to validate a Cardholder Not Present transaction where the user can remain anonymous. This information is not secret: it is printed on every credit/debit card transaction slip, and shop/garage till drawers are full of them.

Regarding the security checks which Cellnet carry out on top-up credit card payments, Cellnet say that as with all prepay systems, the credit card is checked through normal banking validation procedures and it is the banking system which determines whether the credit card is to be accepted for each transaction.

This is a disingenuous answer. Of course the card will be validated by the banking system; that's the whole point. It's just not being used legitimately, which is what Cellnet fail to check.

When asked whether Cellnet or any other organisation can trace a prepay phone user who is using a stolen credit card to pay top-up fees, Cellnet say that fraudulent use of a credit card, for whatever purpose, will show up on the card holder's statement, and reimbursement will be made by the relevant bank. Cellnet say they are able to provide information to the police or the issuing bank on request.

This is another disingenuous answer. Cellnet told me (and didn't deny to Watchdog) that they don't keep any record correlating credit card top ups with phone numbers, so in fact they can't trace the user, turn off the phone or assist the Police with enquiries.

If it now suits them to say that they can, after all, trace the fraudulent user of a particular phone, why don't they tell me who it is that's been using my card number, or at least where the phone was bought and is being used, so I can avoid having my new credit card number compromised like the old one was? Cellnet can't have it both ways: one of their statements must be untrue.

When asked to confirm that a hundred people have contacted Cellnet in connection with prepay phones and credit card fraud, Cellnet said that customers contacting Cellnet directly about alleged fraud are advised to contact their card issuer in the first instance.

In other words, it's not seen as Cellnet's problem, even though it's entirely their fault that the problem arises in the first place. They prefer to let the defrauded individual make all the effort, and take it up with his bank. 

Hands washed.

Cellnet say that they are implementing further security measures for buying top-ups with credit cards, and are already able to identify mobile phones which have benefited from misuse of credit cards and bar them from making calls, as well as passing details onto the issuing bank and the police.

As far as implementing further security measures is concerned, we shall be interested to see how and when Cellnet go about this, since they promised the programme that they would do this in a fortnight (from 10/3/1999), yet they have no record of to whom they sold up to 700,000 pre-pay phones.

Regarding the phone identification and barring, this is another dishonest answer: the contrary was stated by Cellnet to me, published on my website, stated on Watchdog, and not denied by Cellnet. The truth is that Cellnet have no way of correlating a card number and a phone number retrospectively, so their statement is meaningless. By the time the fraudulent nature of the transaction is recognised by the legitimate card holder, it's too late for Cellnet to do anything about it.

If Cellnet misled me and the programme previously, and they can indeed identify the phone, why do they not now tell me who has been abusing my credit card number, and start a prosecution?

When asked whether, if fraud was committed by the owner of a prepay phone using a stolen or compromised credit card, Cellnet would be able to apprehend or identify the individual, they replied that they were able to identify the mobile phones topped-up fraudulently and will assist issuing banks and police in their enquiries.

Again, Cellnet are being deliberately untruthful, either originally or now.  If they can identify the fraudulent phone or its user, why don't they tell me who it is, or even notify the Police directly? They keep falling back on the same inconsistent answer.

When asked whether, as a result of their Merchant Agreement, Cellnet would be liable for the loss if someone uses a credit card fraudulently to top-up their prepay phones, they said that the issuing bank is responsible for reimbursing the customer for any misuse of their card, and Cellnet ultimately suffers the loss in these instances.

This is yet another disingenuous answer. Cellnet's loss is only air time, which costs them virtually nothing (almost all their costs are in the infrastructure and the constant polling of phones to locate them. Actual calls are at effectively zero cost to Cellnet) [1]. All the risk and inconvenience is borne by the innocent person whose card number has been abused, which Cellnet deliberately made it so easy for someone to do, but for which they are not taking any responsibility.

[1] Correction, 21. February 2001: "zero cost" strictly applies to calls to BT landlines or other BT Cellnet mobiles, but Cellnet would have to pay a termination charge to other mobile operators if such calls were permitted under the particular call plan in use. I'm happy to make this clear.

Summary (my opinion)

Cellnet's answers are at best disingenuous, and in some cases are simply false. 

In their reply to the programme, Cellnet are making no admission of responsibility for having deliberately set up a system which they knew to be insecure, and liable to put innocent card holders at risk.  The other cellular operators (Orange, One2One and Vodafone) insist on pre-registration by cardholders for precisely this reason.

Cellnet are being disingenuous at best in trying to treat this particular kind of credit card fraud (which they have uniquely encouraged) like any other form. This is simply untrue: theirs is a special case, and they know it. It will be interesting, if this ever gets to court, to have "Disclosure" of Cellnet's internal discussion documents, as a decision must have been taken at the highest level that the cost/benefit balance of such a deliberately insecure system was in Cellnet's favour.

Cellnet will certainly have carried out such a cost/benefit analysis, probably in partnership with their payment system software supplier, and decided that the cost to them of such fraud was negligible, and the benefits considerable.  All the risk and inconvenience would be borne by people who were mostly not Cellnet customers, so why worry?

This is disgraceful.

Cellnet seem unable to be truthful about whether or not they can trace fraudulent users.  If they can, why don't they do so, and let the defrauded parties know, so that prosecutions can be considered?  If on the other hand they can't trace the users, why do they persist in saying that they can?

This is not good enough. 

Cellnet should publicly declare that they deliberately implemented an unnecessarily and irresponsibly insecure credit card pre-payment system, knowing that it would expose innocent credit and debit card holders to risk and inconvenience, in their narrow pursuit of commercial advantage. 

They should accept responsibility and apologise publicly for all the inconvenience and cost they have caused to hundreds of people like me, rather than sheltering behind anodyne platitudes about the "unfortunate reality" of credit card fraud.  They know that they are directly responsible for this particular type of fraud, as a result of their commercial decision to implement an insecure system, and they should, now, act honorably and confess their guilt. 

A personal apology would not be out of place: so far, I have had none, beyond the general statement in their response to the programme, even though they have been reading this material and know my e-mail address.  Cellnet told me point blank that I would get nothing out of them, and in this regard, at least, they have been true to their word.

Steve Pardoe 18/3/1999

