Samsung smartphones open to abuse 
What's a life?

Joined: Thu Apr 23, 2009 8:25 pm
Posts: 10691
Location: Bramsche
A report in the current issue of c't magazine describes multiple cases of Samsung smartphone owners being tricked out of money for online services or vouchers - the most used are Xbox points, as these are easy for the crooks to turn into money.

http://www.heise.de/security/meldung/Mo ... 22758.html

The problem seems to lie in the Samsung find-my-mobile service, which is available over a portal to allow lost or stolen phones to be tracked by their owners. The site gave the option of having SMS and phone calls diverted to another phone.

Using the "pay-by-phone" option on many online stores, where the user enters their mobile number, receives an mTAN by SMS and has to enter it into the site, the fraudster would tap into the hijacked device's SMS stream and, when the mTAN arrived, enter it into the site where they had just entered the mobile number, and they would get the link to download the Xbox points etc.

The owner of the hijacked device doesn't know what is happening; they just get a message from the store about a transaction, and many people ignore these as spam because they have never heard of the online stores being used.

The amount of the transaction is then added to the user's phone bill.

Heise spoke to Samsung and they didn't admit liability, but the redirection of calls and SMS mysteriously disappeared from the options on the find-my-mobile site.

It is not clear how the fraudsters got access to the service, although Samsung were caught out at the end of last year because their devices were sending the login details for the service in the clear! This has since been changed to sending them over an SSL connection, but Samsung neglected to warn users to change their passwords.

If you are caught out by this, the telephone service provider usually denies all responsibility and points to the third-party payment provider. They in turn deny responsibility, because the process is "secure" and the SMS with the mTAN was sent to the phone in question, so nobody without access to the phone could have entered the mTAN.

The recommendation for affected Samsung owners is to report the case to the police and then contact the payment companies to have their money reimbursed. Additionally people should contact their mobile provider and tell them not to accept payment requests from third parties.

_________________
"Do you know what this is? Hmm? No, I can see you do not. You have that vacant look in your eyes, which says hold my head to your ear, you will hear the sea!" - Londo Molari

Executive Producer No Agenda Show 246


Wed Feb 26, 2014 7:48 am
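The pay-by-phone flow described in the post above, as an added model rather than code from Samsung, the payment providers or c't: a constructed "forward every SMS to another number" rule on the victim's handset lets the fraudster read the mTAN that the provider sent to the victim's number, and the charge lands on the victim's bill. The second run shows the effect of the post's recommendation to tell the mobile provider not to accept third-party payment requests. Phone numbers, the merchant name and all class names are assumptions made for this illustration.

```python
# Added illustration of the pay-by-phone mTAN flow described in the post above,
# and of the recommended carrier-side block on third-party payment requests.
# This is not Samsung's, the payment providers' or heise's code: the phones,
# numbers, merchant name and the "forward every SMS" rule are constructed here
# to model the behaviour the post describes.
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Phone:
    number: str
    inbox: list = field(default_factory=list)
    # Models the find-my-mobile option the post describes: every SMS that
    # reaches this handset is also relayed to another phone.
    forward_sms_to: Optional["Phone"] = None

    def receive_sms(self, text: str) -> None:
        self.inbox.append(text)  # the owner still sees the message
        if self.forward_sms_to is not None:
            self.forward_sms_to.inbox.append(text)  # ...and so does the fraudster


class Carrier:
    """The mobile provider: delivers SMS and adds third-party charges to bills."""

    def __init__(self) -> None:
        self.phones: dict = {}
        self.bills: dict = {}
        self.third_party_billing_blocked: set = set()

    def register(self, phone: Phone) -> None:
        self.phones[phone.number] = phone

    def send_sms(self, number: str, text: str) -> None:
        self.phones[number].receive_sms(text)

    def bill(self, number: str, amount: int) -> bool:
        # The post's recommendation: the subscriber has told the provider not
        # to accept payment requests from third parties.
        if number in self.third_party_billing_blocked:
            return False
        self.bills[number] = self.bills.get(number, 0) + amount
        return True


class PaymentProvider:
    """Third-party 'pay-by-phone' provider: sends an mTAN, then bills the number."""

    def __init__(self, carrier: Carrier) -> None:
        self.carrier = carrier
        self.pending: dict = {}

    def start(self, number: str, amount: int, merchant: str) -> str:
        tan = f"{secrets.randbelow(10**6):06d}"
        txid = secrets.token_hex(4)
        self.pending[txid] = (number, amount, tan)
        self.carrier.send_sms(number, f"{merchant}: your mTAN for {amount} EUR is {tan}")
        return txid

    def confirm(self, txid: str, entered_tan: str) -> str:
        number, amount, tan = self.pending.pop(txid)
        if not hmac.compare_digest(tan, entered_tan):
            return "rejected: wrong mTAN"
        # The provider's reasoning from the post: the mTAN went to this number,
        # so whoever typed it back in "must" hold the phone. Forwarding breaks that.
        if not self.carrier.bill(number, amount):
            return "rejected: third-party billing blocked by subscriber"
        return f"approved: {amount} EUR added to the bill of {number}"


def extract_tan(sms: str) -> str:
    """The fraudster reads the six-digit code off the relayed SMS."""
    return sms.rsplit(" ", 1)[1]


def run_attack(block_third_party_billing: bool = False):
    """Return (provider result, victim's bill, number of SMS the victim saw)."""
    carrier = Carrier()
    victim = Phone("+49-151-0000001")      # constructed numbers
    fraudster = Phone("+49-151-0000002")
    carrier.register(victim)
    carrier.register(fraudster)
    victim.forward_sms_to = fraudster      # hijacked find-my-mobile setting
    if block_third_party_billing:
        carrier.third_party_billing_blocked.add(victim.number)

    provider = PaymentProvider(carrier)
    txid = provider.start(victim.number, 50, "XboxPointsShop")  # fraudster enters the victim's number
    tan = extract_tan(fraudster.inbox[-1])                     # ...and reads the relayed mTAN
    result = provider.confirm(txid, tan)
    return result, carrier.bills.get(victim.number, 0), len(victim.inbox)


if __name__ == "__main__":
    print(run_attack())                                # approved, bill 50, victim saw 1 SMS
    print(run_attack(block_third_party_billing=True))  # rejected, bill 0
```

Note that in both runs the victim's inbox holds the mTAN message, which is the "message from the store" the post says people dismiss as spam: the provider's argument that only the phone's holder could have seen the code is true of the handset but not of whoever the handset relays to.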
What's a life?

Joined: Thu Apr 23, 2009 7:26 pm
Posts: 17040
big_D wrote:
Heise spoke to Samsung and they didn't admit liability, but the redirection of calls and SMS mysteriously disappeared from the options on the find-my-mobile site.
It is not clear how the fraudsters got access to the service, although Samsung were caught out at the end of last year because their devices were sending the login details for the service in the clear! This has since been changed to sending them over an SSL connection, but Samsung neglected to warn users to change their passwords.

Anyone can make a mistake and fraudsters are ingenious and will often find unusual ways to use perfectly innocent services but Samsung's behaviour after the event looks pretty shoddy TBH.


Wed Feb 26, 2014 9:34 am
Legend

Joined: Fri Apr 24, 2009 2:02 am
Posts: 29240
Location: Guantanamo Bay (thanks bobbdobbs)
jonbwfc wrote:
big_D wrote:
Heise spoke to Samsung and they didn't admit liability, but the redirection of calls and SMS mysteriously disappeared from the options on the find-my-mobile site.
It is not clear how the fraudsters got access to the service, although Samsung were caught out at the end of last year because their devices were sending the login details for the service in the clear! This has since been changed to sending them over an SSL connection, but Samsung neglected to warn users to change their passwords.

Anyone can make a mistake and fraudsters are ingenious and will often find unusual ways to use perfectly innocent services but Samsung's behaviour after the event looks pretty shoddy TBH.

Not just Samsung, but all the companies involved. They should all be charged as accessories to fraud unless they actively stop it or assist in recovery of stolen funds.

_________________
Do concentrate, 007...

"You are gifted. Mine is bordering on seven seconds."

https://www.dropbox.com/referrals/NTg5MzczNTk

http://astore.amazon.co.uk/wwwx404couk-21


Wed Feb 26, 2014 10:47 am