In recent years, many markets around the world have transitioned to payment flows that use MSISDN and PIN verification, with the expectation that MSISDN/OTP filtering would help prevent payment fraud in Value-Added Services subscriptions. This raises an important question: does the MSISDN/PIN flow actually provide sufficient protection against fraud?
Based on observations from the Malaysian market—where we monitor the Maxis and U-Mobile networks, both of which primarily use MSISDN/PIN payment flows—the answer appears to be No. Over the past 12 months alone, Empello detected more than 100 auto subscription campaigns originating from services that were supposedly protected by MSISDN/PIN opt-in mechanisms.
The reason is that MSISDN/PIN alone cannot defend against attacks originating from malware apps. Fraudulent subscriptions are typically carried out in the following way: scammers upload seemingly legitimate and popular utility applications—such as junk cleaners, 4K HD camera apps, or barcode scanners—to the Google Play Store. These apps are embedded with Joker malware. Unsuspecting users download the apps, believing them to be legitimate utilities.
Once installed, the malware operates silently in the background. It can capture the user’s MSISDN, intercept or read the PIN, and automatically submit the PIN during the subscription process without the user’s knowledge. As a result, users may be unknowingly subscribed to VAS services they never requested or consented to.
In many cases, the only indication of the subscription is a welcome SMS notification. If the user notices the message promptly, they may realise that fraudulent activity has occurred. However, this can still result in lost airtime credit, and the user may need to spend additional time and effort going through the refund process. In some cases, these welcome SMS notifications may even be filtered into the spam folder, meaning the user may not become aware of the issue until they notice a significant reduction in their account balance over time.
Regardless of the scenario, such incidents lead to poor customer experience and can ultimately damage the mobile operator’s brand reputation. To effectively mitigate these risks, operators should complement MSISDN/PIN verification with advanced anti-fraud protection at the payment page level. Modern anti-fraud solutions can detect suspicious traffic patterns, identify malware-driven behaviour, and block fraudulent subscription attempts before they are completed. In addition to preventing fraud, these systems can analyse merchant traffic and identify partners that may be generating malicious or non-compliant traffic.
By combining payment authentication with proactive anti-fraud monitoring, mobile operators can significantly reduce fraudulent subscriptions while maintaining a safer and more transparent digital ecosystem for both users and merchants.