Every two years my phone contract expires. This is the maximum duration of a phone contract for an individual so I have to spend some time on updating it every now and then. The problem is that every time there are new offers and usually your old plan is not available. So you have to find a new one.
After looking at the new plan catalogue of my carrier, I figured that for the same specs (talk time, SMS and bandwidth) I need to pay a little bit over 2.5x more money than before. Of course, that is something no sane person would do. So I started looking at the competition for solutions.
Sooner or later, I eliminated some possibilities because they provided some amazing discounts I couldn’t believe they were real:
Yup, I couldn’t believe it either. They offer the 25€ plan for only 27€!!!
After eliminating one more carrier I narrowed it down to two.
I figured I would call the competitor first since one of them is my current carrier.
Like almost everyone else, they have a Callback feature on their website where you can enter your phone number and have it securely transferred over HTTP to them and placed in a queue so they can call you.
This carrier, like some others in the same country, calls you, and the moment you pick up the phone they hang up, presumably so they can cut down their costs. That’s how they offer the best experience for wannabe customers.
To the best of my knowledge the only carrier that doesn’t do this is my current one.
I tried this feature 3 times and all three times they hung up two seconds after me picking up. This annoyed me a lot. I didn’t want to call their number because they didn’t want to call mine. So I had to somehow make them lose this cold war.
I suppose it’s a good thing I am a Computer Scientist. After examining the request sent, I figured out it is a simple POST
request to the web server with no rate limiting. That’s good. You probably already know where this is going.
Now consider this a simple exercise. Let’s examine the request that is being sent:
There are some static fields there that I suppose never change and of course the phone number. They are also security aware and include a CSRF Token. Bonus points for that.
Brute forcing a URL with a CSRF token can be nasty. You need to first send a GET
request, parse the output, extract the CSRF Token and then send the POST
request. Right?
Well, not really.. Vodafone does a common mistake of not invalidating the token after its use. That means we can add this token manually and then keep using it for as many times as necessary. Awesome!
Now that we went over some technical details of the form they use, let’s move to something completely unrelated. I wrote a Python script that makes use of the requests
library and I added a feature that measures how fast it can send a specific request to a specific URL. Here’s part of the output:
[!] Initializing CallMeMaybe.py
[!] Loaded target: [REDACTED]
[!] Loaded token: [REDACTED]
[!] Preparing request engine...
[!] Done!
[>] 1207 Requests / second
[>] 871 Requests / second
[>] 1311 Requests / second
...
I was benchmarking my script when suddenly my phone rang which interrupted the process. It was Vodafone. Who could have guessed?
An employee told me his name and then asked me politely how can he help me. I gave him some information about my current plan and then asked him if they, as a competitive company in the market, have a better plan for me so I can switch to them.
I gave him a couple of seconds and then got back a reply I never expected to hear from a sales rep:
Well, we currently don’t have anything cheaper, thanks for calling!
And then the familiar tone when someone hangs up the phone.
Very interesting. I guess he was either too bored to talk to someone, alone in a call center, or didn’t want to spend more money in a call he was maybe forced to make. Or all three of them.
Wind is employing this tactic on cold calls (hang up and wait for the target to call back), Vodafone is probably doing this only in their website form. Cosmote does not do this to the best of my knowledge. So far I had terrible experience with all three carriers in this country: