Blog: How Tos

consultant-placeholder13 Antonio Cassidy 25 Apr 2014

Nobody likes having to dial a premium rate number, especially to a business that’s already pocketing your money for something!

UK Premium rate numbers are split as follows:

  • 0871,0872 or 0873 – Customer service lines/sales/bookings
  • 070 – Call diversion used by small business and sole traders
  • 09 – Competitions/TV voting/rude things

Access to these numbers from either a landline or mobile phone can incur large fees. Some mobile network operators in the UK charge for calls to 0800 numbers too.

To give consumers a way around this, the website was setup to act as a database of alternative local rate numbers for these businesses. The website has been mentioned by the BBC and a raft of UK newspapers. The site allows users to search by either a company name or telephone number and have local/national alternatives displayed. Take the following example of results for the search term “


By calling any of the 01/02/03 or freephone numbers we can talk to our bank without having to pay the 0844/0845/0870/0871 premium rate. Excellent, or so you would think!

The website has telephone numbers split into two categories “Main” and “Unverified”. The use of the word Verified is really misleading though. Here’s their “Verification” process:

  • Main Database – A number that has been checked and at the time it was checked worked correctly. Please let us know of any numbers that no longer work as expected.
  • Unverified Number – A number that has been added by a visitor to the website, and hasn’t yet been verified as correct. Please use the Contact Us link at the top of the page to let us know if these work (or don’t work) for you.

That’s right, no checks are made (nor could any be made) to verify that the local/free number actually belongs to the company.

So, why would this be interesting to a crook?

Let’s say our attacker was to pick a selection of companies who regularly receive sensitive information over the telephone: banks, utilities, online retailers etc. Can you see where we’re going with this?

An attacker could setup a call relaying service, which presents a local/free rate number and directs the call towards our target organisation. Something like Asterix would do the job for you, plus a cheap presentation number. You simply proxy and record the traffic.

So, now we can record any information such as banking details, passwords or credit card data, without the caller or the target knowing anything was happening.

How do you publish the number? Stick it on SayNoTo0870! They “verify” the number by dialling it, they get through to the correct business. “Verified”.

Of course our attackers would need to pay for the connecting call to the target, but of course they would search SayNoTo0870 first for a local rate number ; )

In short only use local rate numbers to conduct sensitive business if you can verify the source of the number i.e. from the company website/stationary etc. Using unverified numbers is fine for non-sensitive calls if you don’t mind that your call could be recorded!