S 5.98 Protection from misuse of chargeable dial-in numbers
Initiation responsibility: IT Security Officer
Implementation responsibility: Head of IT, Administrator
Pay-per-use services offered in the internet are often billed on the telephone bill by redirecting the user to chargeable telephone numbers using special dial-in programs. For example, these may be 0900 numbers.
The web diallers used for this purpose are programs that set up a new internet connection on the computer. After being downloaded and installed on the PC, the dialler dials in to the internet. Any internet connection already established at that time is generally disconnected first. (This only works with dial-up connections, however, and not with DSL connections or connections using similar technologies.)
The pay-per-use content can then be retrieved over this new connection. The amount charged depends largely on the telephone number the web dialler used to establish the connection. High costs may result from pay-per-call connections as well as from pay-per-time connections.
What was initially designed as a simple and anonymous payment method for the internet has unfortunately been misused increasingly in recent times to install such web diallers on internet PCs without the user's knowledge. Such web diallers may be installed unobtrusively by Trojan horses or when a website is retrieved, for example. In this case, they incur massive costs without the users being aware of it and without their receiving any appropriate service in return.
In order to protect against such problems,
- the users should be informed about how web diallers work and how such malicious programs are distributed,
- itemised bills should be requested from the telecommunications provider for every internet PC (this is a free service in Germany),
- blocking "expensive" telephone numbers, such as 0900 numbers in general or certain blocks of numbers, should be considered,
- active content, particularly ActiveX, should be disabled as far as possible.
In general, no programs that promise allegedly free or faster connections to websites with dubious content should be installed.
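One way to implement the dial-in number check from the list above, as an added example that is not part of the BSI catalogue: a Python script that audits an INI-style dial-up phonebook (the layout Windows uses in rasphone.pbk, with one section per connection and a PhoneNumber key) for entries that dial a premium-rate prefix. The sample phonebook is constructed, and every prefix in the block list other than 0900 is an assumption to be replaced by the organisation's own list.

```python
import configparser
import re

# Premium-rate prefixes to flag. "0900" comes from the safeguard text; the other
# entries are assumed further German premium/mass-calling prefixes and should be
# replaced by the organisation's own block list.
PREMIUM_PREFIXES = ("0900", "0190", "0137")

# Constructed sample of an INI-style dial-up phonebook (rasphone.pbk layout:
# one [section] per connection entry with a PhoneNumber key).
SAMPLE_PHONEBOOK = """
[Office ISP]
Type=1
PhoneNumber=0800 123456

[Free Access (installed by download)]
Type=1
PhoneNumber=+49-900-1234567

[Premium Content]
Type=1
PhoneNumber=0900-555-0100
"""


def normalise_number(number: str) -> str:
    """Strip separators and convert a +49 / 0049 international prefix to national form."""
    digits = re.sub(r"[^\d+]", "", number)
    if digits.startswith("+49"):
        digits = "0" + digits[3:]
    elif digits.startswith("0049"):
        digits = "0" + digits[4:]
    return digits


def find_premium_entries(phonebook_text: str, prefixes=PREMIUM_PREFIXES):
    """Return (entry name, dialled number) for every entry using a premium-rate prefix."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(phonebook_text)
    flagged = []
    for entry in parser.sections():
        raw = parser.get(entry, "PhoneNumber", fallback="")
        if normalise_number(raw).startswith(prefixes):
            flagged.append((entry, raw))
    return flagged


if __name__ == "__main__":
    for entry, number in find_premium_entries(SAMPLE_PHONEBOOK):
        print(f"WARNING: dial-up entry {entry!r} dials premium-rate number {number}")
```

On a real system the script would read the phonebook file instead of the embedded sample; a flagged entry the user did not create deliberately is a strong indicator that a web dialler has been installed.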
Review questions:
- Have the users of internet PCs been informed about the risks related to web diallers?
- Are itemised bills drawn up for every internet PC?
- Has it been considered to block expensive dial-in numbers for internet PCs?