Web Sites Allow Billing Others for Services They Do Not Want
Emagined Security’s CEO, David Sockol, recently sent me a message in which he said that he had just received a piece of spam that led him to an interesting discovery. Anyone who visits sites such as www.fanbox.com can enter anyone’s cell phone number, and the owner of that cell phone will start getting charged $9.99 a month for services that the owner very likely does not know about. The owner does not have to authorize the transaction and does not even need to be involved in any way; anyone can enter any cell phone number. Worse yet, spam that convinces people to enter their own number is circulating.
Unbelievably, telecom carriers allow charges such as those described above. If you do not believe me, go to FanBox’s Web site and look at the screenshot: you can enter anyone’s phone number in the field titled “Mobile Number.” An AT&T representative confirmed that companies such as FanBox allow people to enroll virtually any cell phone number for services, resulting in the owner of that number being billed. According to the representative, this kind of thing happens all the time, often with service fees much higher than $9.99 a month.
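The missing control in the enrollment flow above is proof that the person submitting the number actually holds the phone. The following is an added illustration of what a consent-verified enrollment looks like; it is not FanBox’s code or any carrier’s, and the class, the $9.99 plan price, the phone number and the SMS wording are all constructed for the example. Nothing is billed until a one-time code sent to the handset is echoed back, codes expire, and repeated wrong guesses void the request.

```python
import hmac
import secrets
import time

CODE_TTL_SECONDS = 10 * 60   # a confirmation code is valid for ten minutes
MAX_ATTEMPTS = 3             # wrong guesses allowed before the request is voided
MONTHLY_FEE = 9.99           # the fee the post describes


class EnrollmentService:
    """Hypothetical double opt-in enrollment: a number is billed only after
    its owner confirms with a code delivered to that number."""

    def __init__(self, send_sms, now=time.time):
        self._send_sms = send_sms        # callable(number, text); injected so tests run offline
        self._now = now                  # injected clock so expiry can be exercised
        self._pending = {}               # number -> pending request (never billed)
        self.subscriptions = {}          # number -> plan, confirmed by the phone owner only
        self.billing_log = []

    def request_enrollment(self, number, plan):
        """Record a request and send the code to the phone itself, not the requester."""
        code = f"{secrets.randbelow(1_000_000):06d}"
        self._pending[number] = {"code": code, "plan": plan,
                                 "expires": self._now() + CODE_TTL_SECONDS, "attempts": 0}
        # Per-number rate limiting of requests is assumed to happen upstream.
        self._send_sms(number, f"Reply with code {code} to confirm {plan} at "
                               f"${MONTHLY_FEE}/month. Ignore this if you did not sign up.")
        return "pending"

    def confirm(self, number, submitted_code):
        """Only the holder of the phone can produce the code; no code, no subscription."""
        entry = self._pending.get(number)
        if entry is None:
            return "no_pending_request"
        if self._now() > entry["expires"]:
            del self._pending[number]
            return "expired"
        entry["attempts"] += 1
        if not hmac.compare_digest(entry["code"], submitted_code):
            if entry["attempts"] >= MAX_ATTEMPTS:
                del self._pending[number]
                return "locked_out"
            return "wrong_code"
        del self._pending[number]
        self.subscriptions[number] = entry["plan"]
        return "confirmed"

    def run_billing(self):
        """Bill confirmed subscriptions only; pending requests are invisible here."""
        charged = []
        for number, plan in self.subscriptions.items():
            self.billing_log.append((number, plan, MONTHLY_FEE))
            charged.append(number)
        return charged


def demo():
    """Walk through the abuse case from the post and show that nothing is billed
    without the phone owner's confirmation. All values are constructed."""
    outbox = []
    clock = [1_000_000.0]
    svc = EnrollmentService(send_sms=lambda number, text: outbox.append((number, text)),
                            now=lambda: clock[0])
    victim = "+15555550100"   # constructed sample number

    # Someone else enters the victim's number: a request exists, but no charge follows.
    svc.request_enrollment(victim, "fan-club")
    billed_before_consent = svc.run_billing()

    # The submitter does not see the SMS; guessing codes only voids the request.
    real_code = outbox[-1][1].split()[3]                      # "Reply with code <code> ..."
    wrong = "000000" if real_code != "000000" else "111111"
    guess_results = [svc.confirm(victim, wrong) for _ in range(MAX_ATTEMPTS)]

    # A stale code is refused even if it is correct.
    svc.request_enrollment(victim, "fan-club")
    stale_code = outbox[-1][1].split()[3]
    clock[0] += CODE_TTL_SECONDS + 1
    expired_result = svc.confirm(victim, stale_code)

    # The actual phone owner confirms with the code delivered to the handset.
    svc.request_enrollment(victim, "fan-club")
    owner_code = outbox[-1][1].split()[3]
    confirm_result = svc.confirm(victim, owner_code)
    billed_after_consent = svc.run_billing()

    return {"billed_before_consent": billed_before_consent,
            "guess_results": guess_results,
            "expired_result": expired_result,
            "confirm_result": confirm_result,
            "billed_after_consent": billed_after_consent,
            "messages_sent": len(outbox)}


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The point of the design is that the billing step reads only `subscriptions`, which is written by `confirm` and nowhere else, so a web form that accepts an arbitrary number can never by itself produce a charge. The constant-time comparison and the attempt cap are there so the code cannot be brute-forced through the confirmation endpoint.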
Electronic harassment has been around for years. The traditional electronic harassment scenario is that a jilted lover or hostile co-worker repeatedly sends harassing email messages to a targeted person. Then instant messaging and texting came into being, and with them came the opportunity to bombard someone with short, hostile messages. Now someone with a grudge (or someone who wants to play a prank) can sign a targeted person up for services that will cause that person considerable trouble: bills for undesired services, the hassle of having to cancel them, and so on.
About seven or eight years ago a new University of California employee got into trouble almost immediately, and his career there was short. Soon after starting work, he signed up his supervisor from his previous job for a number of services that cost far more than $9.99 a month. The new employee ostensibly had intense negative feelings toward his ex-supervisor, which apparently triggered his enrolling the ex-supervisor for all those services. The ploy backfired: the new employee’s actions were detected through normal network monitoring, and not long afterwards he was fired.
There are two morals to the story here. First, why does the Federal Trade Commission, or anyone else for that matter, allow billing for services that someone has not authorized? It is against the law to use someone else’s credit card number to purchase something, so why is it not against the law to use a Web site to enter someone else’s cell phone number and enroll the owner in a service that the owner does not want? Clearly, someone is asleep at the proverbial switch here. Second, organizations need provisions in their acceptable use policies that forbid employees and contractors from using the organization’s computers and computing facilities to sign up someone else for a service that the other person has not authorized.
