Protection against hackers not good enough, say police

2.00pm

Leading New Zealand internet service providers (ISPs) are not going far enough to protect customers from hacker fraud, says a police cyber-crime expert.

Electronic Crime Unit national manager Maarten Kleintjes said that fraud cases, where hackers accessed the internet with another person's user name and password, were on the rise.

He said a ring of teenage hackers had defrauded about 100 Wellington internet surfers in November, using their passwords to rack up several thousand dollars in internet charges. Police arrested the culprits after ISP Paradise Net identified the fraud and alerted them.

But he said some ISPs, including Telecom's Xtra which has 400,000 users, were not taking simple steps to minimise fraud and help police catch culprits.

Those steps included restricting residential account access to one user at any one time, using caller ID to log the phone numbers of people accessing an account and restricting dial-up access to phone numbers specified by customers.

"If you tried to go on the internet, but couldn't because someone else was already using the account, that would be an immediate flag that fraud was occurring."

Consumers Institute chief executive David Russell said it was hypocritical for Telecom to hold users liable for fraudulent use of their account when they themselves were not doing everything in their power to stamp it out.

"Telecom's whole approach smacks of corporate arrogance," he said.

But Xtra spokesman Matt Bostwick said that if customers had virus protection software that they regularly updated there should be almost no risk of their computers becoming infected with trojan viruses that allowed hacker access.

He confirmed Xtra did not take the steps Mr Kleintjes suggested, but said that if crime was suspected the ISP could request caller details from Telecom.

He did not know how difficult it would be to implement Mr Kleintjes' suggestions, but said they could mean less flexibility for some users.

He said most cases of fraudulent internet account use were not hackers, but friends or family members who physically read the user name and password off another person's computer.

In those cases it made sense that the account holder remain liable, as they had a far greater chance of recovering the money from the culprit than Xtra.

- NZPA