Several police investigations are under way into misuse of people's Internet access passwords.
Detective Mike Chappell, of the Christchurch Police, says there are four investigations under way in that city and at least three in Auckland. They involve hackers getting hold of passwords from ISPs and distributing them elsewhere--in some cases via newsgroups.
Chappell doubts there's a single ISP in the country that hasn't been caught at some point by such activity.
One Christchurch hacker has been monitored by police spending more than 18 hours on line in a session. The individual is the subject of investigation after he allegedly appropriated a password file form one ISP.
"He then ships them off to his mates around New Zealand and then of course they go berserk dialling into all the ISPs using other people's identities and passwords. Everything gets charged up to the owners of those passwords."
It is this which is behind many of the complaints of over-billing in the industry, he says. And he says most ISPs are having to waive the charges.
One recent victim was the Internet Group, which had a password file taken about a year ago. The issue raised its head again when a former customer who had fallen out with the company publicised the fact that he had such information.
"At that time (when the file was taken) we told everyone to change their passwords," says managing director Nick Wood, who also says all information relating to the situaion has been passed to the police. “They're looking after it now.
"As you get bigger as a company hackers find you more interesting--the more they can feel like a hero if they get through. So what we've got to do is keep up with things and try to plug the gaps ahead of them. We do our best, but customers have to keep their passwords secure."
It's a comment echoed by Peter Saunders, general manager operations at Xtra. As well as much publicised security problems earlier in the year, the company has been involved in a number of complaints about over-billing.
The two aren't linked, says Saunders.
"There was no evidence that anyone had had their account used by someone else," he says. "There was a small group of people who had some problems that were entirely our fault, affecting their accounts. We ran some script that identified those affected. While we identified nearly everybody concerned over a two-week period at the end of September and credited their accounts, the problem was that because of some wider difficulties in the organisation we didn't send out the corrected bills until some time after that. So the problem had been fixed but people hadn't been told."
In at least one case a customer claims to have been threatened with having his phone cut off, even though his phone bill was paid up. Saunders disputes that this is "abuse of a dominant position", to use the language of the Commerce Act, and points out that Clear Communications is likely to face similar issues now it has an ISP of its own.
"I'm sure Clear will send bills to people, as we do, that will include the major services they offer, and there are the same remedies available to it as there are to any supplier.
"The issue with us, though, is that we're being very careful about how we exercise those, as we've had a period of some discomfort about the liability of our back-end system. The process is to work these issues through, rather than to say 'you pay or you stop'.
On the issue of passwords and security, he notes that nothing is absolutely secure.
"Anything that uses a password system, be it an ATM or an Internet account, is open to risk, although one would think it would be harder to break an Internet access password, which in our case anyway is eight digits--both letters and numbers--than a four-digit pin number."