The Ministry of Posts and Telecommunications is warning Internet cafes that they will be “punished severely” if customers access Internet accounts illegally.
Ministry officials are also urging Internet users to protect their passwords to prevent theft of Internet time.
Local Internet providers have received complaints from several customers recently who say their accounts have been used without their knowledge, with a few cases resulting in Internet bills of several hundred dollars.
Part of this is being blamed on a computer program available for free on the World Wide Web and now circulating in Phnom Penh that allows hackers to steal passwords stored in computers.
The problem of illegal Internet access surfaced recently when a local computer consultant accused the fledgling Internet cafe Khmer Web of using his account to run up a $2,500 bill. The owners of Khmer Web agreed to repay the bill, but say they are free of blame, contending it was their customers who accessed the account.
Internet cafes will now be accountable, even if employees are not involved, said Koy Kim Sea, undersecretary of state for the Ministry of Posts and Telecommunications and general manager of CamNet. Internet cafes can be fined or shut down if they violate the new regulations, he said.
Cambodia’s two licensed Internet providers, CamNet and Telstra Bigpond, are working with the ministry to thwart the theft of Internet time. They are studying phone records to pinpoint strange usage patterns and find out who is tapping into accounts without permission.
Until recently, it was assumed that unauthorized access of Internet accounts was “social hacking” done by a person who knows the account owner and has learned the password.
Computer consultant Bill Herod said he believed this was the case in Khmer Web’s use of his Internet account.
But with a hacking program available on the Internet, any password stored in a computer can be stolen.
If a computer is set up to save passwords in a Windows program, the information is stored in a Windows directory file called “user.pwl.” The password is encrypted, so it appears as scrambled text. The hacking program allows the user name and password to be accessed.
The program is available for free on at least one Internet site that supplies tools for hackers and can be downloaded to a disk then used to read passwords stored in computers. If a computer is connected to a network, the password and user name can be accessed from any network computer within a few seconds.
Herod, who learned of the program a week ago, ran a test, creating an account user name with a password known by only one person. Within a few days, the account had been accessed, confirming that the password was taken by a hacker.
Thay Thida, a supervisor at Cafe Asia, said the staff keeps an eye on its customers. “We have to look after them to see what they’re doing,” she said.
Anthony Alderson, partner in Cafe Asia, said he welcomes the regulations even though it means Internet cafe owners now will be liable for their customers’ actions.
“I would like to see the Khmer Internet business as a thriving business, but we all have to be on the same playing field,” he said, referring to allegations that Khmer Web was able to charge cheaper fees, thus undercutting the competition, by stealing Internet time from other accounts.
Currently, Internet cafes use dial-up accounts, making it possible for their passwords to be used by others. Cafe Asia has applied for a lease-line connection that charges a flat fee for a continuous hookup and does not require a password. “For Internet cafes, it seems the most legitimate way of standardizing the business,” Alderson said.
The lease-line connection is expensive, starting at about $1,500 a month.
There is, of course, a cheaper way to protect an account, said David Lewis, Internet manager of Telstra Bigpond.
“If you change your password, no one can get in,” he said. “It’s just common sense caution.”