
Pay Up, Or The Computer Gets It!

Monday, November 26, 2007 at 12:02pm by Seth Purdy

Ok, having been doing this stuff for a while I’ve seen a fair amount of questionable practices. It takes something pretty unique to get my goat (antivirus researcher pun intended) at this point. That said, what I found Micro Bill Systems doing had my jaw hitting the desk.

Following up on a post to the Grok.org.uk [Full-Disclosure] mailing list, I did some research (and yes, it was legitimate research!) into the billing method used by sexxxpassport.com. Micro Bill Systems (MBS) provides the billing used by the site, and the model is rather unconventional, to say the least.

Sexxxpassport offers a free three-day trial to their adult site. All that is required is download and execution of the “Authenticator” software.

[Image: Signup page]

[Image: Download dialog]

The full terms (all 11+ pages) are displayed below this when clicking the link (which consists of that entire underlined text block shown). However, the user is not required to actually view the terms at any point before proceeding. Combined with the fact that the most alarming sections of the Terms begin around page 5, this raises the question of how reasonable it is to assume the user will have fully absorbed and understood them.

Furthermore, by offering access to the services without requiring any billing information it seems very likely the content providers are banking (literally!) on people assuming they can just stop accessing the site before the trial ends, without needing to affirmatively cancel the service, and all will be well. However, that assumption is woefully incorrect.

After three days (in accordance with the Terms), it’s assumed the user wishes to subscribe, and they are charged for 90 days worth of access at “less than 45p per day” (so, somewhere around £40, or approximately $80). Then the popups start.

[Image: Terms section 16.6]

The frequency and persistence of the popups is actually outlined in the full Terms & Conditions. In fact, it is very explicit about what the MBS software is going to do, with the forcefulness of the billing display ramping up over a few weeks.

[Image: Terms section 16.6]

Possibly the most alarming item of the Terms & Conditions is in Section 12:

12.5 If You choose to ignore the payment reminders and do not pay the Membership Fee, You hereby understand and acknowledge that the prompt reminders may become more frequent and that You may lose the ability to use Your computer until You have submitted payment. The payment reminders will be active while your computer is online or offline.

Yes, you read that correctly. They are claiming the right to disrupt and potentially completely disable use of your computer as a means to compel payment. Depending on the current display resolution of the system, the locked billing popup can indeed obscure things to the point of making it unusable. The popup window will automatically restore itself if resized or moved. It also carries the “always on top” attribute, so it will cover other desktop elements or application windows. Though the disruption is limited in duration, it appears that the daily display count for the billing reminder is reset if the system is rebooted, and so it could occur more than once per day.
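As an added triage example (not code from the original post, and not MBS's software), the following PowerShell lists every visible window carrying the WS_EX_TOPMOST extended style, together with its owning process and executable path, which is the first thing a responder wants when a self-restoring, always-on-top billing popup is covering the desktop. It assumes a Windows host with Windows PowerShell 5 or later.

```powershell
# Added example: enumerate visible always-on-top (WS_EX_TOPMOST) windows and map
# each to its owning process, so a nag popup like the one described above can be
# traced back to the executable that creates it. Assumes Windows PowerShell 5+.
Add-Type -TypeDefinition @'
using System;
using System.Text;
using System.Collections.Generic;
using System.Runtime.InteropServices;

public class TopmostWindow {
    public IntPtr Handle; public uint ProcessId; public string Title;
}

public static class TopmostScan {
    delegate bool EnumWindowsProc(IntPtr hWnd, IntPtr lParam);
    [DllImport("user32.dll")] static extern bool EnumWindows(EnumWindowsProc cb, IntPtr lParam);
    [DllImport("user32.dll")] static extern bool IsWindowVisible(IntPtr hWnd);
    [DllImport("user32.dll")] static extern int GetWindowLong(IntPtr hWnd, int nIndex);
    [DllImport("user32.dll", CharSet = CharSet.Unicode)]
    static extern int GetWindowText(IntPtr hWnd, StringBuilder text, int maxCount);
    [DllImport("user32.dll")] static extern uint GetWindowThreadProcessId(IntPtr hWnd, out uint pid);

    const int GWL_EXSTYLE   = -20;        // index of the extended-style DWORD
    const int WS_EX_TOPMOST = 0x00000008; // the "always on top" bit

    public static List<TopmostWindow> Find() {
        var found = new List<TopmostWindow>();
        EnumWindows((hWnd, lParam) => {
            if (IsWindowVisible(hWnd) && (GetWindowLong(hWnd, GWL_EXSTYLE) & WS_EX_TOPMOST) != 0) {
                uint pid; GetWindowThreadProcessId(hWnd, out pid);
                var sb = new StringBuilder(256); GetWindowText(hWnd, sb, sb.Capacity);
                found.Add(new TopmostWindow { Handle = hWnd, ProcessId = pid, Title = sb.ToString() });
            }
            return true; // keep enumerating
        }, IntPtr.Zero);
        return found;
    }
}
'@

# Resolve each window's process to a name and on-disk path. A topmost window owned by
# something other than a known shell or utility component, especially one that
# re-asserts itself when moved, is the candidate to examine and remove.
[TopmostScan]::Find() | ForEach-Object {
    $proc = Get-Process -Id $_.ProcessId -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Handle  = ('0x{0:X}' -f $_.Handle.ToInt64())
        Title   = $_.Title
        Pid     = $_.ProcessId
        Process = $proc.ProcessName
        Path    = $proc.Path
    }
} | Format-Table -AutoSize
```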

There are also clauses in the Terms & Conditions where fees can pile up quickly.

[Image: Terms Section 20.1]

Depending on how you interpret (a), I could see it adding £25 a day for each day beyond the 7th that you have an outstanding bill. Not being versed in accounting, I’m unclear on precisely the circumstances in which (b) and (c) are to be applied.

The closest analogy I’ve come up with: You’re offered a free trial of satellite radio for your car. Then, a week later, you go to leave for work one morning and find a boot on your car, immobilizing it until you pay up.

The most they should be able to do, in my view, is cut off access to their services and refer the individual to collections. What it appears they are doing is, in my humble opinion, a form of extortion based on the (usually correct) assumption that a person’s computer will be key to many other activities in their daily life. Also, possibly with inadvertent/passive blackmail as a bonus: someone not wanting other family members or a spouse to realize they’ve been surfing for pornography, or perhaps even more dire, someone to see it on a computer at their workplace, and becoming desperate to silence the persistent billing popups.

Faced with such a situation, it is probable that most “customers” would quickly pay to regain control of their systems and avoid possible embarrassment. I strongly suspect the powerful social engineering leverage created by this situation is not accidental.

Additional details are available at the Avert Labs Threat Library page for MicroBillSystems.


Comments (3)

  • Tarjeta De Credito December 7, 2007 10:16AM

    Having read the full terms and conditions it has to be said that they are very clear in terms of what the software does. The first few lines of the terms and conditions also make it very clear that this is a subscription website. Will describes it as “scummy” but surely this is innovative. Using this software I don’t have to give my credit card details to a site I know nothing of. It also looks like this software preserves anonymity. Another very positive feature. If these guys were hiding how the software works then fair enough but as consumers we are not idiots and surely no one who downloads this software can genuinely claim they didn’t know what they were signing up to.

  • will November 29, 2007 11:57PM

    I just want to add that this kind of behavior is not accepted by the large majority of serious and clean adult webmasters. Every day there’s a battle between hard working honest adult webmasters and the more “scummy” side of our business. Some of that is played out and can be followed on askdamagex dot com

  • d4rkr1d3r November 26, 2007 3:50PM

    This is extremely coincidental, as I was removing a “MicroBillSystems” adware infection from an individual’s PC today. It seems this particular individual took a specific liking to the pornography domain:
    http://mysexworld[DOT]com
    which, it appears, is also employing / currently owned by MicroBillSystems. The intrusive popup is simple to remove, providing the user possesses adequate knowledge of the way their Microsoft OS functions (simply a few dropped files and some registry keys).
    I simply booted the PC in safe mode, unregistered the registry keys and deleted the files.
    However, I agree with your statement regarding potentially successful social engineering techniques employed in this case.