For many communication services realized, for example, with the aid of an intelligent network (IN), such as Virtual Card Calling (VCC), Universal Personal Telecommunication (UPT), remote access to a Virtual Private Network (VPN) and multimedia services, authentication methods are used to check the caller's access authorization to the communication service and to allocate the fees to him.
Such authentication methods are usually based on the input of a user identification (e.g., a card number) and, if warranted, a personal identification number (PIN) as well. The user must keep these authentication data secret.
The foregoing authentication methods can offer only limited security. This is because valid authentication data can in principle be determined by trying out a large number of values, and can then be misused, e.g. in order to carry out communications at the expense of someone else.
If this misuse (illegal use) is to be impeded by using numbers with a larger number of digits, acceptance problems arise, since very long inputs are then necessary in normal use (legal use).
Misuse can also be impeded in principle by charging fees for unsuccessful authentication processes. However, these fees cannot be charged to the account of the user, as would actually be desired, because at the time of an unsuccessful authentication process the user has not yet been identified. Charging the account of the terminal used instead is undesirable for the legal use of these services, because it contradicts the fee principle of these services. According to this fee principle, the terminal used should remain free of fees, because the terminal used in these services may belong to a third party.
The result of the above is that, under the control of a PC, thousands of authentication attempts can be carried out abusively (with a chance of success) without any fees thereby arising for the abusive caller (illegal user). The misuse can thus be practiced commercially.
Because unsuccessful authentication processes are free of charge, a further case of misuse is also made easier. For reasons of security, access to a service is blocked as a standard procedure for a user if, for his identification, a predetermined number of false PIN entries is exceeded. Persons with malicious intent can make use of this to block access to services for others deliberately and without incurring fees.
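The two misuse cases described above, seen from the service operator's side: because a failed attempt has no identified user, the calling terminal is the only key available for grouping failures. This is an added example, not part of the original text; the record layout, the threshold values and all names are assumptions, and the sample records are constructed.

```python
from collections import defaultdict

# Constructed sample records: (calling_terminal, entered_user_id, auth_ok).
SAMPLE_EVENTS = (
    # Terminal T-A: one failed attempt each against six different identifications.
    [("T-A", f"U-{900 + i}", False) for i in range(6)]
    # Terminal T-B: three false PIN entries against the same identification.
    + [("T-B", "U-100", False)] * 3
    # Terminal T-C: a single mistyped PIN followed by a successful login.
    + [("T-C", "U-200", False), ("T-C", "U-200", True)]
)


def classify_failures(events, guess_ids=5, lockout_limit=3):
    """Flag terminals whose failed authentications match either misuse case.

    guess_ids     -- assumed threshold: distinct identifications failed from
                     one terminal before it counts as trying out values
    lockout_limit -- assumed "predetermined number of false PIN entries"
    """
    failed_ids = defaultdict(set)   # terminal -> identifications that failed
    per_target = defaultdict(int)   # (terminal, identification) -> failures

    for terminal, user_id, ok in events:
        if ok:
            continue
        failed_ids[terminal].add(user_id)
        per_target[(terminal, user_id)] += 1

    findings = {}
    for terminal, ids in failed_ids.items():
        labels = []
        # Case 1: many different identifications tried from one terminal.
        if len(ids) >= guess_ids:
            labels.append("credential-guessing")
        # Case 2: enough false PINs against one identification to block it.
        blocked = sorted(
            uid for (term, uid), count in per_target.items()
            if term == terminal and count >= lockout_limit
        )
        if blocked:
            labels.append("lockout-abuse:" + ",".join(blocked))
        if labels:
            findings[terminal] = labels
    return findings


if __name__ == "__main__":
    for terminal, labels in classify_failures(SAMPLE_EVENTS).items():
        print(terminal, labels)
```

A terminal flagged for the second case is only a candidate for review, since a legitimate user who forgets his PIN produces the same pattern.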