BT Shuns Phone Privacy Bug that Exposes UK Customers to Abuse

BT has been accused of negligence after one of its customers discovered that the national telecoms operator had made it easy for anybody to gain access to personal customer account names and add unwanted services to another user’s phone line without their permission.

The flaw, which we were easily able to verify with a friends service, allows anybody with the phone number and postcode of a particular property to change the subscription service and gain access to additional personal details (full name of the account holder) through BT’s online “Upgrade your Calling Plan” service.

It goes without saying that such an easily accessible system with no firm security checks, except a basic check-box, could be abused for malicious purposes, although so far BT have only agreed to remove the account holders name from its public display.

A BT Spokesperson said (The Register):

“Different levels of security apply to different products. Where judged as appropriate, for the purpose of customer convenience we do allow a limited number of services to be ordered online using the phone number and postcode.

It should not have been possible to view the name of the account holder by entering just the phone number and postcode. Thank you very much for bringing this to our attention, we have taken the appropriate action to close this issue.”

Apparently knowing the phone number and postcode of a property, which can easily be found via the phone directory, is all the security that customers need. So far as we’re aware the vast majority of other telecoms operators and broadband ISPs tend to require at least a username and password before allowing anybody to make similar changes to their services, which is a more sensible approach.