BT has been accused of negligence after one of its customers discovered that the national telecoms operator had made it easy for anybody to gain access to personal customer account names and add unwanted services to another user’s phone line without their permission.
The flaw, which we were easily able to verify with a friends service, allows anybody with the phone number and postcode of a particular property to change the subscription service and gain access to additional personal details (full name of the account holder) through BT’s online “Upgrade your Calling Plan” service.
It goes without saying that such an easily accessible system with no firm security checks, except a basic check-box, could be abused for malicious purposes, although so far BT have only agreed to remove the account holders name from its public display.
A BT Spokesperson said (The Register):
“Different levels of security apply to different products. Where judged as appropriate, for the purpose of customer convenience we do allow a limited number of services to be ordered online using the phone number and postcode.
It should not have been possible to view the name of the account holder by entering just the phone number and postcode. Thank you very much for bringing this to our attention, we have taken the appropriate action to close this issue.”
Apparently knowing the phone number and postcode of a property, which can easily be found via the phone directory, is all the security that customers need. So far as we’re aware the vast majority of other telecoms operators and broadband ISPs tend to require at least a username and password before allowing anybody to make similar changes to their services, which is a more sensible approach.
Comments are closed.
Aha – so if I want to know if someone has Caller Display and knows whether it’s me calling or not, I can go onto the BT website, put their phone number and postcode in, and find out?
This sort of negligent security leak is really appalling for any company, let alone a major one with IT offerings (!). I’d be hanging my head in my hands if I’d coded that.
You know why they can’t/won’t fix it?
Because it was coded by some crackhead in India, and they cant find him.