BT Shuns Phone Privacy Bug that Exposes UK Customers to Abuse
BT has been accused of negligence after one of its customers discovered that the national telecoms operator had made it easy for anybody to gain access to personal customer account names and add unwanted services to another user’s phone line without their permission.
The flaw, which we were easily able to verify with a friends service, allows anybody with the phone number and postcode of a particular property to change the subscription service and gain access to additional personal details (full name of the account holder) through BT’s online “Upgrade your Calling Plan” service.
It goes without saying that such an easily accessible system with no firm security checks, except a basic check-box, could be abused for malicious purposes, although so far BT have only agreed to remove the account holders name from its public display.
A BT Spokesperson said (The Register):
“Different levels of security apply to different products. Where judged as appropriate, for the purpose of customer convenience we do allow a limited number of services to be ordered online using the phone number and postcode.
It should not have been possible to view the name of the account holder by entering just the phone number and postcode. Thank you very much for bringing this to our attention, we have taken the appropriate action to close this issue.”
Apparently knowing the phone number and postcode of a property, which can easily be found via the phone directory, is all the security that customers need. So far as we’re aware the vast majority of other telecoms operators and broadband ISPs tend to require at least a username and password before allowing anybody to make similar changes to their services, which is a more sensible approach.
Mark is a professional technology writer, IT consultant and computer engineer from Dorset (England), he also founded ISPreview in 1999 and enjoys analysing the latest telecoms and broadband developments. Find me on Twitter, Google+, Facebook and Linkedin.
« EE UK Boosts Mobile Broadband Usage Allowances at No Extra Cost
Privacy Notice: Please note that news comments are anonymous, which means that we do NOT require you to enter any real personal details to post a message. By clicking to submit a post you agree to storing your comment content, display name, IP, email and / or website details in our database, for as long as the post remains live.
Only the submitted name and comment will be displayed in public, while the rest will be kept private (we will never share this outside of ISPreview, regardless of whether the data is real or fake). This comment system uses submitted IP, email and website address data to spot abuse and spammers. All data is transferred via an encrypted (https secure) session.
NOTE 1: Sometimes your comment might not appear immediately due to site cache (this is cleared every few hours) or it may be caught by automated moderation / anti-spam.
NOTE 2: Comments that break our rules, spam, troll or post via known fake IP/proxy servers may be blocked or removed.
Aha – so if I want to know if someone has Caller Display and knows whether it’s me calling or not, I can go onto the BT website, put their phone number and postcode in, and find out?
This sort of negligent security leak is really appalling for any company, let alone a major one with IT offerings (!). I’d be hanging my head in my hands if I’d coded that.
You know why they can’t/won’t fix it?
Because it was coded by some crackhead in India, and they cant find him.