Kits
I have brought this from another forum as it needs to be got to BT customers due to possible security issues.
To repeat and update earlier warning to BT customers who don't want to be involved with Phorm...
BT CUSTOMERS BEWARE
Do not log into the BT site, then visit any Phorm/third party operated BT.com web site.
Logging out is insufficient; it is necessary that you delete all BT.com cookies.
Sites Potentially Affected Include
webwise.bt.com (hosted by Gyron Internet, operated by Phorm)
www.webwise.bt.com (hosted by Gyron Internet, operated by Phorm)
Explanation
BT seem to be using a 'single sign on' product (called Siteminder) which allows you to log in once and gain access to any BT.com web site without being prompted for your user name or password. This is convenient, you sign on once and gain seamless access to all BT.com web sites.
During the login process cookie values are set for all BT.com web sites (cookies which include your email address, and a security credential which authenticates you to BT.com web sites).
Your browser will present those cookies to any BT.com web site trusting that those sites would not exist without BT consent. This will include BT.com web sites operated by Phorm/third parties outside BT's network, such as webwise.bt.com and www.webwise.bt.com.
This creates a security and privacy risk for the following reasons.
A security risk is created because an untrustworthy third party able to operate a BT.com web site, who is able to impersonate your IP address, and present a copy of your security credential, may be able to access your BT.com services and account details. This is called a replay/spoofing attack, a known security risk in single sign on solutions.
A privacy risk is created because a third party able to operate a BT.com web site has immediate access to your email address, whether or not you choose to enter that information. This allows third parties to obtain your email address, and link your email address and IP address simply by visiting their web site.
When Webwise/OIX is trialled, third parties would be able to link your email address, IP address and Webwise UID. If you delete your Webwise UID cookie, third parties would be able to link old/new Webwise UIDs knowing your email address.
Even when you log out of BT.com your btcom.userName cookie (which includes your email address) is persistent.
Confirmation
The 'BT Webwise Help Desk' said
"The bt.com site includes functionality which enables it to remember users for the duration of their session (i.e. from when they sign in to when they close their web-browser), in order to provide a smoother customer experience and prevent the need to repeatedly log-in or re-state preferences. This is done by using a secure single-sign-on solution which employs cookies. The design of that system prevents unauthorised access to a user's logged-in session."
"Phorm currently operates the Webwise information site (www.bt.com/webwise) on BT's behalf as a trusted partner and with BT's explicit consent (this approach is not uncommon). We are confident that this does not pose any security risk."
(Note the www.bt.com/webwise redirects to webwise.bt.com)
Cookies Affected
SMSESSION = (Netegrity SiteMinder encrypted cookie)
btcom.userName = (email address)
btcom.dateVisited = (date of visit)
Conclusion
By allowing Phorm to operate a *.bt.com web site... BT may be giving your email address, and security credentials away to Phorm.
Sites like bt.custhelp.com and bt.webwise.com will not be affected (because the browser will not recognise them as BT.com sites).
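The warning above turns on how browsers scope cookies: a cookie set with a Domain attribute of bt.com is presented to every host under that domain, including ones operated by a third party, while hosts such as bt.custhelp.com or bt.webwise.com are not domain-matched. The following is an added example (not part of the original post, and not BT's or SiteMinder's code) that models the RFC 6265 domain-matching rule to show which of the cookies named in the post would be sent to which host. It assumes the three cookies carry a Domain attribute of .bt.com (the post says they are set "for all BT.com web sites"); the cookie values are constructed placeholders, and the host-only SMSESSION_hostonly entry is a hypothetical hardened alternative, not something BT is known to set.

```javascript
// Added example: RFC 6265 cookie domain matching applied to the cookies named in the post.
// Cookie values are constructed placeholders; the Domain of ".bt.com" is an assumption.

// RFC 6265 section 5.1.3: requestHost domain-matches cookieDomain if the two are
// identical, or requestHost ends with "." + cookieDomain and is not an IP literal.
function domainMatches(requestHost, cookieDomain) {
  const host = requestHost.toLowerCase();
  const domain = cookieDomain.toLowerCase().replace(/^\./, ""); // leading dot is ignored
  if (host === domain) return true;
  const isIPv4 = /^\d+(\.\d+){3}$/.test(host);
  return !isIPv4 && host.endsWith("." + domain);
}

// Returns the names of the cookies in `jar` that a browser would attach to a
// request for `requestHost`. Host-only cookies (no Domain attribute) go only to
// the exact host that set them; domain cookies go to every matching subdomain.
function cookiesSentTo(jar, requestHost) {
  return jar
    .filter(c => c.hostOnly
      ? requestHost.toLowerCase() === c.domain.toLowerCase()
      : domainMatches(requestHost, c.domain))
    .map(c => c.name);
}

// Constructed cookie jar mirroring the names listed in the post.
const jar = [
  { name: "SMSESSION",        domain: ".bt.com",    hostOnly: false, value: "<opaque SiteMinder token>" },
  { name: "btcom.userName",   domain: ".bt.com",    hostOnly: false, value: "user@example.com" },
  { name: "btcom.dateVisited",domain: ".bt.com",    hostOnly: false, value: "2008-03-01" },
  // Hypothetical hardened alternative: a session cookie scoped to the login host only.
  { name: "SMSESSION_hostonly", domain: "www.bt.com", hostOnly: true, value: "<opaque token>" },
];

console.log("webwise.bt.com  <-", cookiesSentTo(jar, "webwise.bt.com"));  // the three .bt.com cookies
console.log("www.bt.com      <-", cookiesSentTo(jar, "www.bt.com"));      // all four
console.log("bt.custhelp.com <-", cookiesSentTo(jar, "bt.custhelp.com")); // none
console.log("bt.webwise.com  <-", cookiesSentTo(jar, "bt.webwise.com"));  // none
```

The point the model makes concrete: anything that can answer HTTP for a name under bt.com receives the SiteMinder session token and the userName cookie on the very first request, with no action by the user, whereas a host-only cookie bound to the sign-in host would never leave it.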
---------- Post added at 14:50 ---------- Previous post was at 14:40 ----------
Further to above warning; K_nt Ersdfsdf said in this interview
"we fully anonymise users by not tying into anything at all that the isp knows about them whether its something in their database, whether its an IP address for example which we don't use at all"
Which is either untrue, or BT are giving him PII which he does not need to process. That's a violation of the DPA as far as I'm concerned.
Consequently it is not possible for Phorm to operate a BT.com web domain and remain compliant with the DPA. Or BT need to stop giving customers' email addresses and security credentials to Phorm.
Or preferably do something their customers might actually value instead.