Flaw discovered allowing anyone to upgrade BT phone packages

A flaw has been discovered in BT’s website that allows anyone to upgrade your BT phone package using just your landline number and postcode. A spokesperson for BT said:

Different levels of security apply to different products. Where judged as appropriate, for the purpose of customer convenience we do allow a limited number of services to be ordered online using the phone number and postcode.

While it’s nice that BT are trying to make it simpler for customers to upgrade their packages, the fact that they are dismissing this issue as a different level of security is very ignorant. What’s stopping a user having their package upgraded by angry relatives, ex-partners or just hateful people in general? What recourse does the end user have, especially if they fall victim to a malicious person?

However, an additional bug that displayed the name of the primary account holder at the end of the upgrade process has been fixed. But does this alone not suggest to BT there is an issue with the process in general? If they are confident that the person performing the upgrade is the user/subscriber, why hide their name?

Source: PC Pro


10 Comments


Mr Spoon said,
Although I would suggest LOTS of people are no longer with BT these days.

I am but I just wish Infinity (and any fibre optic would appear) would be activated round here

I would hope that they send you a notification of a change of service giving you time to act (rant at BT) before you incur some costs.

I expect that they WILL come under investigation by OFCOM for this unless they do something to fix it soon

LOL WHAT?

I bet it's fairly easy to get back into your own package, if not for the PR disaster, but although I fear this will be overblown by media, I do think it's a terrible "service" - a disservice actually.

GS:ios

Glassed Silver said,
I bet it's fairly easy to get back into your own package...

You've obviously never had to deal with BT.

Well that's just daft of British Telecom.

I'm kind of glad I'm still under a Virgin Media contract but was thinking of switching to BT when the contract expired as they are a little cheaper. But they really need to fix this flaw first imo.

StevenNT said,
Well that's just daft of British Telecom.

I'm kind of glad I'm still under a Virgin Media contract but was thinking of switching to BT when the contract expired as they are a little cheaper. But they really need to fix this flaw first imo.

What's more worrying is you can buy the telephone directory software, look up someone via their phone number, and it'll already give you their name on the account and full address including postcode. It works via postcode lookup too, or name lookup, and I'm betting someone with a bit of trickery know-how can do something along the same lines via Facebook integration...

But if they're that lax on the security on their website, open to anyone and everyone... it does make me wonder what kind of protection they use against social engineering of their call centres... something Virgin Media have fallen foul of a few times in my own experience.

sagum said,
What's more worrying is you can buy the telephone directory software, look up someone via their phone number, and it'll already give you their name on the account and full address including postcode. It works via postcode lookup too, or name lookup, and I'm betting someone with a bit of trickery know-how can do something along the same lines via Facebook integration...

Huh? Does that for all phone providers unless you state ex-directory...

n_K said,
Huh? Does that for all phone providers unless you state ex-directory...

Putting it all together, a rogue person could use the data from the directory to 'nuke' everyone's account in an automated way... or they could look up social contacts to abuse them via changing their phone account.