Feeds

Serious security slip at BTOpenwoe

Credit card details unprotected

  • alert
  • submit to reddit

Beginner's guide to SSL certificates

Due to a serious security lapse, users signing up to BTOpenworld's ADSL service have been invited to send credit card details over an insecure internet connection.

A vulture-eyed Register reader, who tried to sign up to the telcom giant's domestic version of BTOpenworld, noticed he was invited to submit his credit card details over an insecure http connection. He had been trying to register for the home 500 service. He also discovered that orders for the broadband service submitted over the phone were input by BT's operators using the same insecure web page.

Unlike https (Secure Hypertext Transfer Protocol), which uses Secure Socket Layer to encrypt traffic between a server and client devices, http uses no security protection. As a result users who registered for the service allowed their credit card details to be transmitted in the clear - making it relatively straightforward for crackers to obtain those details.

The registration process also involved users submitting confidential personal details, such as home address, phone number and even a suggested email password, in an insecure manner.

A BT spokesman admitted the telco had made a serious security error but confirmed that the problem has now being fixed. He said the security and privacy gaff had happened during the process of upgrading the design of the Openworld site last Thursday.

"This issue, which affected only one of the products on offer, happened due to human error and has now being fixed. BT would like to apologise to its customers for this undesirable lapse in security," he said.

He added that a "thorough review and investigation of the incident" will be undertaken by BT into the incident.

Earlier this afternoon when we tried to register with the home 500 service, which involves a 500Kbps broadband connection for a set up fee of £150 and monthly rental of £39.99, we found it to be insecure. However by 15.30pm GMT, after the issue was notified to BT, a secure sign-up procedure was in place.

Wayne Sowery, technical director at security consultancy MIS Corporate Defence, said that whilst the vulnerability was in place in would have been "viable" for hackers to redirect traffic away from the Openworld site using an attack on DNS servers. Since http traffic can be cached there was a chance another user could see the details submitted, he added.

Sowery added the problem was doubly embarrassing for BT because through Trustwise BT was a provider of digital certificates, the very technology it had not implemented in this case. ®

To see a full-size screen grab of the insecure BTOpenworld registration page click the image below.



Related stories
BT wants Openwow not to Openwoe
BT's ADSL roll-out hits snags
BTopenworld security glitch reveals thousands of customer names

Related Link

BTopenworld

Security for virtualized datacentres

More from The Register

next story
It's Big, it's Blue... it's simply FABLESS! IBM's chip-free future
Or why the reversal of globalisation ain't gonna 'appen
'Hmm, why CAN'T I run a water pipe through that rack of media servers?'
Leaving Las Vegas for Armenia kludging and Dubai dune bashing
Facebook slurps 'paste sites' for STOLEN passwords, sprinkles on hash and salt
Zuck's ad empire DOESN'T see details in plain text. Phew!
CAGE MATCH: Microsoft, Dell open co-located bit barns in Oz
Whole new species of XaaS spawning in the antipodes
Microsoft and Dell’s cloud in a box: Instant Azure for the data centre
A less painful way to run Microsoft’s private cloud
AWS pulls desktop-as-a-service from the PC
Support for PCoIP protocol means zero clients can run cloudy desktops
prev story

Whitepapers

Choosing cloud Backup services
Demystify how you can address your data protection needs in your small- to medium-sized business and select the best online backup service to meet your needs.
Forging a new future with identity relationship management
Learn about ForgeRock's next generation IRM platform and how it is designed to empower CEOS's and enterprises to engage with consumers.
Security for virtualized datacentres
Legacy security solutions are inefficient due to the architectural differences between physical and virtual environments.
Reg Reader Research: SaaS based Email and Office Productivity Tools
Read this Reg reader report which provides advice and guidance for SMBs towards the use of SaaS based email and Office productivity tools.
Storage capacity and performance optimization at Mizuno USA
Mizuno USA turn to Tegile storage technology to solve both their SAN and backup issues.