Feeds

Serious security slip at BTOpenwoe

Credit card details unprotected

  • alert
  • submit to reddit

Top 5 reasons to deploy VMware with Tegile

Due to a serious security lapse, users signing up to BTOpenworld's ADSL service have been invited to send credit card details over an insecure internet connection.

A vulture-eyed Register reader, who tried to sign up to the telcom giant's domestic version of BTOpenworld, noticed he was invited to submit his credit card details over an insecure http connection. He had been trying to register for the home 500 service. He also discovered that orders for the broadband service submitted over the phone were input by BT's operators using the same insecure web page.

Unlike https (Secure Hypertext Transfer Protocol), which uses Secure Socket Layer to encrypt traffic between a server and client devices, http uses no security protection. As a result users who registered for the service allowed their credit card details to be transmitted in the clear - making it relatively straightforward for crackers to obtain those details.

The registration process also involved users submitting confidential personal details, such as home address, phone number and even a suggested email password, in an insecure manner.

A BT spokesman admitted the telco had made a serious security error but confirmed that the problem has now being fixed. He said the security and privacy gaff had happened during the process of upgrading the design of the Openworld site last Thursday.

"This issue, which affected only one of the products on offer, happened due to human error and has now being fixed. BT would like to apologise to its customers for this undesirable lapse in security," he said.

He added that a "thorough review and investigation of the incident" will be undertaken by BT into the incident.

Earlier this afternoon when we tried to register with the home 500 service, which involves a 500Kbps broadband connection for a set up fee of £150 and monthly rental of £39.99, we found it to be insecure. However by 15.30pm GMT, after the issue was notified to BT, a secure sign-up procedure was in place.

Wayne Sowery, technical director at security consultancy MIS Corporate Defence, said that whilst the vulnerability was in place in would have been "viable" for hackers to redirect traffic away from the Openworld site using an attack on DNS servers. Since http traffic can be cached there was a chance another user could see the details submitted, he added.

Sowery added the problem was doubly embarrassing for BT because through Trustwise BT was a provider of digital certificates, the very technology it had not implemented in this case. ®

To see a full-size screen grab of the insecure BTOpenworld registration page click the image below.



Related stories
BT wants Openwow not to Openwoe
BT's ADSL roll-out hits snags
BTopenworld security glitch reveals thousands of customer names

Related Link

BTopenworld

Beginner's guide to SSL certificates

More from The Register

next story
Ellison: Sparc M7 is Oracle's most important silicon EVER
'Acceleration engines' key to performance, security, Larry says
Oracle SHELLSHOCKER - data titan lists unpatchables
Database kingpin lists 32 products that can't be patched (yet) as GNU fixes second vuln
Lenovo to finish $2.1bn IBM x86 server gobble in October
A lighter snack than expected – but what's a few $100m between friends, eh?
Ello? ello? ello?: Facebook challenger in DDoS KNOCKOUT
Gets back up again after half an hour though
Hey, what's a STORAGE company doing working on Internet-of-Cars?
Boo - it's not a terabyte car, it's just predictive maintenance and that
prev story

Whitepapers

Forging a new future with identity relationship management
Learn about ForgeRock's next generation IRM platform and how it is designed to empower CEOS's and enterprises to engage with consumers.
Storage capacity and performance optimization at Mizuno USA
Mizuno USA turn to Tegile storage technology to solve both their SAN and backup issues.
The next step in data security
With recent increased privacy concerns and computers becoming more powerful, the chance of hackers being able to crack smaller-sized RSA keys increases.
Security for virtualized datacentres
Legacy security solutions are inefficient due to the architectural differences between physical and virtual environments.
A strategic approach to identity relationship management
ForgeRock commissioned Forrester to evaluate companies’ IAM practices and requirements when it comes to customer-facing scenarios versus employee-facing ones.