
Serious security slip at BTOpenwoe

Credit card details unprotected


Due to a serious security lapse, users signing up to BTOpenworld's ADSL service have been invited to send credit card details over an insecure internet connection.

A vulture-eyed Register reader, who tried to sign up to the telecoms giant's domestic version of BTOpenworld, noticed he was invited to submit his credit card details over an insecure http connection. He had been trying to register for the home 500 service. He also discovered that orders for the broadband service submitted over the phone were input by BT's operators using the same insecure web page.

Unlike https (Hypertext Transfer Protocol Secure), which uses Secure Sockets Layer to encrypt traffic between a server and client devices, plain http offers no protection. As a result, users who registered for the service had their credit card details transmitted in the clear, making it relatively straightforward for anyone able to observe the traffic to obtain those details.

The registration process also involved users submitting confidential personal details, such as home address, phone number and even a suggested email password, in an insecure manner.
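The lapse described above is the kind of thing a site owner can catch mechanically before a page goes live: any form that collects card numbers or passwords but whose action resolves to a plain http URL is a finding. The checker below is an added example, not code from the article or from BT; the page URL, the HTML and the list of sensitive field-name hints are constructed for illustration. It also covers the related case of an https page whose form posts to an http URL, which downgrades the submission just the same.

```python
"""Audit HTML forms for sensitive fields that would be submitted over plain http."""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Field types and name fragments treated as sensitive (constructed list, not from the article).
SENSITIVE_TYPES = {"password"}
SENSITIVE_NAME_HINTS = ("card", "ccnum", "cvv", "cvc", "expiry", "password", "passwd")


class FormAuditor(HTMLParser):
    """Collect every <form> with its resolved action URL and its input fields."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.forms = []          # list of {"action": str, "fields": [(name, type), ...]}
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            # A missing or empty action submits back to the page URL itself,
            # so a form on an http page inherits that insecure scheme.
            action = a.get("action") or self.page_url
            self._current = {"action": urljoin(self.page_url, action), "fields": []}
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            self._current["fields"].append(
                ((a.get("name") or "").lower(), (a.get("type") or "text").lower())
            )

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def is_sensitive(name, input_type):
    """True for password inputs and for names that look like card or credential fields."""
    return input_type in SENSITIVE_TYPES or any(h in name for h in SENSITIVE_NAME_HINTS)


def audit_forms(page_url, html):
    """Return (action_url, [sensitive field names]) for every form that carries
    sensitive fields and whose resolved action is not an https URL."""
    parser = FormAuditor(page_url)
    parser.feed(html)
    findings = []
    for form in parser.forms:
        sensitive = [n for n, t in form["fields"] if is_sensitive(n, t)]
        if sensitive and urlsplit(form["action"]).scheme != "https":
            findings.append((form["action"], sensitive))
    return findings


# Constructed sample: a sign-up page served over plain http whose form posts a card
# number and a chosen email password back to the same host, plus a second form that
# is safe because its action is an https URL.
SAMPLE_PAGE_URL = "http://signup.example.test/home500"
SAMPLE_HTML = """
<form method="post" action="/register">
  <input name="fullname" type="text">
  <input name="cardnumber" type="text">
  <input name="email_password" type="password">
</form>
<form method="post" action="https://secure.example.test/register">
  <input name="cardnumber" type="text">
</form>
"""

if __name__ == "__main__":
    for action, fields in audit_forms(SAMPLE_PAGE_URL, SAMPLE_HTML):
        print(f"INSECURE: {action} would receive {', '.join(fields)} without TLS")
```

Run against the constructed page it reports only the first form, because the relative action `/register` resolves to the page's own http origin. Feeding it the HTML of a staging site's sign-up pages is a cheap pre-release gate; it does not replace checking that the live server actually enforces TLS on the endpoint.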

A BT spokesman admitted the telco had made a serious security error but confirmed that the problem has now been fixed. He said the security and privacy gaffe had happened during the process of upgrading the design of the Openworld site last Thursday.

"This issue, which affected only one of the products on offer, happened due to human error and has now been fixed. BT would like to apologise to its customers for this undesirable lapse in security," he said.

He added that BT will undertake a "thorough review and investigation of the incident".

Earlier this afternoon when we tried to register with the home 500 service, which involves a 500Kbps broadband connection for a set-up fee of £150 and monthly rental of £39.99, we found it to be insecure. However, by 15:30 GMT, after the issue was notified to BT, a secure sign-up procedure was in place.

Wayne Sowery, technical director at security consultancy MIS Corporate Defence, said that whilst the vulnerability was in place it would have been "viable" for hackers to redirect traffic away from the Openworld site using an attack on DNS servers. Since http traffic can be cached, there was a chance another user could see the details submitted, he added.

Sowery added the problem was doubly embarrassing for BT because through Trustwise BT was a provider of digital certificates, the very technology it had not implemented in this case. ®

Screen grab: the insecure BTOpenworld registration page (image not reproduced here).

Related stories
BT wants Openwow not to Openwoe
BT's ADSL roll-out hits snags
BTopenworld security glitch reveals thousands of customer names

Related Link

BTopenworld
