Feeds

Serious security slip at BTOpenwoe

Credit card details unprotected

  • alert
  • submit to reddit

Security for virtualized datacentres

Due to a serious security lapse, users signing up to BTOpenworld's ADSL service have been invited to send credit card details over an insecure internet connection.

A vulture-eyed Register reader, who tried to sign up to the telcom giant's domestic version of BTOpenworld, noticed he was invited to submit his credit card details over an insecure http connection. He had been trying to register for the home 500 service. He also discovered that orders for the broadband service submitted over the phone were input by BT's operators using the same insecure web page.

Unlike https (Secure Hypertext Transfer Protocol), which uses Secure Socket Layer to encrypt traffic between a server and client devices, http uses no security protection. As a result users who registered for the service allowed their credit card details to be transmitted in the clear - making it relatively straightforward for crackers to obtain those details.

The registration process also involved users submitting confidential personal details, such as home address, phone number and even a suggested email password, in an insecure manner.

A BT spokesman admitted the telco had made a serious security error but confirmed that the problem has now being fixed. He said the security and privacy gaff had happened during the process of upgrading the design of the Openworld site last Thursday.

"This issue, which affected only one of the products on offer, happened due to human error and has now being fixed. BT would like to apologise to its customers for this undesirable lapse in security," he said.

He added that a "thorough review and investigation of the incident" will be undertaken by BT into the incident.

Earlier this afternoon when we tried to register with the home 500 service, which involves a 500Kbps broadband connection for a set up fee of £150 and monthly rental of £39.99, we found it to be insecure. However by 15.30pm GMT, after the issue was notified to BT, a secure sign-up procedure was in place.

Wayne Sowery, technical director at security consultancy MIS Corporate Defence, said that whilst the vulnerability was in place in would have been "viable" for hackers to redirect traffic away from the Openworld site using an attack on DNS servers. Since http traffic can be cached there was a chance another user could see the details submitted, he added.

Sowery added the problem was doubly embarrassing for BT because through Trustwise BT was a provider of digital certificates, the very technology it had not implemented in this case. ®

To see a full-size screen grab of the insecure BTOpenworld registration page click the image below.



Related stories
BT wants Openwow not to Openwoe
BT's ADSL roll-out hits snags
BTopenworld security glitch reveals thousands of customer names

Related Link

BTopenworld

Providing a secure and efficient Helpdesk

More from The Register

next story
IBM storage revenues sink: 'We are disappointed,' says CEO
Time to put the storage biz up for sale?
'Hmm, why CAN'T I run a water pipe through that rack of media servers?'
Leaving Las Vegas for Armenia kludging and Dubai dune bashing
Facebook slurps 'paste sites' for STOLEN passwords, sprinkles on hash and salt
Zuck's ad empire DOESN'T see details in plain text. Phew!
Windows 10: Forget Cloudobile, put Security and Privacy First
But - dammit - It would be insane to say 'don't collect, because NSA'
CAGE MATCH: Microsoft, Dell open co-located bit barns in Oz
Whole new species of XaaS spawning in the antipodes
VMware's tool to harden virtual networks: a spreadsheet
NSX security guide lands in intriguing format
prev story

Whitepapers

Forging a new future with identity relationship management
Learn about ForgeRock's next generation IRM platform and how it is designed to empower CEOS's and enterprises to engage with consumers.
Why and how to choose the right cloud vendor
The benefits of cloud-based storage in your processes. Eliminate onsite, disk-based backup and archiving in favor of cloud-based data protection.
Three 1TB solid state scorchers up for grabs
Big SSDs can be expensive but think big and think free because you could be the lucky winner of one of three 1TB Samsung SSD 840 EVO drives that we’re giving away worth over £300 apiece.
Reg Reader Research: SaaS based Email and Office Productivity Tools
Read this Reg reader report which provides advice and guidance for SMBs towards the use of SaaS based email and Office productivity tools.
Security for virtualized datacentres
Legacy security solutions are inefficient due to the architectural differences between physical and virtual environments.