The Register® — Biting the hand that feeds IT

Feeds

BT.com blats small privacy bug, ignores GAPING HOLE

Allow anyone to hike your bill? Yes, that's what we call customer convenience

By John Leyden, 27th November 2012
  • print
  • alert

Regcast training : Hyper-V 3.0, VM high availability and disaster recovery

BT has squashed a mild website privacy bug reported by a Reg reader - but the telco has refused to address a related issue that allows anyone to add paid-for features to any BT landline.

The latter problem, described by the telco as a "customer convenience", can be exploited using just a property's postcode and phone number to cause mischief and inconvenience.

However, the other flaw, which revealed the full name of the landline account holder, has been fixed.

The Reg reader who raised the alarm, himself a BT customer, wanted to upgrade his landline account using the "Phone & Calling Plan" packages section of BT's website. After clicking on "start your order" the website allowed him to add paid-for options, such as unlimited calls, to his phone account with just the telephone number and postcode of his home.

At the end of the process the website shows a button for punters to press to create an account with bt.com to view online bills. Our man said: "When I clicked on that button it pre-filled the form with the full name of the primary account holder."

Neither of these processes disclosed payment information.

But our reader argued that the process has insufficient security, and that the account number should be requested when adding extra paid-for services to an account. He was even more concerned about the display of an account holder's name on the sign-up form for online bills, which he argued may be in breach of the UK's Data Protection Act.

"You should not be able to order additional paid-for services with publicly available information," said the customer, who wished to remain anonymous. "The phone number and postcode of a property are freely given out on letterheads, websites and all sorts.

"One could easily make a nuisance of oneself ordering extra services for someone and BT would be happy to comply with those requests, it seems. They should ask for the BT account number as well at the very least, since that is not something that people give out."

In response, BT conceded that displaying the name of the account holder was a mistake and agreed to change its process to not show it. However the telco giant argued that knowing the phone number and postcode of a property was enough security when it came to adding paid-for options to an account:

Different levels of security apply to different products. Where judged as appropriate, for the purpose of customer convenience we do allow a limited number of services to be ordered online using the phone number and postcode.

It should not have been possible to view the name of the account holder by entering just the phone number and postcode. Thank you very much for bringing this to our attention, we have taken the appropriate action to close this issue.

®

Agentless Backup is Not a Myth

COMMENTS

House Rules Send Corrections
All Reader Comments (26)
Highly Rated
Martin an gof

Related issue?

When we moved house three-and-a-bit years ago the person who was buying our old house was able to disconnect our BT line without our permission, perhaps a fortnight before the move, simply by ringing a BT call centre. Quite apart from inconveniencing us it made things difficult with the bank, the solicitors, the removal company and the children's school, all of whom had our landline number as first point of contact. Three or four days later our ISP also cut us off because the line was no longer "live".

Suffice to say we took the opportunity to move away from BT for our new phoneline, but despite all our protestations and communications with BT and (eventually) the regulator, the consensus was "these things happen, sorry, here's a month's rental back". This incident strikes me as very similar. With just a phone number and a postcode a third party was able to take all sorts of action against a phoneline that isn't theirs.

Have to say we've had great service from our new phone supplier who seem to have a callcentre somewhere on Mersyside with real people answering the phone who actually know what they're talking about and we now use them for our ISP too. For example, "fixed IP sir? No problem" rather than "what's an IP address? Oh, I don't know about that, I'll have to pass you on to someone else".

M.

10
0
Danny 14

just sign up BTs board to all the paid for services. Im sure that will help (that is unless they arent with virgin).

8
0
Androgynous Crackwhore

I smell a rat...

I bet BT don't make it nearly so easy to mischievously <i>cancel</i> someone else's "premium services"

5
0

More from The Register

breaking news
NSA PRISM snoop-gate: Won't someone think of the children, wails Apple
10,000 things probed, mostly about missing kids, Alzheimer patients, we're told
96
breaking news
NSA PRISM-gate: Relax, GCHQ spooks 'keep us safe', says Cameron
Whatever they are up to, it's all above board, we're told
90
PRISM snitch claims NSA hacked Chinese targets since 2009
Snowden suddenly looks safer in Hong Kong after revelations
33
breaking news
US chief spook: Look, we only want to spy on 6.66 BEELLLION of you
Americans assured they are not in the NSA's sights
68
breaking news
Number of cops abusing Police National Computer access on the rise
Only a telegram from the Queen can get you off it
122
Speech-to-text drives motorists to distraction
Will talking to you mean I crash into that car up ahead, Siri?
30
Flash flaw potentially makes every webcam or laptop a PEEPHOLE
But it's a Google problem - Chrome only, insists Adobe
57
DHS warns of vulns in hospital medical equipment
Has your doctor's anasthesia machine been hacked?
17
breaking news
'BadNews is malware' says outfit that found it
Google says code harmless but Lookout says code base is evolving
15
Panda-peddlers cuffed for chess gambling gambit
More porridge on the menu for Chinese coders after second offence
13