BT has squashed a mild website privacy bug reported by a Reg reader - but the telco has refused to address a related issue that allows anyone to add paid-for features to any BT landline. The latter problem, described by the telco as a "customer convenience", can be exploited using just a property's postcode and phone number to …
Look it up on BT.COM
"However the telco giant argued that knowing the phone number and postcode of a property was enough security when it came to adding paid-for options to an account:"
The BT online phone directory will give you the number and postcode for anyone that is in its search data.
Not sure whether the paper directory still lists postcodes in people's entries - the new tiny print format is a sort of obfuscation security.
So something like this does *not* need a customer reference number.
AFAIK anyone talking to BT *without* their ref # get the "This is in breach of our data protection responsibilities" BS.
Exactly correct. All you need is the phone number, the postcode, and you have to tick a checkbox confirming you are the account holder. Apparently this last thing is very important, according to BT, and makes it all ok. :o)
the BT website is a monument to functional death
Unfortunately nobody has yet made a monument to the functional death to every single one in the PR department who came up with that reply.
just sign up BTs board to all the paid for services. Im sure that will help (that is unless they arent with virgin).
That occurred to me, but then I suspect they have everything by default anyway, so won't be affected.
You probably need to sign up those outside BT to create a fuss. Perhaps a few cabinet ministers, MPs, police commissioners and Fleet Street journalists.
Before someone from Anonymous or similar starts signing up the whole country to these extras?
I wouldn't put it past them to use a script to do it automatically!
That would be illegal, and immoral (but then isn't what BT are doing also illegal and immoral?)
My father got his incoming calls silently redirected as part of a banking scam earlier this year. Wonder if this is how they did it?
When we moved house three-and-a-bit years ago the person who was buying our old house was able to disconnect our BT line without our permission, perhaps a fortnight before the move, simply by ringing a BT call centre. Quite apart from inconveniencing us it made things difficult with the bank, the solicitors, the removal company and the children's school, all of whom had our landline number as first point of contact. Three or four days later our ISP also cut us off because the line was no longer "live".
Suffice to say we took the opportunity to move away from BT for our new phoneline, but despite all our protestations and communications with BT and (eventually) the regulator, the consensus was "these things happen, sorry, here's a month's rental back". This incident strikes me as very similar. With just a phone number and a postcode a third party was able to take all sorts of action against a phoneline that isn't theirs.
Have to say we've had great service from our new phone supplier who seem to have a callcentre somewhere on Mersyside with real people answering the phone who actually know what they're talking about and we now use them for our ISP too. For example, "fixed IP sir? No problem" rather than "what's an IP address? Oh, I don't know about that, I'll have to pass you on to someone else".
Re: Related issue?
I hope you took a dump on the living room carpet before you walked out of the door for the last time.
I smell a rat...
I bet BT don't make it nearly so easy to mischievously <i>cancel</i> someone else's "premium services"
"The message has to be this: if you care about your privacy,
do not use BT, Virgin or Talk-Talk as your internet provider." - Ross Anderson
It should be obvious by now; BT simply don't care about your privacy *at all*.
Re: "The message has to be this: if you care about your privacy,
Thanks town dweller... could you knock us up a nice new shiny fibre for those of us who dont have any choice but BT.
Re: "The message has to be this: if you care about your privacy,
I live in a city, albeit a smaller one. When I moved into a new build a few years back I had one single option. BT. Even now new lines here are BT only, and there's still no cable services installed either.
It's not just the Data Protection Act
While much focus has been given to BT's need to comply with the Data Protection, of more importance is the Privacy and Electronic Communications Regulations - these require telcos to protect the security of services and data and to report any breaches to the ICO. BT should reflect on this and put in place appropriate measures.
Typical BT, don't care so long as they profit
They make money from these features being ordered, so why should they care?
Nothing has changed from the days when all BT Cellnet asked for was a credit card number + expiry date to top up a PAYG phone, giving rise to the inevitable fraud. If someone didn't question the £30.00 charge on their card, it was all pure profit for IT.
Bruce Schneier's views?
Wonder what Bruce Schneier's views are on this matter, being an avid evangelist for privacy and being the Chief Security Technology Officer at BT.
The Verge is saying they did this and got an order email with the name of the account holder, so BT hasn't really fixed this at all.
...set the "Calling Features" of every MP's phone to forward to the CTO for BT (http://www.productsandservices.bt.com/consumerProducts/displayTopic.do?topicId=28921).
Not only will the MPs be pissed that BT allow this to happen (probably have a public enquiry) BT will certainly realise that the problem is slightly more serious than they think. Indeed there appears to be no bar to stop me changing any customers services while sittting here at my laptop in the south of France.
Get a grip
Putting the name in is not great, but it is hardly the end of the world. It is available in the same public place where you can get the telephone number and post code. The telephone directory!
You can add caller redirect but you can't switch it on or set up the number to redirect to, you need access to the phone to do that.
They want to make money so they make ordering as easy as possible. If someone mistakenly orders ( not likely to get both items wrong and matching) or maliciously you get an order confirmation so can go in and cancel. I would assume if this happened alot the cost of dealing with the calls to cancel would make then change the system.
Hardly a gaping hole!
Re: Get a grip
Not a gaping hole? Really? Does everyone use online billing for BT? No, no they don't. Where are BT magically going to send this confirmation email if they don't have an email address for the account holder?
Did you even take the time to think this through at all?
I wonder if I changed the settings on your mother / grandmother's line just for "a bit of a laugh" you'd change your mind. I know mine wouldn't know until the paper bill plopped through the letterbox up to 3 months later.
Wot? No Hash?
I have not long finished speaking to a mate on the phone. He has just requested an upgrade for his business broadband. In one of the follow-up emails he received was the plain text password that he should be using for his BT business account and BT Wi-Fi. Sending plain text passwords in emails is bad enough even if they are a new, randomly generated password that is hashed in some database after dispatching the email.
However, the password quoted was one that he assigned himself (by changing the default password originally provided) some time ago. So it's pretty darned obvious that BT are storing at least some passwords using symmetric encryption, or worse still, plain text.
Not so much a technical security issue but more perhaps a DPA one is the fact that with an order ID and potcode one can retrieve his full name, primary email address, BT network user id and other assorted address, email and account/order information, as held by BT. Not exactly earth shattering I grant you, but a somewhat lacking data handling policy nonetheless.
"with an order ID and potcode"
Luckily, I'm with VirginMedia...
and everyone knows that as a current VirginMedia customer, it's almost impossible to order any additional services via their website.....