BT.com blats small privacy bug, ignores GAPING HOLE

BT has squashed a mild website privacy bug reported by a Reg reader - but the telco has refused to address a related issue that allows anyone to add paid-for features to any BT landline. The latter problem, described by the telco as a "customer convenience", can be exploited using just a property's postcode and phone number to …

COMMENTS

This topic is closed for new posts.
  1. Anonymous Coward
    Anonymous Coward

    Look it up on BT.COM

    "However the telco giant argued that knowing the phone number and postcode of a property was enough security when it came to adding paid-for options to an account:"

    The BT online phone directory will give you the number and postcode for anyone that is in its search data.

    Not sure whether the paper directory still lists postcodes in people's entries - the new tiny print format is a sort of obfuscation security.

  2. John Smith 19 Gold badge
    WTF?

    WTF

    So something like this does *not* need a customer reference number.

    AFAIK anyone talking to BT *without* their ref # get the "This is in breach of our data protection responsibilities" BS.

    1. AbortRetryFail
      Facepalm

      Re: WTF

      Exactly correct. All you need is the phone number, the postcode, and you have to tick a checkbox confirming you are the account holder. Apparently this last thing is very important, according to BT, and makes it all ok. :o)

  3. The Alpha Klutz

    the BT website is a monument to functional death

    1. Dan 55 Silver badge
      Flame

      Unfortunately nobody has yet made a monument to the functional death of every single one in the PR department who came up with that reply.

  4. Danny 14

    Just sign up BT's board to all the paid-for services. I'm sure that will help (that is, unless they aren't with Virgin).

    1. David Gosnell

      That occurred to me, but then I suspect they have everything by default anyway, so won't be affected.

    2. Anonymous Coward
      Anonymous Coward

      You probably need to sign up those outside BT to create a fuss. Perhaps a few cabinet ministers, MPs, police commissioners and Fleet Street journalists.

  5. GettinSadda
    WTF?

    How long

    Before someone from Anonymous or similar starts signing up the whole country to these extras?

    I wouldn't put it past them to use a script to do it automatically!

    That would be illegal, and immoral (but then isn't what BT are doing also illegal and immoral?)

  6. Neil Barnes Silver badge
    WTF?

    Hmm.

    My father got his incoming calls silently redirected as part of a banking scam earlier this year. Wonder if this is how they did it?

  7. Martin an gof Silver badge
    FAIL

    Related issue?

    When we moved house three-and-a-bit years ago the person who was buying our old house was able to disconnect our BT line without our permission, perhaps a fortnight before the move, simply by ringing a BT call centre. Quite apart from inconveniencing us it made things difficult with the bank, the solicitors, the removal company and the children's school, all of whom had our landline number as first point of contact. Three or four days later our ISP also cut us off because the line was no longer "live".

    Suffice to say we took the opportunity to move away from BT for our new phoneline, but despite all our protestations and communications with BT and (eventually) the regulator, the consensus was "these things happen, sorry, here's a month's rental back". This incident strikes me as very similar. With just a phone number and a postcode a third party was able to take all sorts of action against a phoneline that isn't theirs.

    Have to say we've had great service from our new phone supplier, who seem to have a call centre somewhere on Merseyside with real people answering the phone who actually know what they're talking about, and we now use them for our ISP too. For example, "fixed IP sir? No problem" rather than "what's an IP address? Oh, I don't know about that, I'll have to pass you on to someone else".

    M.

    1. frank ly

      Re: Related issue?

      I hope you took a dump on the living room carpet before you walked out of the door for the last time.

  8. Androgynous Crackwhore
    Black Helicopters

    I smell a rat...

    I bet BT don't make it nearly so easy to mischievously *cancel* someone else's "premium services"

  9. dephormation.org.uk
    Big Brother

    "The message has to be this: if you care about your privacy, do not use BT, Virgin or Talk-Talk as your internet provider." - Ross Anderson

    It should be obvious by now; BT simply don't care about your privacy *at all*.


    1. Anonymous Coward
      Anonymous Coward

      Re: "The message has to be this: if you care about your privacy,

      Thanks town dweller... could you knock us up a nice new shiny fibre for those of us who don't have any choice but BT.

      1. Anonymous Coward
        Anonymous Coward

        Re: "The message has to be this: if you care about your privacy,

        I live in a city, albeit a smaller one. When I moved into a new build a few years back I had one single option. BT. Even now new lines here are BT only, and there's still no cable services installed either.

  10. Anonymous Coward
    Anonymous Coward

    It's not just the Data Protection Act

    While much focus has been given to BT's need to comply with the Data Protection Act, of more importance are the Privacy and Electronic Communications Regulations - these require telcos to protect the security of services and data and to report any breaches to the ICO. BT should reflect on this and put in place appropriate measures.

  11. Alan J. Wylie

    Typical BT, don't care so long as they profit

    They make money from these features being ordered, so why should they care?

    Nothing has changed from the days when all BT Cellnet asked for was a credit card number + expiry date to top up a PAYG phone, giving rise to the inevitable fraud. If someone didn't question the £30.00 charge on their card, it was all pure profit for IT.

    http://www.pardoe.net/cellnet/index.html

  12. roshanmani
    Meh

    Bruce Schneier's views?

    Wonder what Bruce Schneier's views are on this matter, being an avid evangelist for privacy and being the Chief Security Technology Officer at BT.

  13. hokum
    Thumb Down

    The Verge

    The Verge is saying they did this and got an order email with the name of the account holder, so BT hasn't really fixed this at all.

  14. JassMan
    Facepalm

    Simple solution

    ...set the "Calling Features" of every MP's phone to forward to the CTO for BT (http://www.productsandservices.bt.com/consumerProducts/displayTopic.do?topicId=28921).

    Not only will the MPs be pissed that BT allow this to happen (probably have a public enquiry), BT will certainly realise that the problem is slightly more serious than they think. Indeed there appears to be no bar to stop me changing any customer's services while sitting here at my laptop in the south of France.

  15. Anonymous Coward
    Anonymous Coward

    Get a grip

    Putting the name in is not great, but it is hardly the end of the world. It is available in the same public place where you can get the telephone number and post code. The telephone directory!

    You can add caller redirect but you can't switch it on or set up the number to redirect to, you need access to the phone to do that.

    They want to make money so they make ordering as easy as possible. If someone mistakenly orders (not likely to get both items wrong and matching) or maliciously, you get an order confirmation so can go in and cancel. I would assume if this happened a lot the cost of dealing with the calls to cancel would make them change the system.

    Hardly a gaping hole!

    1. ScaredyCat
      FAIL

      Re: Get a grip

      Not a gaping hole? Really? Does everyone use online billing for BT? No, no they don't. Where are BT magically going to send this confirmation email if they don't have an email address for the account holder?

      Did you even take the time to think this through at all?

      I wonder if I changed the settings on your mother / grandmother's line just for "a bit of a laugh" you'd change your mind. I know mine wouldn't know until the paper bill plopped through the letterbox up to 3 months later.

  16. Anonymous Coward
    Anonymous Coward

    Wot? No Hash?

    I have not long finished speaking to a mate on the phone. He has just requested an upgrade for his business broadband. In one of the follow-up emails he received was the plain text password that he should be using for his BT business account and BT Wi-Fi. Sending plain text passwords in emails is bad enough even if they are a new, randomly generated password that is hashed in some database after dispatching the email.

    However, the password quoted was one that he assigned himself (by changing the default password originally provided) some time ago. So it's pretty darned obvious that BT are storing at least some passwords using symmetric encryption, or worse still, plain text.

    Not so much a technical security issue but more perhaps a DPA one is the fact that with an order ID and potcode one can retrieve his full name, primary email address, BT network user id and other assorted address, email and account/order information, as held by BT. Not exactly earth shattering I grant you, but a somewhat lacking data handling policy nonetheless.

    1. Anonymous Coward
      Anonymous Coward

      Oops, Errata

      "with an order ID and potcode"

      Potcode? Postcode!
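    An added illustration of the reasoning in the "Wot? No Hash?" comment above (this is constructed example code, not part of the thread and not BT's code): a provider that keeps a one-way salted hash of the password a customer chose can still verify a login, but it has nothing to paste into an order email, so an email that quotes the customer's own chosen password back to them is evidence of reversible or plaintext storage. The record layout, the `email_reveals_password` check and the sample password are all assumptions made for this example.

```python
import hashlib
import hmac
import os
from typing import Optional

# Constructed example: two storage schemes for a customer-chosen password and
# what each one lets the provider put into a follow-up email.

PBKDF2_ITERATIONS = 200_000  # assumed work factor for this illustration


def store_plaintext(password: str) -> dict:
    """Reversible storage: the record holds the secret itself."""
    return {"scheme": "plaintext", "secret": password}


def store_hashed(password: str, salt: Optional[bytes] = None) -> dict:
    """One-way storage: salted PBKDF2-HMAC-SHA256, nothing recoverable."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS
    )
    return {
        "scheme": "pbkdf2-sha256",
        "salt": salt.hex(),
        "digest": digest.hex(),
        "iterations": PBKDF2_ITERATIONS,
    }


def verify(record: dict, candidate: str) -> bool:
    """Check a login attempt against either record type (constant-time compare)."""
    if record["scheme"] == "plaintext":
        return hmac.compare_digest(
            record["secret"].encode("utf-8"), candidate.encode("utf-8")
        )
    digest = hashlib.pbkdf2_hmac(
        "sha256",
        candidate.encode("utf-8"),
        bytes.fromhex(record["salt"]),
        record["iterations"],
    )
    return hmac.compare_digest(digest, bytes.fromhex(record["digest"]))


def password_recoverable(record: dict) -> bool:
    """True only when the provider could read the password back out of the record."""
    return record["scheme"] == "plaintext"


def compose_order_email(record: dict) -> str:
    """What an order-confirmation email can say, given the storage scheme."""
    if password_recoverable(record):
        # Only possible with reversible storage: the secret is right there.
        return "Your BT account password is: " + record["secret"]
    # With a hash on file there is nothing to quote; point at a reset instead.
    return "Your password is unchanged. Use the account page if you need to reset it."


def email_reveals_password(email_body: str, chosen_password: str) -> bool:
    """The commenter's test: does the email contain the password I chose myself?"""
    return chosen_password in email_body


if __name__ == "__main__":
    chosen = "correct-horse-battery"  # constructed sample password
    for record in (store_plaintext(chosen), store_hashed(chosen)):
        body = compose_order_email(record)
        print(record["scheme"], "->", "LEAKS password" if email_reveals_password(body, chosen) else "safe")
```

    The point of the two `compose_order_email` branches is that the leak is decided at storage time, not at email-writing time: once only a salted hash is on file, no later process, however careless, can quote the password back.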

  17. Anonymous Coward
    Anonymous Coward

    Luckily, I'm with VirginMedia...

    and everyone knows that as a current VirginMedia customer, it's almost impossible to order any additional services via their website.....
