BT website lets anyone upgrade your phone package
By Barry Collins
Posted on 27 Nov 2012 at 09:16
BT's website allows anyone to add paid-for extras to your phone package, using nothing more than your phone number and postcode.
The flaw, discovered by a reader of The Register, allows landline tariffs to be upgraded with various call packages and features such as caller display, without having to once enter a login or password.
Instead, all the user has to enter is the landline number and postcode, which is freely available from sources such as BT's own Phone Book site. It raises the possibility that costly extras could be added to customers' accounts without their knowledge.
BT's Unlimited Anytime Plus costs an extra £8 per month, for example, while adding five calling features can add another £8.40 per month to customers' bills.
BT was unable to comment to PC Pro at the time of publication, but a spokesperson for the company told The Register it wasn't a security hole. "Different levels of security apply to different products," the spokesman said. "Where judged as appropriate, for the purpose of customer convenience we do allow a limited number of services to be ordered online using the phone number and postcode."
A further bug, which displayed the name of the primary account holder at the end of the account upgrade process, has been fixed.
Makes sense... I just had the joy of cancelling a call package on our ADSL lines that no-one here authorised... even then it took BT a while to understand that despite it being good for other clients it was pointless for us (we don't have phones on our adsl lines) and would end up costing us alot more due to the minimum spend requirement in the package contract.
They couldn't even tell me who authorised it.
By JmLing on 27 Nov 2012
Ok so it's not a security hole, it's a hole they dug themselves into.
Seriously, who came up with this because right now it sounds like the plot from a sitcom, not a major services provider.
By tech3475 on 27 Nov 2012
Usual BT practise
I've had calls made to my home address from BT. They ask to speak to the bill payer but if not there anybody will do. When I got the paperwork to find I'd been put on this restricted tariff (one of those that automatically adds 12 months to your account) it was too late to cancel. A few stern words to BT soon got it revoked but the practise stinks.
By gogoguy on 27 Nov 2012
As the advert (nearly) goes.. (not for BT)
I don't have a BT line. Can I have an upgrade?
I would hope not.
By BornOnTheCusp on 27 Nov 2012
Not sure what's more shocking
The security hole exists in the first place, or that BT doesn't consider it a security hole.
If somebody is able to genuinely order something online, then they are able to login with a password to do so - the people who could only enter a postcode and phone number wouldn't choose to genuinely upgrade their account online anyway.
By halsteadk on 29 Nov 2012
- How to check your identity hasn’t been sold to the hackers
- Tim Cook: this is how much TV has changed since the 70s
- Westminster wins the .London battle
- 20 years of PC Pro: from deep pan pizza to virtualisation
- Five reasons why the Apple Watch leaves me cold
- Apple Watch, iPhone 6 and 6 Plus: Tim Cook's Apple back with a bang?
- BT Home Hub 5: how to get maximum speed
- 20 years of PC Pro: one-star reviews (including "the worst tablet we've ever seen")
- 20 years of PC Pro: our best covers
- Why we've closed the PC Pro forums
- How to write your company's IT security policy
- The key to choosing a secure password
- Please stop reposting fake Facebook messages
- Is Facebook safe for business?
- Don't rely on Chrome's password vault
- Facebook Graph Search: don't panic
- Gmail drafts and Pastebin: could they evade the email snoops?
- Applying for a job at GCHQ? Here's your plain-text password
- Google two-step verification: a must for business email
- Yes, I write down my passwords