BT website lets anyone upgrade your phone package
By Barry Collins
Posted on 27 Nov 2012 at 09:16
BT's website allows anyone to add paid-for extras to your phone package, using nothing more than your phone number and postcode.
The flaw, discovered by a reader of The Register, allows landline tariffs to be upgraded with various call packages and features such as caller display, without once having to enter a login or password.
Instead, all the user has to enter is the landline number and postcode, both of which are freely available from sources such as BT's own Phone Book site. It raises the possibility that costly extras could be added to customers' accounts without their knowledge.
BT's Unlimited Anytime Plus costs an extra £8 per month, for example, while adding five calling features can add another £8.40 per month to customers' bills.
BT was unable to comment to PC Pro at the time of publication, but a spokesperson for the company told The Register it wasn't a security hole. "Different levels of security apply to different products," the spokesman said. "Where judged as appropriate, for the purpose of customer convenience we do allow a limited number of services to be ordered online using the phone number and postcode."
A further bug, which displayed the name of the primary account holder at the end of the account upgrade process, has been fixed.
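The two authorisation models the story contrasts can be made concrete. The following is an added example written for this page, not BT's code and not derived from its site: a toy order handler in the weak form the article describes (phone number plus postcode authorise any order, and nobody is recorded as having placed it) beside a hardened form that keeps identifier-only ordering for a low-risk, non-billable action but requires the authenticated account holder for anything that changes the bill. The account, session, service catalogue and prices other than the £8 Unlimited Anytime Plus figure quoted above are constructed sample values.

```python
from dataclasses import dataclass, field
from typing import Optional

# Two authorisation levels. A public identifier (phone number + postcode) is
# accepted for low-risk actions; anything that adds to the bill needs the
# authenticated account owner.
IDENTIFIER_ONLY = "identifier-only"
AUTHENTICATED = "authenticated"

# Constructed service catalogue: required level and monthly charge (GBP).
# The £8.00 package price is the figure the article quotes; the rest is made up.
SERVICE_POLICY = {
    "report fault":           (IDENTIFIER_ONLY, 0.00),
    "unlimited anytime plus": (AUTHENTICATED,   8.00),
    "caller display":         (AUTHENTICATED,   1.75),
}


@dataclass
class Account:
    phone: str
    postcode: str
    owner_user_id: str
    extras: list = field(default_factory=list)
    audit: list = field(default_factory=list)   # who ordered what


@dataclass
class Session:
    user_id: Optional[str] = None   # None = anonymous visitor

    @property
    def authenticated(self) -> bool:
        return self.user_id is not None


def make_demo_account() -> Account:
    # Constructed sample account; the number is in the UK drama (fictional) range.
    return Account("01632960123", "AB1 2CD", "user-42")


def norm(postcode: str) -> str:
    """Normalise a postcode so 'ab1 2cd' and 'AB12CD' compare equal."""
    return postcode.replace(" ", "").upper()


def order_weak(acct: Account, phone: str, postcode: str, service: str) -> str:
    """The pattern the article describes: matching phone + postcode is the only
    check, for every service, and the audit trail cannot name the person."""
    if acct.phone != phone or norm(acct.postcode) != norm(postcode):
        return "rejected: no such account"
    acct.extras.append(service)
    acct.audit.append({"service": service, "ordered_by": "unknown"})
    return "ordered"


def order_hardened(acct: Account, session: Session,
                   phone: str, postcode: str, service: str) -> str:
    """Identifier-only ordering survives for non-billable actions; billable
    changes require a logged-in session that owns the account."""
    policy = SERVICE_POLICY.get(service)
    if policy is None:
        return "rejected: unknown service"
    level, _price = policy
    # For billable services, check the session before touching account data so
    # an anonymous request learns nothing about whether the pair matched.
    if level == AUTHENTICATED and not session.authenticated:
        return "rejected: login required"
    if acct.phone != phone or norm(acct.postcode) != norm(postcode):
        return "rejected: no such account"
    if level == AUTHENTICATED and session.user_id != acct.owner_user_id:
        return "rejected: not the account holder"
    acct.extras.append(service)
    acct.audit.append({"service": service,
                       "ordered_by": session.user_id or "anonymous"})
    return "ordered"


def monthly_extra_charge(acct: Account) -> float:
    """Total monthly charge the ordered extras add to the bill."""
    return round(sum(SERVICE_POLICY[s][1] for s in acct.extras), 2)
```

The point of the split policy is that a phone number and postcode identify an account but do not prove who is asking, so they can only gate actions whose misuse costs the customer nothing. Binding billable orders to an authenticated owner both blocks the anonymous upgrade and gives the audit record a real principal, which is what a customer disputing an unauthorised package needs.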
Explains why....
Makes sense... I just had the joy of cancelling a call package on our ADSL lines that no-one here authorised... even then it took BT a while to understand that despite it being good for other clients it was pointless for us (we don't have phones on our ADSL lines) and would end up costing us a lot more due to the minimum spend requirement in the package contract.
They couldn't even tell me who authorised it.
By JmLing on 27 Nov 2012
Ok so it's not a security hole, it's a hole they dug themselves into.
Seriously, who came up with this because right now it sounds like the plot from a sitcom, not a major services provider.
By tech3475 on 27 Nov 2012
Usual BT practice
I've had calls made to my home address from BT. They ask to speak to the bill payer but if not there anybody will do. When I got the paperwork to find I'd been put on this restricted tariff (one of those that automatically adds 12 months to your account) it was too late to cancel. A few stern words to BT soon got it revoked but the practice stinks.
By gogoguy on 27 Nov 2012
As the advert (nearly) goes... (not for BT)
I don't have a BT line. Can I have an upgrade?
I would hope not.
By BornOnTheCusp on 27 Nov 2012
Not sure what's more shocking
The security hole exists in the first place, or that BT doesn't consider it a security hole.
If somebody is able to genuinely order something online, then they are able to login with a password to do so - the people who could only enter a postcode and phone number wouldn't choose to genuinely upgrade their account online anyway.
By halsteadk on 29 Nov 2012
