back to article blats small privacy bug, ignores GAPING HOLE

BT has squashed a mild website privacy bug reported by a Reg reader - but the telco has refused to address a related issue that allows anyone to add paid-for features to any BT landline. The latter problem, described by the telco as a "customer convenience", can be exploited using just a property's postcode and phone number to …


This topic is closed for new posts.
  1. Anonymous Coward
    Anonymous Coward

    Look it up on BT.COM

    "However the telco giant argued that knowing the phone number and postcode of a property was enough security when it came to adding paid-for options to an account:"

    The BT online phone directory will give you the number and postcode for anyone that is in its search data.

    Not sure whether the paper directory still lists postcodes in people's entries - the new tiny print format is a sort of obfuscation security.

  2. John Smith 19 Gold badge


    So something like this does *not* need a customer reference number.

    AFAIK anyone talking to BT *without* their ref # get the "This is in breach of our data protection responsibilities" BS.

    1. AbortRetryFail

      Re: WTF

      Exactly correct. All you need is the phone number, the postcode, and you have to tick a checkbox confirming you are the account holder. Apparently this last thing is very important, according to BT, and makes it all ok. :o)

  3. The Alpha Klutz

    the BT website is a monument to functional death

    1. Dan 55 Silver badge

      Unfortunately nobody has yet made a monument to the functional death to every single one in the PR department who came up with that reply.

  4. Danny 14

    just sign up BTs board to all the paid for services. Im sure that will help (that is unless they arent with virgin).

    1. David Gosnell

      That occurred to me, but then I suspect they have everything by default anyway, so won't be affected.

    2. Anonymous Coward
      Anonymous Coward

      You probably need to sign up those outside BT to create a fuss. Perhaps a few cabinet ministers, MPs, police commissioners and Fleet Street journalists.

  5. GettinSadda

    How long

    Before someone from Anonymous or similar starts signing up the whole country to these extras?

    I wouldn't put it past them to use a script to do it automatically!

    That would be illegal, and immoral (but then isn't what BT are doing also illegal and immoral?)

  6. Neil Barnes Silver badge


    My father got his incoming calls silently redirected as part of a banking scam earlier this year. Wonder if this is how they did it?

  7. Martin an gof Silver badge

    Related issue?

    When we moved house three-and-a-bit years ago the person who was buying our old house was able to disconnect our BT line without our permission, perhaps a fortnight before the move, simply by ringing a BT call centre. Quite apart from inconveniencing us it made things difficult with the bank, the solicitors, the removal company and the children's school, all of whom had our landline number as first point of contact. Three or four days later our ISP also cut us off because the line was no longer "live".

    Suffice to say we took the opportunity to move away from BT for our new phoneline, but despite all our protestations and communications with BT and (eventually) the regulator, the consensus was "these things happen, sorry, here's a month's rental back". This incident strikes me as very similar. With just a phone number and a postcode a third party was able to take all sorts of action against a phoneline that isn't theirs.

    Have to say we've had great service from our new phone supplier who seem to have a callcentre somewhere on Mersyside with real people answering the phone who actually know what they're talking about and we now use them for our ISP too. For example, "fixed IP sir? No problem" rather than "what's an IP address? Oh, I don't know about that, I'll have to pass you on to someone else".


    1. frank ly

      Re: Related issue?

      I hope you took a dump on the living room carpet before you walked out of the door for the last time.

  8. Androgynous Crackwhore
    Black Helicopters

    I smell a rat...

    I bet BT don't make it nearly so easy to mischievously <i>cancel</i> someone else's "premium services"

    Big Brother

    "The message has to be this: if you care about your privacy,

    do not use BT, Virgin or Talk-Talk as your internet provider." - Ross Anderson

    It should be obvious by now; BT simply don't care about your privacy *at all*.


    1. Anonymous Coward
      Anonymous Coward

      Re: "The message has to be this: if you care about your privacy,

      Thanks town dweller... could you knock us up a nice new shiny fibre for those of us who dont have any choice but BT.

      1. Anonymous Coward
        Anonymous Coward

        Re: "The message has to be this: if you care about your privacy,

        I live in a city, albeit a smaller one. When I moved into a new build a few years back I had one single option. BT. Even now new lines here are BT only, and there's still no cable services installed either.

  10. Anonymous Coward
    Anonymous Coward

    It's not just the Data Protection Act

    While much focus has been given to BT's need to comply with the Data Protection, of more importance is the Privacy and Electronic Communications Regulations - these require telcos to protect the security of services and data and to report any breaches to the ICO. BT should reflect on this and put in place appropriate measures.

  11. Alan J. Wylie

    Typical BT, don't care so long as they profit

    They make money from these features being ordered, so why should they care?

    Nothing has changed from the days when all BT Cellnet asked for was a credit card number + expiry date to top up a PAYG phone, giving rise to the inevitable fraud. If someone didn't question the £30.00 charge on their card, it was all pure profit for IT.

  12. roshanmani

    Bruce Schneier's views?

    Wonder what Bruce Schneier's views are on this matter, being an avid evangelist for privacy and being the Chief Security Technology Officer at BT.

  13. hokum
    Thumb Down

    The Verge

    The Verge is saying they did this and got an order email with the name of the account holder, so BT hasn't really fixed this at all.

  14. JassMan

    Simple solution

    ...set the "Calling Features" of every MP's phone to forward to the CTO for BT (

    Not only will the MPs be pissed that BT allow this to happen (probably have a public enquiry) BT will certainly realise that the problem is slightly more serious than they think. Indeed there appears to be no bar to stop me changing any customers services while sittting here at my laptop in the south of France.

  15. Anonymous Coward
    Anonymous Coward

    Get a grip

    Putting the name in is not great, but it is hardly the end of the world. It is available in the same public place where you can get the telephone number and post code. The telephone directory!

    You can add caller redirect but you can't switch it on or set up the number to redirect to, you need access to the phone to do that.

    They want to make money so they make ordering as easy as possible. If someone mistakenly orders ( not likely to get both items wrong and matching) or maliciously you get an order confirmation so can go in and cancel. I would assume if this happened alot the cost of dealing with the calls to cancel would make then change the system.

    Hardly a gaping hole!

    1. ScaredyCat

      Re: Get a grip

      Not a gaping hole? Really? Does everyone use online billing for BT? No, no they don't. Where are BT magically going to send this confirmation email if they don't have an email address for the account holder?

      Did you even take the time to think this through at all?

      I wonder if I changed the settings on your mother / grandmother's line just for "a bit of a laugh" you'd change your mind. I know mine wouldn't know until the paper bill plopped through the letterbox up to 3 months later.

  16. Anonymous Coward
    Anonymous Coward

    Wot? No Hash?

    I have not long finished speaking to a mate on the phone. He has just requested an upgrade for his business broadband. In one of the follow-up emails he received was the plain text password that he should be using for his BT business account and BT Wi-Fi. Sending plain text passwords in emails is bad enough even if they are a new, randomly generated password that is hashed in some database after dispatching the email.

    However, the password quoted was one that he assigned himself (by changing the default password originally provided) some time ago. So it's pretty darned obvious that BT are storing at least some passwords using symmetric encryption, or worse still, plain text.

    Not so much a technical security issue but more perhaps a DPA one is the fact that with an order ID and potcode one can retrieve his full name, primary email address, BT network user id and other assorted address, email and account/order information, as held by BT. Not exactly earth shattering I grant you, but a somewhat lacking data handling policy nonetheless.

    1. Anonymous Coward
      Anonymous Coward

      Oops, Errata

      "with an order ID and potcode"

      Potcode? Postcode!

  17. Anonymous Coward
    Anonymous Coward

    Luckily, I'm with VirginMedia...

    and everyone knows that as a current VirginMedia customer, it's almost impossible to order any additional services via their website.....

This topic is closed for new posts.

Other stories you might like