Security flaws in BT websites

Midnight_Caller
Rising Star
Posts: 4,143
Thanks: 7
Fixes: 1
Registered: 15-04-2007

Hi All
Just seen this:
[quote="Bitterwallet reader exposes security flaw in BT website"]
A security flaw on BT’s website allows anyone to assume the identity of a BT customer, and have them charged hundreds of pounds. Bitterwallet reader Ray has sent us details of the steps required to view any customer’s current BT package and register an online account in their name. From there, a person is able to set up new packages for the unsuspecting customer – including one-off charges for a year’s line rental.

News Story on:


Thanks to others for spotting this. If you have a BT account for phone or broadband, check your bill carefully for services you didn't order. All that is needed for someone else to mess about with the online account and order stuff on your account, which BT will not further confirm in any way, is a phone number and postcode which match. How many individuals do you know, who have both your phone number and postcode?
From BT:
Quote
We take your privacy very seriously

Oh no you don't
It hasn't surfaced on the BT Community forums.
Meanwhile on BT Community forum:
[quote="THE "MY BT" LOGIN PAGE IS NOT SECURE? (NOT ENCRYPTED)"]
By nomegustamucho
On: 13-11-2010 at 03:00
Er, I just noticed that the login page is not encrypted (https). Why?
see and note http only
http://www.bt.com/appsyouraccount/public/index.do
EXPLETIVE DELETED. Do NOT log in from WiFi hot spots etc.
I do NOT believe it!
BTW I am using firefox on windows XP.
Actually this forum page is not encrypted either. I am about to check if the forum login is!
Update: NO IT ISN'T DOH!

All of this is bad to say the least.
Do not use BT Community forum or BT web site via a wifi hotspot - like BTOpenzone.
3 REPLIES
magnetism2772
Grafter
Posts: 983
Registered: 06-06-2010

Re: Security flaws in BT websites

gee whiz
there is no security @ BT
alanf
Aspiring Pro
Posts: 1,931
Thanks: 77
Fixes: 1
Registered: 17-10-2007

Re: Security flaws in BT websites

If I recall correctly, BT used to require the number of the most recent bill as additional security.
Community Veteran
Posts: 6,280
Thanks: 444
Fixes: 40
Registered: 30-07-2007

Re: Security flaws in BT websites

IIRC you needed the BT Account number (not the phone number) to set up an online account.