Standard User Oliver341
(knowledge is power) Sat 06-Jul-13 10:24:21
Call plan and features options - no security

Not strictly broadband related, but...

does anyone feel BT's "security" for modifying calling plans and calling features is woefully inadequate?

http://www.productsandservices.bt.com/consumerProduc...

http://www.productsandservices.bt.com/consumerProduc...

Phone number and postcode aren't exactly hard to find; many of them are in the phone book, after all, and you may also know the phone number and postcode of people you don't like very much, or you might just do it to random people for the hell of it. Some people are crazy like that.

So the extent of this "security" is a tick box saying "I confirm I am the account holder" which is frankly laughable.

Rectifying an unauthorised change in calling plan or features is a minor inconvenience for the account holder at the very least, quite possibly involving refund requests and the loss of legacy call packages. People do stuff online just because they can, you have to assume that.

It seems to me that this order system was introduced in a time before "My BT" came into existence, so crazy ideas like passwords were never introduced. About time, BT?

Oliver.
Standard User RobertoS
(sensei) Sat 06-Jul-13 11:10:12
Re: Call plan and features options - no security

[re: Oliver341]

I added a calling feature yesterday.

I'm sure it needed me to sign into my account before I could tick that box. But I agree the box itself is just idiotic.

My broadband basic info/help site - www.robertos.me.uk | Domains,website and mail hosting - Tsohost.
Connection - Plusnet UnLim Fibre (FTTC). Sync ~ 53.4/16.8Mbps @ 600m. - BQM

"Where talent is a dwarf, self-esteem is a giant." - Jean-Antoine Petit-Senn.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Allergy information: This post was manufactured in an environment where nuts are present. It may include traces of understatement, litotes and humour.
Standard User Oliver341
(knowledge is power) Sat 06-Jul-13 11:26:20
Re: Call plan and features options - no security

[re: RobertoS]

In reply to a post by RobertoS:
I'm sure it needed me to sign into my account before I could tick that box.

I can log completely out of BT and proceed with a call plan or features order to checkout without needing to be signed in at all.

Oliver.

Standard User yarwell
(sensei) Sat 06-Jul-13 11:31:45
Re: Call plan and features options - no security

[re: Oliver341]

In reply to a post by Oliver341:
I can log completely out of BT and proceed with a call plan or features order to checkout without needing to be signed in at all.

But can you go to a clean computer, like one in a library, and do the same? If not, the risk is limited to people using a browser after you did, and might (?) be resolved by clearing cookies/temp files, using incognito mode or whatever.

--

Phil

MaxDSL - goes as fast as it can and doesn't read the line checker first.

MaxDSL diagnostics
Standard User Oliver341
(knowledge is power) Sat 06-Jul-13 11:36:59
Re: Call plan and features options - no security

[re: yarwell]

In reply to a post by yarwell:
but can you go to a clean computer like a library and do the same ? If not the risk is limited to people using a browser after you did and might (?) be resolved by clearing cookies/temp files/ using incognito mode or whatever.

No, the risk is not limited. I put in a friend's telephone number and postcode and saw what call plan she was on, along with radio checkboxes for other packages and a "next" button. It's a big security hole, good and simple.

Oliver.
Standard User XRaySpeX
(eat-sleep-adslguide) Sat 06-Jul-13 14:09:02
Re: Call plan and features options - no security

[re: Oliver341]

I agree! I have always done/viewed these options while logged into my BT a/c. I never knew you could get at them without any logging in. But if you then proceed with any changes does it then ask you to identify yourself, perhaps by asking for the a/c # which is not publicly available?

Are there any DPA ramifications, as it reveals personal info on products taken and prices paid?

Just looked at a friend's options. How do I tell him he is paying £3.30 pm unnecessarily for Caller Display, w/out being accused of snooping? grin

EDIT: I've just noticed that even if BT plug this free-standing unauthenticated hole you can still get at anybody else's options while you are logged into your own My BT a/c.

1999: Freeserve 48K Dial-Up => 2005: Wanadoo 1 Meg BB => 2007: Orange 2 Meg BB => 2008: Orange 8 Meg LLU => 2010: Orange 16 Meg LLU => 2011: Orange 20 Meg WBC

Edited by XRaySpeX (Sat 06-Jul-13 14:30:21)

Standard User Chrysalis
(legend) Sat 06-Jul-13 14:30:28
Re: Call plan and features options - no security

[re: Oliver341]

In reply to a post by Oliver341:
In reply to a post by RobertoS:
I'm sure it needed me to sign into my account before I could tick that box.

I can log completely out of BT and proceed with a call plan or features order to checkout without needing to be signed in at all.


How did you find that URL?

I can't find a way to get to it from the home page; I had to log in to change mine.

Also what happens after you submit, does it ask for user/pass or just commit it?

BT Infinity 2 Since Dec 2012
Standard User XRaySpeX
(eat-sleep-adslguide) Sat 06-Jul-13 15:11:47
Re: Call plan and features options - no security

[re: Chrysalis]

In reply to a post by Chrysalis:
How did you find that URL?

I can't find a way to get to it from the home page; I had to log in to change mine.

W/out logging in: BT Home / Hover over My BT at top / My Phone / Change my Calling Plan (or Calling Features).

1999: Freeserve 48K Dial-Up => 2005: Wanadoo 1 Meg BB => 2007: Orange 2 Meg BB => 2008: Orange 8 Meg LLU => 2010: Orange 16 Meg LLU => 2011: Orange 20 Meg WBC
Standard User Oliver341
(knowledge is power) Sat 06-Jul-13 22:16:36
Re: Call plan and features options - no security

[re: Chrysalis]

In reply to a post by Chrysalis:
Also what happens after you submit, does it ask for user/pass or just commit it?

On an account I was authorised to make changes to, the telephone number and postcode were the only pieces of information required to change the calling plan or calling features. The order process requires no further pieces of identification before the order is completed. Since most options are billed to the next regular bill, no payment details need to be entered either (with the possible exception of line rental saver if selected).

Oliver.
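The order flow described in this thread (phone number plus postcode selects the account, a tick box "confirms" the holder, nothing else is checked) and XRaySpeX's point that a logged-in user can still read anybody else's options are both instances of the same design fault: the account being read or changed is chosen by attacker-supplied public data rather than by the authenticated session. The Python below is an added illustration written for this page, not BT's code and not anything posted in the thread. It models a weak handler next to a hardened one; the account numbers, phone numbers and postcodes are constructed sample data, and the `session` dict stands in for a server-side session store that a real web framework would populate at login.

```python
"""Added illustration: why "phone number + postcode" does not authenticate a
request, and why every read and write must be bound to the login session.
All account data here is constructed sample data (not real BT accounts)."""

from dataclasses import dataclass, field


@dataclass
class Account:
    account_number: str   # not public: printed only on the bill
    phone: str            # public: listed in the phone book
    postcode: str         # public: listed in the phone book
    calling_plan: str
    features: set = field(default_factory=set)


def make_accounts():
    """Constructed sample data; numbers and postcodes are fictitious."""
    return {
        "A1001": Account("A1001", "01632960100", "AB1 2CD", "Unlimited Anytime"),
        "A1002": Account("A1002", "01632960200", "XY9 8ZW", "Weekend Calls",
                         {"Caller Display"}),
    }


# --- The pattern the thread describes: "security" is knowledge of public data ---

def lookup_weak(accounts, phone, postcode):
    """Select the account by phone + postcode alone. Both values are public, so
    this identifies an account but does not authenticate whoever sent them."""
    for acct in accounts.values():
        if acct.phone == phone and acct.postcode == postcode:
            return acct
    return None


def view_plan_weak(accounts, phone, postcode):
    """Anonymous read: leaks plan and paid-for features to anyone with the number."""
    acct = lookup_weak(accounts, phone, postcode)
    return None if acct is None else (acct.calling_plan, sorted(acct.features))


def change_plan_weak(accounts, phone, postcode, new_plan, confirmed_holder):
    """The tick box 'I confirm I am the account holder' is attacker-controlled
    input, so it adds nothing: anyone who can find the number can change the plan."""
    acct = lookup_weak(accounts, phone, postcode)
    if acct is None or not confirmed_holder:
        return False
    acct.calling_plan = new_plan
    return True


# --- Hardened form: bind every read and write to the authenticated session ---

def authorise(accounts, session, phone, postcode):
    """Resolve the account from the server-side session, never from the request,
    then require that the line named in the request belongs to that account.
    `session` is a stand-in for the framework's session store (assumption)."""
    if not session or "account_number" not in session:
        raise PermissionError("login required")
    acct = accounts.get(session["account_number"])
    if acct is None or (acct.phone, acct.postcode) != (phone, postcode):
        # Same error whether the line exists or not: no enumeration oracle.
        raise PermissionError("line is not on the logged-in account")
    return acct


def view_plan_secure(accounts, session, phone, postcode):
    acct = authorise(accounts, session, phone, postcode)
    return (acct.calling_plan, sorted(acct.features))


def change_plan_secure(accounts, session, phone, postcode, new_plan):
    acct = authorise(accounts, session, phone, postcode)
    acct.calling_plan = new_plan
    return True


if __name__ == "__main__":
    accounts = make_accounts()
    # An anonymous visitor who knows a neighbour's number and postcode.
    print(view_plan_weak(accounts, "01632960100", "AB1 2CD"))
    print(change_plan_weak(accounts, "01632960100", "AB1 2CD", "Weekend Calls", True))
    # The same request against the hardened handler, with no login.
    try:
        view_plan_secure(accounts, None, "01632960100", "AB1 2CD")
    except PermissionError as err:
        print("secure handler:", err)
```

The design point is in `authorise`: the request may name a phone line, but it never gets to name the account. The account comes only from the session established at login, and the line is then checked for membership of that account, which closes both the anonymous case and the "logged in as someone else" case with the same code path.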
Standard User Oliver341
(knowledge is power) Sat 06-Jul-13 22:24:38
Re: Call plan and features options - no security

[re: XRaySpeX]

Just found an old Reg article about it: http://www.theregister.co.uk/2012/11/27/bt_phone_cal...

the telco giant argued that knowing the phone number and postcode of a property was enough security when it came to adding paid-for options to an account

Absolutely incredible really.

Oliver.