Call plan and features options - no security

Not strictly broadband related, but...

does anyone feel BT's "security" for modifying calling plans and calling features is woefully inadequate?

http://www.productsandservices.bt.com/consumerProduc...

http://www.productsandservices.bt.com/consumerProduc...

Phone number and postcode aren't exactly hard to find, many of them are in the phone book after all, and you may also know the phone number and postcode of people you don't like very much, or you might just do it to random people for the hell of it. Some people are crazy like that.

So the extent of this "security" is a tick box saying "I confirm I am the account holder" which is frankly laughable.

Rectifying an unauthorised change in calling plan or features is a minor inconvenience for the account holder at the very least, quite possibly involving refund requests and the loss of legacy call packages. People do stuff online just because they can, you have to assume that.

It seems to me that this order system was introduced in a time before "My BT" came into existence, so crazy ideas like passwords were never introduced. About time, BT?

I added a calling feature yesteday.

I'm sure it needed me to sign into my account before I could tick that box. But I agree the box itself is just idiotic.

In reply to a post by RobertoS:

I'm sure it needed me to sign into my account before I could tick that box.

I can log completely out of BT and proceed with a call plan or features order to checkout without needing to be signed in at all.

In reply to a post by Oliver341:

I can log completely out of BT and proceed with a call plan or features order to checkout without needing to be signed in at all.

but can you go to a clean computer like a library and do the same ? If not the risk is limited to people using a browser after you did and might (?) be resolved by clearing cookies/temp files/ using incognito mode or whatever.

In reply to a post by yarwell:

but can you go to a clean computer like a library and do the same ? If not the risk is limited to people using a browser after you did and might (?) be resolved by clearing cookies/temp files/ using incognito mode or whatever.

No, the risk is not limited. I put in a friend's telephone number and postcode and saw what call plan she was on, along with radio checkboxes for other packages and a "next" button. It's a big security hole, good and simple.

I agree! I have always done/viewed these options while logged into my BT a/c. I never knew you could get at them without any logging in. But if you then proceed with any changes does it then ask you to identify yourself, perhaps by asking for the a/c # which is not publicly available?

Is there any DPA ramifications, as it reveals personal info. of products taken and prices paid?

Just looked at a friend's options. How do I tell him he is paying £3.30 pm unnecessarily for Caller Display, w/out being accused of snooping?

EDIT: I've just noticed that even if BT plug this free-standing unauthenticated hole you can still get at anybody else's options while you are logged into your own My BT a/c.

Edited by XRaySpeX (Sat 06-Jul-13 14:30:21)

In reply to a post by Oliver341:

In reply to a post by RobertoS:

I'm sure it needed me to sign into my account before I could tick that box.

I can log completely out of BT and proceed with a call plan or features order to checkout without needing to be signed in at all.

how did you find that url?

I cant find a way to get to it from the home page, I had to login to change mine.

Also what happens after you submit, does it ask for user/pass or just commit it?

In reply to a post by Chrysalis:

how did you find that url?

I can't find a way to get to it from the home page, I had to login to change mine.

W/out logging in: BT Home / Hover over My BT at top / My Phone / Change my Calling Plan (or Calling Features).

In reply to a post by Chrysalis:

Also what happens after you submit, does it ask for user/pass or just commit it?

On an account I was authorised to make changes to, the telephone number and postcode were the only pieces of information required to change the calling plan or calling features. The order process requires no further pieces of identification before the order is completed. Since most options are billed to the next regular bill, no payment details need to be entered either (with the possible exception of line rental saver if selected).

Just found an old reg article about it: http://www.theregister.co.uk/2012/11/27/bt_phone_cal...

In reference to www.theregister.co.uk/2012/11/27/bt_phone_call_plan_privacy/:

the telco giant argued that knowing the phone number and postcode of a property was enough security when it came to adding paid-for options to an account

Absolutely incredible really.