Call plan and features options - no security

Not strictly broadband related, but...

does anyone feel BT's "security" for modifying calling plans and calling features is woefully inadequate?

http://www.productsandservices.bt.com/consumerProduc...

http://www.productsandservices.bt.com/consumerProduc...

Phone number and postcode aren't exactly hard to find, many of them are in the phone book after all, and you may also know the phone number and postcode of people you don't like very much, or you might just do it to random people for the hell of it. Some people are crazy like that.

So the extent of this "security" is a tick box saying "I confirm I am the account holder" which is frankly laughable.

Rectifying an unauthorised change in calling plan or features is a minor inconvenience for the account holder at the very least, quite possibly involving refund requests and the loss of legacy call packages. People do stuff online just because they can, you have to assume that.

It seems to me that this order system was introduced in a time before "My BT" came into existence, so crazy ideas like passwords were never introduced. About time, BT?

I added a calling feature yesteday.

I'm sure it needed me to sign into my account before I could tick that box. But I agree the box itself is just idiotic.

In reply to a post by RobertoS:

I'm sure it needed me to sign into my account before I could tick that box.

I can log completely out of BT and proceed with a call plan or features order to checkout without needing to be signed in at all.

In reply to a post by Oliver341:

I can log completely out of BT and proceed with a call plan or features order to checkout without needing to be signed in at all.

but can you go to a clean computer like a library and do the same ? If not the risk is limited to people using a browser after you did and might (?) be resolved by clearing cookies/temp files/ using incognito mode or whatever.

In reply to a post by yarwell:

but can you go to a clean computer like a library and do the same ? If not the risk is limited to people using a browser after you did and might (?) be resolved by clearing cookies/temp files/ using incognito mode or whatever.

No, the risk is not limited. I put in a friend's telephone number and postcode and saw what call plan she was on, along with radio checkboxes for other packages and a "next" button. It's a big security hole, good and simple.

I agree! I have always done/viewed these options while logged into my BT a/c. I never knew you could get at them without any logging in. But if you then proceed with any changes does it then ask you to identify yourself, perhaps by asking for the a/c # which is not publicly available?

Is there any DPA ramifications, as it reveals personal info. of products taken and prices paid?

Just looked at a friend's options. How do I tell him he is paying £3.30 pm unnecessarily for Caller Display, w/out being accused of snooping?

EDIT: I've just noticed that even if BT plug this free-standing unauthenticated hole you can still get at anybody else's options while you are logged into your own My BT a/c.

Edited by XRaySpeX (Sat 06-Jul-13 14:30:21)

In reply to a post by Oliver341:

In reply to a post by RobertoS:

I'm sure it needed me to sign into my account before I could tick that box.

I can log completely out of BT and proceed with a call plan or features order to checkout without needing to be signed in at all.

how did you find that url?

I cant find a way to get to it from the home page, I had to login to change mine.

Also what happens after you submit, does it ask for user/pass or just commit it?

In reply to a post by Chrysalis:

how did you find that url?

I can't find a way to get to it from the home page, I had to login to change mine.

W/out logging in: BT Home / Hover over My BT at top / My Phone / Change my Calling Plan (or Calling Features).

In reply to a post by Chrysalis:

Also what happens after you submit, does it ask for user/pass or just commit it?

On an account I was authorised to make changes to, the telephone number and postcode were the only pieces of information required to change the calling plan or calling features. The order process requires no further pieces of identification before the order is completed. Since most options are billed to the next regular bill, no payment details need to be entered either (with the possible exception of line rental saver if selected).

Just found an old reg article about it: http://www.theregister.co.uk/2012/11/27/bt_phone_cal...

In reference to www.theregister.co.uk/2012/11/27/bt_phone_call_plan_privacy/:

the telco giant argued that knowing the phone number and postcode of a property was enough security when it came to adding paid-for options to an account

Absolutely incredible really.

Also incredible is that when you place such an order it asks for an email address for the order acknowledgement, even if you have logged in and there is one on your account.

That gave me some puzzlement, as I couldn't find any emails to the (valid) address on my account yet I have paperless billing. So I gave a different one and received the email. The implication being you could place an order on someone's account and they wouldn't get notification if you gave your own email address.

Edited by RobertoS (Sat 06-Jul-13 23:55:31)

In reply to a post by RobertoS:

Also incredible is that when you place such an order it asks for an email address for the order acknowledgement, even if you have logged in and there is one on your account.

I have never been asked for an email addy when I am logged in while changing options, but it did send confirmations to my registered addy.

Can't speak for the unauthenticated method as I've not been tempted to change anything under it.

in that case it is indeed a sorry state of affairs.

Truly bad, just put in my Mum and Dads no. and I could change their plans. They are also paying £1.70pm less than me for Unlimited calls, they have been with BTsince 1969 so not sure why its cheaper. Taking Dad to hospital in morning so will check their paper bill to verify, if correct I will be on phone for a cheaper rate, LOL.

In reply to a post by davetel:

They are also paying £1.70pm less than me for Unlimited calls

Until 1 July Unlimited Plan was £5.15 pm; since then £7 pm.

£7 - £5.15 = £1.85. Is that the main reason?

May just be a legacy package. I have E & W included in the line rental.

I was pricing the Calling Plan alone, just as BT advertise it on their site.

I believe you have E&W Calling Plan for £0 pm as should be shown under your My BT / Change My Calling Plan (which we all wot of recently ). It is now £2 pm.