Manage your BT account insecurely on-line
Two independent sources that wish to remain anonymous have reported to heise Security that BT's online account management service has a serious flaw. Apparently, anyone in possession of basic information available from a printed phone bill can create a profile from which they can inspect and manage your telephone account, even if you already make use of this service yourself.
A profile can be created merely by providing a user name, password and email address. Although the structure of the email address is validated, no check is made (for example by a mandatory confirmation code sent to that address) that the address is real or under the registrant's control. However, it gets worse. Once a profile exists, it appears that any telephone service account can be added to it merely by entering the phone number and the BT account number, both of which appear on every printed bill. No check is apparently made as to whether another profile already has access to the given account, or even that the profile user name matches the billing account name.
In fairness to BT, if the email address for an existing profile is changed, a warning email is apparently sent to the previous address indicating that a change has been registered. But that warning only covers changes to an existing profile; as no checks seem to be made when either creating a new profile or adding accounts to it, it seems perfectly possible for several profiles to have concurrent access to any given telephone account, with the legitimate holder receiving no notification at all. As call information is premium data for many unauthorised purposes such as telephone cold selling (and indeed potentially for criminal purposes), this would appear to be a serious breach of personal data within the terms of the UK Data Protection Act.
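To make the two missing checks concrete, here is an added example (not code from heise Security, and not BT's system): a toy model of the profile and account-linking flow described above. WeakPortal reproduces the reported behaviour: an email address is trusted as soon as it is well-formed, and any bill whose two printed identifiers are known can be linked with no proof of ownership and no look at who already manages it. HardenedPortal is this editor's suggested set of controls, not anything BT has said it does: a confirmation token mailed to the address, a one-time code sent to the billing address on file before a bill is linked, and a notice to every profile already linked to that bill. The billing data, user names, phone number, account number and the in-memory outbox that stands in for email and post are all constructed for the example.

```python
# Added example, not code from heise Security or BT: a toy model of the flow
# the article describes. WeakPortal reproduces the two missing checks;
# HardenedPortal adds them and tells existing holders about a new link.
# All names, numbers and the outbox standing in for email/post are constructed.
import secrets

# Constructed sample bill: (phone number, BT account number) -> billing name
BILLS = {("020 7946 0001", "GB1234567890"): "J. Customer"}
PHONE, ACCT = next(iter(BILLS))

class WeakPortal:
    def __init__(self):
        self.profiles = {}

    def create_profile(self, username, email):
        if "@" not in email:
            raise ValueError("malformed email")
        # Only the shape is checked: the address counts as verified once it parses.
        self.profiles[username] = {"email": email, "verified": True, "linked": set()}

    def link_account(self, username, phone, account_no):
        if (phone, account_no) not in BILLS:
            raise PermissionError("no such account")
        # No proof of ownership and no check for profiles already on this bill.
        self.profiles[username]["linked"].add((phone, account_no))
        return True

class HardenedPortal:
    def __init__(self):
        self.profiles = {}
        self.outbox = []         # (recipient, message) in place of real mail/post
        self.pending_email = {}  # username -> confirmation token
        self.pending_link = {}   # (username, phone, account_no) -> one-time code
        self.holders = {}        # (phone, account_no) -> {usernames}

    def create_profile(self, username, email):
        if "@" not in email:
            raise ValueError("malformed email")
        self.profiles[username] = {"email": email, "verified": False, "linked": set()}
        token = secrets.token_urlsafe(16)
        self.pending_email[username] = token
        self.outbox.append((email, f"confirm:{token}"))  # must be echoed back to us

    def confirm_email(self, username, token):
        expected = self.pending_email.get(username)
        if expected is None or not secrets.compare_digest(expected, token):
            return False
        self.profiles[username]["verified"] = True
        del self.pending_email[username]
        return True

    def request_link(self, username, phone, account_no):
        if not self.profiles[username]["verified"] or (phone, account_no) not in BILLS:
            raise PermissionError("unconfirmed email or unknown account")
        code = f"{secrets.randbelow(10**6):06d}"
        self.pending_link[(username, phone, account_no)] = code
        # The code is posted to the address BT already holds, not to the requester.
        self.outbox.append((f"post:{BILLS[(phone, account_no)]}", f"link:{code}"))

    def confirm_link(self, username, phone, account_no, code):
        key = (username, phone, account_no)
        expected = self.pending_link.get(key)
        if expected is None or not secrets.compare_digest(expected, code):
            return False
        del self.pending_link[key]
        current = self.holders.setdefault((phone, account_no), set())
        for other in current:  # anyone already managing this bill is told
            self.outbox.append((self.profiles[other]["email"], f"notice:{username}"))
        current.add(username)
        self.profiles[username]["linked"].add((phone, account_no))
        return True

def attacker_on_weak_portal():
    # Mallory holds only a printed bill and a made-up email address.
    portal = WeakPortal()
    portal.create_profile("mallory", "nobody@example.invalid")
    return portal.link_account("mallory", PHONE, ACCT)

def attacker_on_hardened_portal():
    # Same attacker: the token reaches an address she cannot read, so linking is refused.
    portal = HardenedPortal()
    portal.create_profile("mallory", "nobody@example.invalid")
    try:
        portal.request_link("mallory", PHONE, ACCT)
    except PermissionError:
        return False
    return True

def notices_to_first_holder():
    # Alice links her bill; Bob later also passes the postal check; count notices to Alice.
    portal = HardenedPortal()
    for user, mail in (("alice", "alice@example.invalid"), ("bob", "bob@example.invalid")):
        portal.create_profile(user, mail)
        portal.confirm_email(user, portal.outbox[-1][1].split(":", 1)[1])
        portal.request_link(user, PHONE, ACCT)
        portal.confirm_link(user, PHONE, ACCT, portal.outbox[-1][1].split(":", 1)[1])
    return sum(1 for to, msg in portal.outbox
               if to == "alice@example.invalid" and msg.startswith("notice:"))
```

Two caveats worth keeping in mind. The posted one-time code only defeats someone who has seen a single bill; an attacker with ongoing access to the customer's post could still receive it, which is why the notice to profiles already linked to the bill matters as a second line of defence. And the comparisons use secrets.compare_digest so that a token or code cannot be guessed character by character from response timing.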
BT's policy goes on to state: "Please note that your billing account number is a sensitive piece of information, which can be used with your telephone number to find out information about your use of BT's services. Please be sure to keep this information safe, and do not share it with others." However, this get-out clause seems insufficient given the failure of the on-line system to apply basic checks and controls.
One of heise Security's sources has reported this vulnerability to BT, but has so far received no response.