If you’re a smartphone user on British Telecom’s network and you’re using wireless hotspots in public, you’ve opened yourself up to possible fraud and identity theft… and the company has known about this weakness for “years.”

According to an investigative report from The Guardian, volunteers were used in testing that showed holes in the system. Usernames, passwords and messages from phones using Wi-Fi were accessed by security experts during the testing.

This report comes only a week after it was discovered that Apple’s iPhone was tracking users’ whereabouts without them knowing it. The Guardian’s report adds fuel to the fire by indicating that information could be gathered without users knowing it. It also means that such information on users’ smartphones could be accessed even when they weren’t actively browsing the web. If the phone was on, the information was accessible.

British Telecom is the UK’s biggest provider of such “hotspots,” with the number totalling around 2.5 million for its 5 million broadband customers. The company is working on a permanent solution, but there is no indication when it will have one in place.

Professor Peter Sommer, a cyber-security expert at the London School of Economics, was disturbed by the findings.

“This is all very alarming,” he said. “It means that literally millions of people who use Wi-Fi in public could be at risk. If criminals are able to harvest the usernames and passwords of all the websites you visit, they could do significant damage in terms of identity theft and fraud.”

Sommer also offered some sage advice to smartphone owners who want to avoid exposing themselves to such activity.

“The safest route for existing users of mobile phones, particularly if they use BT Fon or Openzone, is to switch off their Wi-Fi when they leave home and only use it on systems they know to be secure – such as at home or at work,” he advised. “Everywhere else you use Wi-Fi – whether in a coffee shop, an airport, a railway station and especially out in the street – you are taking a calculated risk.”