Oh dear. It seems that BT has a bit of a security hole on its hands: one where anybody can order extra features for your phone line, and yes, you would be paying for them until you manage to undo it.
The Register reported a privacy bug that one of its readers had highlighted. Part of the problem has been solved, but a larger issue has yet to be addressed (we checked).
F**k it, we'll do it live!
The initial problem was that phone and calling upgrades could be added on the packages pages of the BT website using nothing more than a postcode and a telephone number. According to the Register, logging in this way initially revealed customers' full names and account details as well.
That disclosure has now been fixed, but it appears you can still add packages to someone's account with only those two details, which are exactly the details a phone directory publishes.
You'll note the little tick-box on the page there, "I confirm I am the account holder". A self-attestation like that doesn't stop anyone who really wants to mess with your account; expect it to be honoured the way minors honestly admit they are under age before streaming adult content on the web, which is to say never.
As you can see from the image below, once you are in you can see the type of calling plan you have and then choose from a bunch of upgrades.
BT gave the Register a statement amounting to the idea that different levels of security apply to different products.
We gave them a call too, and a spokesperson told us the following:
It's only low-level things and it's there for the convenience of the customer. You can't divert calls or anything that would cause major problems. It's a matter of security and convenience to be in balance.
They also said that if this were to happen to a customer, they would get an email notification about the order, which would alert them; they could then call up, say "I didn't order this" and have it changed back. Which doesn't really sound like either security or convenience.
More to the point, BT did not say it would be changing this, as in its view the current balance is the more convenient one for customers. We're guessing customers will decide in the long run how convenient they find it when their accounts are updated without their permission.
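What the article describes is identification being mistaken for authentication: a postcode and a phone number name the line, but they prove nothing about who is typing them, and a tick-box is a promise, not a credential. The following is an added example of ours, not BT's code and not anything from the Register's report. It models that weak flow beside a hardened one: a real login, followed by a one-time confirmation code sent to a contact already on the account before a billable change is applied, instead of a notification email after it. Every account, password, add-on name and code in it is constructed.

```python
"""Added illustration (not BT's code): the weak "identify then self-attest"
pattern beside a hardened flow that authenticates the caller and confirms a
billable change out-of-band before applying it. All data is constructed."""
import hashlib
import hmac
import secrets

_SALT = b"constructed-demo-salt"          # real systems use a per-user salt


def _pw_hash(password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, 100_000)


# Constructed sample account store; 01632 is the UK drama/fiction number range.
ACCOUNTS = {
    "01632960001": {
        "postcode": "AB1 2CD",
        "pw": _pw_hash("correct horse"),      # hypothetical credential
        "plan": "Unlimited Evening",
        "addons": [],
    },
}
SESSIONS = {}   # session token -> phone number, created only by login()
PENDING = {}    # session token -> change awaiting out-of-band confirmation
OUTBOX = []     # stand-in for email/SMS delivery to the account holder


# --- the weak pattern -------------------------------------------------
def weak_add_addon(phone, postcode, confirmed_holder, addon):
    """Postcode and phone number are directory data and the tick-box is a
    self-assertion, so this identifies the line but authenticates nobody:
    anyone with a phone-book entry can add a billable upgrade."""
    acct = ACCOUNTS.get(phone)
    if acct is None or acct["postcode"] != postcode or not confirmed_holder:
        return False
    acct["addons"].append(addon)
    OUTBOX.append((phone, f"Order placed: {addon}"))   # told after the fact
    return True


# --- the hardened pattern ---------------------------------------------
def login(phone, password):
    """Returns a session token only for a real credential (constant-time compare)."""
    acct = ACCOUNTS.get(phone)
    if acct is None or not hmac.compare_digest(_pw_hash(password), acct["pw"]):
        return None
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = phone
    return token


def request_addon(session, addon):
    """Step 1: an authenticated session asks for a billable change. The
    one-time code goes to a channel already bound to the account, never
    back to the requester."""
    phone = SESSIONS.get(session)
    if phone is None:
        return False
    code = f"{secrets.randbelow(10**6):06d}"
    PENDING[session] = {"phone": phone, "addon": addon, "code": code, "tries": 0}
    OUTBOX.append((phone, f"Confirm adding {addon} with code {code}"))
    return True


def confirm_addon(session, code):
    """Step 2: apply the change only on a matching code; single use, three
    attempts, constant-time comparison so the code cannot be guessed cheaply."""
    pending = PENDING.get(session)
    if pending is None:
        return False
    pending["tries"] += 1
    if not hmac.compare_digest(pending["code"].encode(), str(code).encode()):
        if pending["tries"] >= 3:
            del PENDING[session]       # burn the code after repeated misses
        return False
    del PENDING[session]
    ACCOUNTS[pending["phone"]]["addons"].append(pending["addon"])
    OUTBOX.append((pending["phone"], f"Added {pending['addon']} to your plan"))
    return True
```

The point of the second flow is not the password as such; any real authenticator would do. It is that a change which costs the customer money is applied only after a signal that could only have come from the account holder, and the notification arrives before the charge rather than as the customer's first clue.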
Image Credit: Joe Raedle / Getty Images