A security flaw allowing anyone armed with your phone number and correct UK postcode to add services to your BT account has been spotted by The Register. The site showed how easy it was to add additional phone packages to a user's account, but from our testing things may be even worse than initially thought. Using a friend's postal code and phone number — details that are often discoverable through directory enquiries — we were able to add BT Vision, the company's pay TV service, at a one-off cost of £49.00 (added directly to the customer's monthly bill) and an additional monthly fee of £12.50 to his account. Worse still, we used a throwaway email address to order the additional services, meaning he wasn't notified of his apparent purchase through his account email address.
We also received a follow-up email containing our friend's name and address, along with an order tracking number and details of payment. Other secure details, such as payment information, were not included. After the customer logged into his account through the BT website, the order for BT Vision was displayed along with a completion date of December 4th. It's also worth mentioning that there seems to be no way to cancel the order through BT's website, although it should be simple enough to arrange via a call to customer services.
BT told The Register that "different levels of security apply to different products. Where judged as appropriate, for the purpose of customer convenience we do allow a limited number of services to be ordered online using the phone number and postcode." It's not clear what exactly BT considers inappropriate, but we'd imagine most customers wouldn't be happy with a phantom order for pay TV. We called BT to discuss the issues, but haven't received a response at the time of publishing.