A flaw has been discovered in BT’s website that allows anyone to upgrade your BT phone package using just your landline number and postcode. A spokesperson for BT said:
Different levels of security apply to different products. Where judged as appropriate, for the purpose of customer convenience we do allow a limited number of services to be ordered online using the phone number and postcode.
While it’s nice that BT are trying to make it simpler for customers to upgrade their packages, dismissing this issue as merely a “different level of security” is very ignorant: a landline number and postcode are not secrets, and together they are all that is needed to change a customer’s package. What’s stopping a user from having their package upgraded by angry relatives, ex-partners or just hateful people in general? What comeback does the end user have, especially if they fall victim to a malicious person?
An additional bug, which displayed the name of the primary account holder at the end of the upgrade process, has since been fixed. But does this alone not suggest to BT that there is an issue with the process in general? If they are confident that the person performing the upgrade is the user/subscriber, why hide their name?
Source: PC Pro