BT vulnerability leaves customers at risk of unexpected charges
A weakness in BT’s online customer account system has left phone customers at risk of seeing unexpected charges on their next bill, or even being locked into a new one-year contract they did not want.

In order to give customers an easy way to control the services on phone accounts – things like call waiting, call diversion, three-way calling, etc. – BT has a portal where you can log in and add or remove services at will; the resulting cost is then reflected on your next bill.

<Screen image>

However, in order to gain access to the secure customer area, all you need to know is someone’s phone number and postcode. That’s it.

If you don’t know the postcode, there’s even a linked postcode checker that allows you to look it up if you know the rest of the address.

Once you’ve ticked the box declaring that you are the account holder (a self-declaration with nothing behind it to stop you if you’re not), you’re shown a list of active services and others you can add.

<Screen image>

The first option in the list at the time of writing includes 12 months of free Caller Display with BT Privacy, but also locks you into a new 12-month contract and starts to charge you for the service from month 13.

Once you’ve selected the services you want to turn on or off, you enter an email address on the next page – any address will do, it need not be the one on the account – and you’re whisked to a summary of the order, where all that remains is to hit the ‘Place Order’ button.

<Screen image>

With no direct benefit for any potential ne’er-do-wells, there’s probably not a lot to worry about in terms of someone having already fiddled with your service settings, but given how lax security hits headlines week after week, it’s surprising that BT lets you change settings with little more than publicly accessible information.

We contacted BT for comment on the flaw, but haven’t yet heard back from the company with a statement.