BT Web security flaw allows anyone to mess about with your account

A vulnerability in BT's payment system makes it possible for anyone to alter an account that doesn't belong to them. While the damage is limited to adding or removing BT services to the line, consumer tips site Bitterwallet, which discovered the flaw, points out that you could cost someone hundreds of pounds by opting to pay up-front for a phone line, or by adding extra services.

The security flaw appears to be of the same ilk as the "Are you 18?" verification systems on various video sites, which are as useful as a chocolate teapot. By ticking "I am the account holder" and supplying the phone number and postcode -- that's right, a postcode, something freely available to anyone online -- you can make changes.

This is different to the regular BT account sign-up, which requires that you provide extra information, such as an account number and address. Which is the minimum security we think is reasonable for something that could cost you money. After all, there's no reason for most people to check their monthly bills for extra options being added by a random third party.

Alarmingly, no one at BT seemed to care when Bitterwallet tried to raise the issue with them, although we don't know what methods the site used to get in touch. Anecdotal evidence from a thread on Hot UK Deals, which is directly connected to Bitterwallet, suggests that one user tried to call BT to lodge a complaint, and was fobbed off with a fake reference code. It's one thing to have a problem with your website security, but it's quite another to not attempt to fix it when notified.

Crave has tested this, to some extent, and it works, although we stopped short of making alterations to anyone's phone line -- and we did know the person whose line it was.

Update 16 November: BT responded to our request for comment, confirming that some changes can be made to accounts by third parties.

"We want to make online account management as easy as possible for customers," a spokesperson told us. "In order to add items to accounts we ask customers for their telephone number and postcode. Customers are automatically notified of any change to their account using previously agreed, preferred contact details via letter or email.

"If a customer who receives a notification believes, for whatever reason, that they have not made any addition to their account, we would investigate and arrange a cancellation if required."

When asked about billing a year in advance to someone's account, the spokesperson told us you'd need to pay by credit card for that particular service. You can, however, make smaller changes without paying on a card.

So there you have it -- it is possible to tamper with accounts, but BT will rectify the problem if you raise it with them. Notifying people by letter or email is fine, but we don't know why the company allows these changes without proper security precautions.

The word "investigate" is ambiguous too -- it implies that the outcome might not always be in your favour. While we take BT at its word when it says it'll reverse any unwanted alterations, anyone who's ever spoken to BT customer support will know they're in for a world of frustration trying to explain the problem to someone in a call centre on the other side of the world.

What do you think? Does BT's response make sense, or make you more angry?