BT has been slammed for porous security on its website, after it was discovered that anyone armed with a phone number and a UK postcode could add services to any account held with the landline service provider.
The security flaw, spotted by The Register, means it's easy to add additional phone packages to a user's account, as information like phone numbers and postcodes can be found through directory enquiries.The publication even managed to add BT Vision TV service costing £49.99 using a friend's number, postcode and a throwaway email address.
Astonishingly, BT responded by saying that it believes knowing the phone number and postcode of a property was enough security for adding paid-for options to any account.
"Different levels of security apply to different products. Where judged as appropriate, for the purpose of customer convenience we do allow a limited number of services to be ordered online using the phone number and postcode," the firm said in a statement.
However, it did concede that it, "should not have been possible to view the name of the account holder by entering just the phone number and postcode."
It's not the first time that BT has found itself in hot water over lackadaisical security practices. Earlier in the year ITProPortal's own Riyad Emeran suffered a prolonged Internet blackout after a third-party altered his BT account without authorisation or consent. It took the telecoms provider over a month to re-activate his account and get him back online.
Image Credit: Flickr (ell brown)