BT website allows anyone to add services to an account with a phone number and postcode

BT Broadband Logo Building

A security flaw allowing anyone armed with your phone number and correct UK postcode to add services to your BT account has been spotted by The Register. The site showed how easy it was to add additional phone packages to a user's account, but from our testing things may be even worse than initially thought. Using a friend's postal code and phone number — details that are often discoverable through directory enquiries — we were able to add BT Vision, the company's pay TV service, at a one-off cost of £49.00 (added directly to the customer's monthly bill) and an additional monthly fee of £12.50 to his account. Worse still, we used a throwaway email address to order the additional services, meaning he wasn't notified of his apparent purchase through his account email address.


We also received a follow-up email containing our friend's name and address, along with an order tracking number and details of payment. Other secure details, such as payment information, were not included. After the customer logged into his account through the BT website, the order for BT Vision was displayed along with a completion date of December 4th. It's also worth mentioning that there seems to be no way to cancel the order through BT's website, although it should be simple enough to arrange via a call to customer services.

BT told The Register that "different levels of security apply to different products. Where judged as appropriate, for the purpose of customer convenience we do allow a limited number of services to be ordered online using the phone number and postcode." It's not clear what exactly BT considers inappropriate, but we'd imagine most customers wouldn't be happy with a phantom order for pay TV. We called BT to discuss the issues, but haven't received a response at the time of publishing.

The Verge
Log In Sign Up

Log In Sign Up

Please choose a new Verge username and password

As part of the new Verge launch, prior users will need to choose a permanent username, along with a new password.

Your username will be used to login to Verge going forward.

I already have a Vox Media account!

Verify Vox Media account

Please login to your Vox Media account. This account will be linked to your previously existing Eater account.

Please choose a new Verge username and password

As part of the new Verge launch, prior MT authors will need to choose a new username and password.

Your username will be used to login to Verge going forward.

Forgot password?

We'll email you a reset link.

If you signed up using a 3rd party account like Facebook or Twitter, please login with it instead.

Forgot password?

Try another email?

Almost done,

By becoming a registered user, you are also agreeing to our Terms and confirming that you have read our Privacy Policy.



Choose an available username to complete sign up.

In order to provide our users with a better overall experience, we ask for more information from Facebook when using it to login so that we can learn more about our audience and provide you with the best possible experience. We do not store specific user data and the sharing of it is not required to login with Facebook.