The Inquirer-Home

Orange SIM web system was compromised

But apparently only in Fireferret
Saturday, 8 December 2007, 23:01

A READER CLAIMED that Orange's web system for registering phone SIMs was compromised, and that despite his attempts to report the problem, he was repeatedly told customer service is not "outward facing", and that the Executive Office is "closed".

We walked through the process with the reader on the phone, and there was a definite problem which could be linked to the Firefox browser, as we weren't able to reproduce it on Internet Explorer.

When you buy a SIM card these days, you're referred to an Orange web page which asks you to enter the number. After doing that, the system sends a "secret" text message to your phone containing an eight-digit PIN that you're expected to enter into the web page, but in Firefox at least, it had already filled in the form and you only needed to press "Next".

You then got to complete the registration details with your name, address, date of birth and IMEI, which could then be used with customer services to make changes to the account.

But, said our reader, the system was wide open to abuse. Since a large number of phones are sold pre-activated but not registered, it's unlikely that customers have themselves registered, allowing anyone to take over their account, set a PIN, close it etc.

We tried this ourselves, with Firefox, incrementing telephone numbers, and saw that Orange was sending text messages out, based on the problem.

We agreed to hold the story until Orange had undone the interweb SNAFU, to avoid compromising numerous, er, numbers. It undid the Fireferret problem on Friday.

So Orange managed to stop the problem. But perhaps rather than not being "outward facing", next time it should be facing inwards. Because if it can't give its phone numbers for direct security problems on its web site, it is relying on the goodwill of its buyers and the responsibility of journalists to avoid major SNAFUs.

We were expecting a phone call from Orange all day yesterday, but it never materialised. µ

* WE HAVE encountered another serious security problem with O2, which is a developing story, so we won't bother you with that one, yet. Convergence hasn't quite arrived and security people don't seem to work on Saturdays. We're not sure telephone firms understand the "web", yet, making things slightly edgy, as money is involved.


Comments
convergent security

I talked this year to France Telecom who seem to be leaping in a Convergent direction also. They mentioned that they have had serious problems that weren't able to be solved by their Telephone Engineers, nor by their Informatics Enginerds. They had to implement a special task force of people who understand volts and ohms and people who understand C++ and get these "super team" to respond to the network or security emergency. Allegedly.

posted by : David Shaw, 10 December 2007