I had a phone call this morning from a woman claiming to be BT, spouting random stuff about people using my Internet connection without my knowledge because of random IP Address detection. Now, coming from the IT world I knew that this was nonsense and a scam (although it is important to note that a lot of people wouldn't). But I continued to stay on the call and played along a little to see what would happen.
They said they wanted to verify my details and would send me a code to my mobile and could I just confirm the numbers back to them for security purposes. They quoted back to me the 'last few digits' of my mobile number.
Here is where the problems start. The code was sent to my mobile and looks like it came from BT. And worse still, BT themselves do in fact do this as part of their security process. So, it looks like it is legitimate. Of course, I did not give them the code and claimed that was not my mobile number, to which she proclaimed she knew I wasn't the account holder, and when I told her that I knew she wasn't BT, she got into a back and forth about how she knew I wasn't the account holder… very 'professional'.
Anyway, this got me thinking, how had this come about? How did she have my phone number and mobile number, and how was she able to spoof a BT text message (that joined the flow of previous messages from BT in my Messages App, so I was pretty sure it was in fact spoofed well)? After a quick search I found someone on this community (and forgive me, but I didn't take note of the thread) saying that this actually comes from the 'Forgotten Password' function on the BT login.
So, the scammer had just gotten hold of my BT ID and clicked on Forgotten Password, and it sends a code to my mobile phone (quoting the last few digits to the scammer on the webpage so they know to use that).
Right, but how did they get my BT ID?
Turns out, if you go through the process, you can also claim that you have forgotten your BT ID, and instead can use your home phone number.
So, how clever are these scammers? As it turns out, not very clever at all. It isn't that sophisticated.
All they need is a database of BT Phone numbers, then they just spend all day on the 'Forgotten Password' page.
- They phone your BT Phone number
- They claim they are BT
- They click the link to say 'Forgotten Password'
- They quote part of your mobile number back to you to legitimise it
- They ask you for the code that is received
- They log into your account by changing your password, and they're in
This seems 'legit' because BT in fact use the same type of system where they send you a code and ask you to quote it back to them.
2 Factor Authentication at this point becomes a liability, but, when you really boil it down, the true vulnerability here is that they allow you to attempt a login with your BT Phone number, that could be gotten from a Phone Book, and if Ex-Directory, is still sold by so many companies out there looking to try to scam or con you.
If BT STOPPED allowing you to login to change passwords with your BT Phone number, then what do the scammers have?
- They would not have a phone number and a BT ID to even attempt a Forgotten Password
- If they have your BT ID they would not have a phone number to call you on to attempt to get the code from you
- If they have your phone number, they have no BT ID to attempt to use Forgotten Password on
EE currently does not have 2 Factor Authentication, BUT, they also do not allow you to login with a BT Phone Number to reset your password (from what I tried anyway), so even though their login is technically less secure, it is actually MORE secure as there is no way for the scammer to call you, and attempt to login and pretend to be the supplier all at the same time.
So if nothing else, I would urge BT to go to their 'Forgotten Password' section and remove the ability to also 'Forgotten BT ID' and use the BT Phone number instead. It is a huge security flaw and the basis for many scams - because to be honest, if I wanted to, I could go and place a call to a random number in just the same way, do the same things, and gain access to someone's BT account… and all I would need would be a phone number and zero morals.
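As an added illustration of the design point in the post above (this is not BT's code and not part of the original thread): a toy Python model of the two recovery steps, with the landline-based 'Forgotten BT ID' lookup as a switchable setting. The account records, the BT ID format and the three-digit mobile mask are constructed assumptions; the model shows that with the lookup enabled, knowing only a landline number is enough to push a code to the real customer's mobile and learn the masked digits, and that disabling it breaks that chain.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Account:
    bt_id: str
    landline: str
    mobile: str


# Constructed sample customer records (not real numbers or IDs).
ACCOUNTS = [
    Account("alice@example.com", "01234567890", "07700900123"),
    Account("bob@example.com", "01234567891", "07700900456"),
]


def recover_bt_id(landline: str, allow_landline_lookup: bool) -> Optional[str]:
    """'Forgotten BT ID' step: resolves a landline to an ID only if the
    landline lookup is enabled (the setting the post argues should be removed)."""
    if not allow_landline_lookup:
        return None
    for acct in ACCOUNTS:
        if acct.landline == landline:
            return acct.bt_id
    return None


def start_password_reset(bt_id: str) -> Optional[str]:
    """'Forgotten Password' step: in the real flow an SMS code goes to the
    mobile on file; here we only return the masked hint shown on the page
    (assumed format: all but the last three digits masked)."""
    for acct in ACCOUNTS:
        if acct.bt_id == bt_id:
            return "*" * (len(acct.mobile) - 3) + acct.mobile[-3:]
    return None


def otp_reachable_from_landline(landline: str, allow_landline_lookup: bool) -> Optional[str]:
    """Can someone holding ONLY the landline number trigger a code to the
    customer's mobile? Returns the masked hint they would see, else None."""
    bt_id = recover_bt_id(landline, allow_landline_lookup)
    if bt_id is None:
        return None
    return start_password_reset(bt_id)


if __name__ == "__main__":
    print("landline lookup ON :", otp_reachable_from_landline("01234567890", True))
    print("landline lookup OFF:", otp_reachable_from_landline("01234567890", False))
```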
Literally just got off the phone with another one, both came from fake 0161 numbers. Had them on the phone for 7 minutes giving them fake verification codes. In the end I asked if they are using the 'Forgotten Password' option and they hung up.
That's really helpful thank you. What can we do to tighten up our security though?
I'm having a hell of an evening trying to sort out scammers on my BT thing. I'd leave BT in the bat of an eyelid but I live in the middle of nowhere and don't have any choice.