Airtel Prepaid Mobile Customers – forget about your Privacy! Your Call Details are at Risk and is Freely Available to Anyone

Airtel Call HistoryJust yesterday we had written about a flaw in Airtel’s online recharge portal which exposes customers recharge details for a week’s duration. Today we learnt about one more issue – this time with one of Airtel’s IVR system. This loophole allows any Indian mobile user (any operator’s subscriber) to access any Airtel customer’s call/SMS/MMS records, VAS deductions, internet usage details, special five details (friends and family), balance, plan validity and what not?! We have decided not to include the problematic IVR number in the larger interest of Airtel consumers. It must not be difficult for Airtel to figure out the number! The fact that this number is toll-free makes it possible for anyone to check any Airtel customer’s private details for free.

What’s the issue?

You need to reach this toll free number from a non-Airtel number. After choosing the language it asks for an Airtel mobile number. If you dial the number from an Airtel number this option is not provided effectively ruling out your chance of checking someone’s call details. The number provides us the option to check a host of information of mobile, fixed line, digital TV and Airtel Money services. We have limited our study to prepaid mobile services as Airtel happens to be a service provider with majority market share in this segment.

I using my BSNL mobile number (with necessary permissions) checked a teammate’s call history, validity and balance details. In a little over six minutes I had all the necessary handy information which is a major privacy breach for any Airtel customer  -

  1. Call details including the cost of call, called number, date and time of call
  2. Prepaid balance and validity of the Airtel mobile number

I could retrieve all other information like his Special five details but chose not to.

Do you still find it hard to believe this? If yes, here is a recording of the IVR:

In the case of postpaid users the IVR exposes amount due, last few payment details etc. This is not desirable either.

We tested the issue with the permission of our twitter followers:

  1. For Postpaid: @tuhinmehta and our very own @srikapardhi (all other postpaid users are also widely impacted)
  2. For Prepaid: @savyaswaroop and @hari4u (all other prepaid users are adversely impacted)

Our take

We fail to understand why a reputed Indian operator like Airtel are so lax when providing access to account information through IVR. Are these design decisions made by Airtel or some other vendor to whom services are outsourced to?

To get someone’s mobile number blocked, this information is very much sufficient – last five call details, balance and validity. With impersonation being used to commit banking frauds by obtaining duplicate SIM cards we want Airtel or any other operator to be very careful when it comes to protecting customer data.

Finally, hearty thanks to P. Mallikarjun for the tip. Your tip would certainly be appreciated by all Airtel customers.

Update 23:00 hrs IST (26 Jan 2014)

We had emailed Airtel personnel about this issue at 21:00 hrs today and at around 22:30 hrs the issue was fixed. Pretty quick we must say. Although we didn’t receive an official update, we noticed that the issue had been fixed. The faulty IVR was 1800-103-1111 (earlier users were greeted for Airtel Money, now Airtel MNP greeting is played).

Leave a Comment

Your email address will not be published. Required fields are marked *

Current ye@r *

  • chand May 2, 2014 3:33 pm

    I need ma b.f s col detail i got nws tht he z cheating on me pls hlp,me…:’(

    • Vineet May 26, 2014 12:54 pm

      same is happng with me.. my gf cheated on me nd now she is planning to marry some other guy :(
      If get any clue abt how to get details then tell me.. my numbr is 80fivenine20fourone05.
      Its urgent as i hve very less time..

      • Srik June 9, 2014 3:40 pm

        Open an online airtel account by providing her mobile number.

        Then immediatly, one temporary password of her airtel account will be sent to her mobile. you have to get hold of this temporary password. like wise, you can access all the call details for the past 6 months.

  • hemant kumar February 27, 2014 11:08 pm

    Dear sir
    Hardly requet sir my sim is bloked and vary imsrjency numner feeded my sim plz sageson a my 6 month call detail

  • kaushik February 1, 2014 11:01 am

    my goodness! i am airtel customer. i am fearing tht any one of my frnds didnt steal my infos. bcz they are hackers!

  • DUANE January 31, 2014 12:45 am

    Try 1800 103 1111 and see

  • S.Sudhakar January 30, 2014 9:21 pm

    [Moderated]

    telecomtalk itself is tracking its website usage. Then what qualities does the telecomtalk have to comment about the mobile service providers?.

    Think…….

    • Tarun January 30, 2014 9:55 pm

      Sudhakar,

      Let me make some things clear if you are a internet user for long you must be aware that every website which is hosted on server a keeps a log, that log is used to determine if someone is trying to misuse the server so every hit the website gets is logged in the era of DDOS and Internet phishing its required for all websites to keep a log.

      Use your Common sense what is the story about ? The story says airtel is disclosing customers CALL HISTORY which is meant to be for private use did we ever mention Airtel is tracking customers or anything ?

      Let me give you an example :

      You own a shop and has a CCTV camera , the cctv records all activity of your shop which is meant only for your private use like what all stuffs you have in your shop your customers things you stock up in shop. But your CCTV Camera which records all your data has a bug and the data can be viewed by your rival shop or anyone in the world that is what has hpnd in Aitel case .

      so Just dont create or overhype things out of box . Hope this will make things clear .

    • Chethan S January 30, 2014 10:17 pm

      Hi Sudhakar, it’s pretty normal for websites around the web to track/monitor your visits. It is normally done to improve user experience – like suggest relevant content, serve relevant ads etc. I am not sure if you are ignorant of these facts but please try to understand that the world of internet works that way. If you are indeed not aware of these facts, please try learning about basic things like cookies etc. As Tarun rightly commented call history is supposed to be private and after making this post Airtel has made it private.

  • Raghu January 29, 2014 2:44 am

    Thanks to TT team for taking up the issue with Airtel

  • Sachin Pimple January 27, 2014 9:05 pm

    Thanks to P. Mallikarjun and Chethan S.
    Keep it up.

  • manu January 27, 2014 7:20 pm

    telecom talk appreciation is increasing like anything considering the outsiders not understand the acutal facts……

    good…. but dont repeat plz…

  • Abhijit January 27, 2014 12:51 pm

    BSNL online recharge portal is still faulty….

  • Mithilesh January 27, 2014 12:46 pm

    Really eye opener. Lesson fr every telecom operator to opt basic security so that personal information will not exposed to the world.

  • Jagan T January 27, 2014 11:19 am

    Appreciate Telecom Talk and team for this wonderful effort.

  • RAJ January 27, 2014 10:37 am

    Hello,

    Is it possible to get SMS details for any Mobile number officially.?
    Like the number of SMS sent and received and the “CONTENT”.
    Like in case of SIM or phone lost by person trying to retrieve SMS data.

    Can some one reading this Clarify to me.?

  • Amit T January 27, 2014 10:21 am

    appreciate your efforts Telecomtalk.
    though I am not Airtel customer but this is a good lesson to all other service providers.
    Its really bad that for making things quick and easy for customers they are forgetting to provide basic security.

  • Arshad January 27, 2014 12:03 am

    Woo nice work telecomtalk great.well i think it will be only save by signing up to official carrier site and check our account details.

  • Ivan January 26, 2014 10:09 pm

    Oh my god!!! I mean this is so so dangerous it is high time govt put very strict regulations for things like this else airtel and the other service providers will do this again you see this may be an error from their side but hey fine these guys and they will be careful next time.

  • raj January 26, 2014 8:24 pm

    Airtel sends gprs settings everytime we change the sim slot.It’s highly irritating.I use internet packs of airtel & aircel.Since all phones support only 3g in sim1, I will inter change them as required.

    Why don’t airtel send them only when customer request through IVR just like other operators.Spoke to cc about this one week back,till now no resolution.

  • S.Sudhakar January 26, 2014 8:18 pm

    This is not so in Tamilnadu circle.

  • VB January 26, 2014 8:01 pm

    Don worry guys i guess that number is down now!!!

  • Ganesh Srinivasan January 26, 2014 7:55 pm

    OMG! It is very scary

    Can you write to them so that it gets plugged

    • Chethan S January 26, 2014 10:11 pm

      We have already written to them and they are looking into the issue.

  • Adithya Vardhan January 26, 2014 7:36 pm

    I think now the problem has been solved

  • SUVAJIT January 26, 2014 7:24 pm

    Dear TT,

    In Reliance recharge portal you can easily get customer’s title by giving only mobile no by which you can confirm his full name too.

    Thanks

    • umapathi January 26, 2014 7:31 pm

      if the customer had registered in the website then u can get the name if not you cant get the details

      • SUVAJIT January 26, 2014 7:44 pm

        Dear umapathi,

        I think you are telling about account service & that is different. I am telling about prepaid recharge portal. Try as below:

        Goto Reliance mobile: http://www.rcom.co.in/Rcom/personal/home/index.html
        then Instant Recharge
        then give any Reliance subscriber number
        then press “Continue” button
        & you can get his surname easily….

        No need to register yourself or give your email address….
        Anybody pls confirm if I am telling wrong….

        Thanks

        • SUVAJIT January 26, 2014 7:47 pm

          Even if you try to recharge his/her number with any small amount recharge (say Rs 10) you can get his full name too in the receipt copy.

        • S.Sudhakar January 26, 2014 9:47 pm

          This facility was once useful to me when I came to know after recharging that the number which I have bought is not in my name and the pre activated SIM is with me !!!. I complained in pgportal and it solved after several shoutings.

          • pradeep January 27, 2014 3:08 pm

            same me to came to know that my prepaid connection was not in my name inspite of taking the sim from reliance outlet. I complaint to all higher official in reliance but they ask to to change to postpaid so that only address can be changed. changing of address is not avail in prepaid and so finally got irritated and complaining to pgportal…
            finally i got changed after 45 days of my complaint :(

        • Shuvam January 27, 2014 7:23 am

          This piece of info is confirmed and I use it extensively to find out the identity of unknown reliance numbers when truecaller fails. Now its a security breach or not, its a boon for me at least.

  • Hajaiy Nandha January 26, 2014 7:00 pm

    Superb article by ttalk keep it up