Just yesterday we wrote about a flaw in Airtel's online recharge portal which exposes customers' recharge details for a week. Today we learnt about one more issue, this time with one of Airtel's IVR systems. This loophole allows any Indian mobile user (any operator's subscriber) to access any Airtel customer's call/SMS/MMS records, VAS deductions, internet usage details, Special Five details (friends and family), balance, plan validity and more. We have decided not to include the problematic IVR number in the larger interest of Airtel consumers; it should not be difficult for Airtel to figure out the number. The fact that this number is toll-free makes it possible for anyone to check any Airtel customer's private details for free.
What’s the issue?
You need to reach this toll-free number from a non-Airtel number. After choosing the language, it asks for an Airtel mobile number. If you dial the number from an Airtel number, this option is not offered, which effectively rules out checking someone else's call details. The number offers the option to check a host of information about mobile, fixed line, digital TV and Airtel Money services. We have limited our study to prepaid mobile services, as Airtel holds the majority market share in this segment.
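As an added illustration (not Airtel's code; the post says nothing about how their IVR is built), here is the authorization decision behind that prompt, first as the post describes it and then bound to the account being queried with a one-time code sent to that number. The function names, the `caller_on_net` flag (the operator's own trunk tells the IVR whether a call originates on its network) and the OTP mechanism are assumptions.

```python
import hmac
import secrets
import time


def weak_lookup_allowed(caller: str, caller_on_net: bool, target: str) -> bool:
    """The rule the post describes: an on-net caller sees only its own account,
    but an off-net caller gets a prompt and may query any subscriber."""
    if caller_on_net:
        return target == caller
    return True  # nothing binds the caller to the account being queried


class OtpStore:
    """One-time codes delivered (by SMS, assumed) to the number being queried;
    only someone holding that SIM can read them back. Constructed for this example."""

    def __init__(self, ttl_s: int = 120, max_attempts: int = 3):
        self.ttl_s, self.max_attempts = ttl_s, max_attempts
        self._codes = {}  # target -> (code, expiry, attempts_left)

    def issue(self, target: str) -> str:
        code = f"{secrets.randbelow(10**6):06d}"
        self._codes[target] = (code, time.time() + self.ttl_s, self.max_attempts)
        return code  # sent to `target`, never read out to the caller

    def verify(self, target: str, code: str) -> bool:
        entry = self._codes.get(target)
        if entry is None:
            return False
        expected, expiry, attempts = entry
        if time.time() > expiry or attempts <= 0:
            del self._codes[target]  # expired or exhausted: force a fresh code
            return False
        ok = hmac.compare_digest(expected.encode(), code.encode())
        if ok:
            del self._codes[target]  # single use
        else:
            self._codes[target] = (expected, expiry, attempts - 1)
        return ok


def hardened_lookup_allowed(caller: str, caller_on_net: bool, target: str,
                            otp: str, store: OtpStore) -> bool:
    """Serve data only when the caller is bound to the target account: the
    operator's own network asserts caller == target (trusted on-net CLI), or
    the caller returns a code that was sent to the target number."""
    if caller_on_net and target == caller:
        return True
    return store.verify(target, otp)
```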
Using my BSNL mobile number (with the necessary permissions), I checked a teammate's call history, validity and balance details. In a little over six minutes I had all the necessary information handy, which is a major privacy breach for any Airtel customer:
- Call details including the cost of call, called number, date and time of call
- Prepaid balance and validity of the Airtel mobile number
I could retrieve all other information like his Special five details but chose not to.
Do you still find it hard to believe this? If yes, here is a recording of the IVR:
[Recording of the IVR call: https://api.soundcloud.com/tracks/131456082]
In the case of postpaid users, the IVR exposes the amount due, the last few payment details and so on. This is not desirable either.
We tested the issue with the permission of our Twitter followers:
- For Postpaid: @tuhinmehta and our very own @srikapardhi (all other postpaid users are also widely impacted)
- For Prepaid: @savyaswaroop and @hari4u (all other prepaid users are adversely impacted)
Our take
We fail to understand why a reputed Indian operator like Airtel is so lax when providing access to account information through IVR. Are these design decisions made by Airtel, or by some other vendor to whom the services are outsourced?
To get someone's mobile number blocked, this information is very much sufficient: the last five call details, balance and validity. With impersonation being used to commit banking frauds by obtaining duplicate SIM cards, we want Airtel and every other operator to be very careful when it comes to protecting customer data.
Finally, hearty thanks to P. Mallikarjun for the tip. Your tip would certainly be appreciated by all Airtel customers.
Update 23:00 hrs IST (26 Jan 2014)
We emailed Airtel personnel about this issue at 21:00 hrs today, and at around 22:30 hrs the issue was fixed. Pretty quick, we must say. Although we didn't receive an official update, we noticed that the issue had been fixed. The faulty IVR was 1800-103-1111 (earlier, callers heard the Airtel Money greeting; now the Airtel MNP greeting is played).