Airtel Prepaid Mobile Customers – Forget About Your Privacy! Your Call Details Are at Risk and Freely Available to Anyone

January 26th, 2014 at 6:54 PM

Just yesterday we wrote about a flaw in Airtel’s online recharge portal which exposes customers’ recharge details for a week’s duration. Today we learnt about one more issue, this time with one of Airtel’s IVR systems. This loophole allows any Indian mobile user (any operator’s subscriber) to access any Airtel customer’s call/SMS/MMS records, VAS deductions, internet usage details, special five details (friends and family), balance, plan validity and what not?! We have decided not to include the problematic IVR number, in the larger interest of Airtel consumers. It should not be difficult for Airtel to figure out the number! The fact that this number is toll-free makes it possible for anyone to check any Airtel customer’s private details for free.

What’s the issue?

You need to reach this toll-free number from a non-Airtel number. After you choose the language, it asks for an Airtel mobile number. If you dial the number from an Airtel number, this option is not provided, effectively ruling out your chance of checking someone’s call details. The number gives the option to check a host of information about mobile, fixed line, digital TV and Airtel Money services. We have limited our study to prepaid mobile services, as Airtel happens to be the service provider with the majority market share in this segment.

Using my BSNL mobile number (with the necessary permissions), I checked a teammate’s call history, validity and balance details. In a little over six minutes I had all the necessary handy information, which is a major privacy breach for any Airtel customer:

  1. Call details including the cost of call, called number, date and time of call
  2. Prepaid balance and validity of the Airtel mobile number

I could retrieve all other information like his Special five details but chose not to.

Do you still find it hard to believe this? If yes, here is a recording of the IVR:

In the case of postpaid users the IVR exposes amount due, last few payment details etc. This is not desirable either.

We tested the issue with the permission of our Twitter followers:

  1. For Postpaid: @tuhinmehta and our very own @srikapardhi (all other postpaid users are also widely impacted)
  2. For Prepaid: @savyaswaroop and @hari4u (all other prepaid users are adversely impacted)

Our take

We fail to understand why a reputed Indian operator like Airtel is so lax when providing access to account information through IVR. Are these design decisions made by Airtel, or by some other vendor to whom services are outsourced?

To get someone’s mobile number blocked, this information is very much sufficient: last five call details, balance and validity. With impersonation being used to commit banking frauds by obtaining duplicate SIM cards, we want Airtel or any other operator to be very careful when it comes to protecting customer data.

Finally, hearty thanks to P. Mallikarjun for the tip. Your tip would certainly be appreciated by all Airtel customers.

Update 23:00 hrs IST (26 Jan 2014)

We emailed Airtel personnel about this issue at 21:00 hrs today, and at around 22:30 hrs the issue was fixed. Pretty quick, we must say. Although we didn’t receive an official update, we noticed that the issue had been fixed. The faulty IVR was 1800-103-1111 (earlier, users were greeted for Airtel Money; now the Airtel MNP greeting is played).
