Did Airtel put its Online Recharge Customers at Risk by Revealing Mobile Numbers & Handset Details on the Web?

With identity theft and financial fraud incidents growing every year, mobile and internet users have to be vigilant about everything they do online. But whatever we do to safeguard our own data, what can be done when the party responsible for handling that data safely is not careful enough? That was exactly the situation for Airtel customers for a good while. Telcos like Airtel provide reasonably good online facilities, but anyone who thought a little harder could harvest a fair amount of data about their customers: the mobile handset make, the number of recharges done, and so on.

Mobile Handset Details Revealed

If a user requests mobile internet settings from the Airtel website (link omitted on purpose), the confirmation screen displays the model of the handset. That is fine when you are doing it for your own handset; it is certainly not OK when the number keyed in belongs to some random stranger.

[Screenshot: handset make shown on the settings confirmation page]

Trouble factor: someone only needs to key in a phone number and the captcha code. This makes it possible:

  1. For anyone to spam any Airtel number with innumerable settings messages at any time of the day.

  2. The receiver would be clueless as to why settings are being pushed continuously and would be left wondering whether Airtel has gone nuts 😛

  3. Airtel would not be in a position to find the originating computer easily. Even if they manage to trace the IP, the rest of the process would be very lengthy, and by then the damage would be done.

  4. There is also a remote possibility of hi-tech mobile thieves using this method to identify their prey once they get hold of a list of mobile numbers in their area.
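The settings-push form accepts any number plus a captcha, with nothing to stop repeated requests or to help trace them later. The following is an added example, not Airtel's code, of the two controls a defender would want on such an endpoint: a sliding-window limit per recipient number and per client IP, and an audit record of every request so abuse can be traced afterwards. The class name, thresholds and record layout are assumptions for illustration.

```python
"""Throttle and audit for a self-service OTA settings-push endpoint.

Added example (not the operator's code). A request is allowed only if the
recipient number has not already received its quota of settings messages in
the window and the requesting client IP is under its own quota. Every
decision is logged so that a spam run can be traced back to its source.
"""
from collections import defaultdict, deque
import time


class PushThrottle:
    def __init__(self, per_number_limit=2, per_ip_limit=10,
                 window_seconds=3600, clock=time.time):
        # Assumed defaults: two pushes per number and ten per IP per hour.
        self.per_number_limit = per_number_limit
        self.per_ip_limit = per_ip_limit
        self.window = window_seconds
        self.clock = clock            # injectable for deterministic tests
        self._by_number = defaultdict(deque)   # number -> request timestamps
        self._by_ip = defaultdict(deque)       # ip -> request timestamps
        self.audit_log = []           # one entry per request, allowed or not

    def _prune(self, q, now):
        # Drop timestamps that have fallen out of the sliding window.
        while q and now - q[0] > self.window:
            q.popleft()

    def allow(self, mobile_number, client_ip):
        """Return (allowed, reason) for one settings-push request."""
        now = self.clock()
        nq = self._by_number[mobile_number]
        iq = self._by_ip[client_ip]
        self._prune(nq, now)
        self._prune(iq, now)

        if len(nq) >= self.per_number_limit:
            decision = (False, "recipient limit")
        elif len(iq) >= self.per_ip_limit:
            decision = (False, "client limit")
        else:
            nq.append(now)
            iq.append(now)
            decision = (True, "ok")

        # The audit record is what lets the operator answer "who pushed
        # settings to this number, and from where?" after the fact.
        self.audit_log.append({
            "at": now, "number": mobile_number, "ip": client_ip,
            "allowed": decision[0], "reason": decision[1],
        })
        return decision


if __name__ == "__main__":
    t = PushThrottle()
    # Constructed sample: one client IP hammering one constructed number.
    for _ in range(3):
        print(t.allow("98XXXXXXXX", "203.0.113.7"))
```

Captcha alone does not bound the rate at which one number can be targeted; the per-recipient quota does, and the audit log closes the traceability gap described in point 3.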

Check any customer's transaction details/mobile number

Airtel's prepaid recharge website also provides a facility to check transaction details for a one-week period. The site only requires a transaction ID or a prepaid number to show the details. Making things worse is the absence of any second factor of authentication, such as an OTP. Once a user completes a transaction, a transaction ID is generated. Because these transaction IDs were sequential, i.e. the next user anywhere in India would receive the next number as their transaction ID (compare the numbers in the screenshots), anyone could obtain a fair amount of information about a user, including the mobile number, the recharge values and hence his/her usage pattern. Even the mode of payment used is displayed.

[Screenshot: transaction search form]

[Screenshot: transaction status, first transaction (somewhere in India)]

[Screenshot: our transaction (transaction_74)]

[Screenshot: somewhere in India (trans_79)]

A bit of social engineering, such as searching for the mobile number on a Truecaller-like website, will provide the name and location of the user. That search can then be extended to other social networks to obtain further information.

We had written to Airtel about this issue a few days ago, and it appears that they have fixed it now. Readers must note that this issue had been open for months, and we cannot begin to guess how many mobile numbers have fallen into the wrong hands. Who is to blame for this: Airtel or the company that designed the website? Transaction search now requires the mobile number, and Airtel sends an OTP before letting you proceed further.
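The two passages above describe the weakness (a global, sequential transaction counter exposed through an unauthenticated lookup) and the eventual fix (the lookup now demands an OTP sent to the mobile number). The following is an added example, not Airtel's code, that puts both fixes side by side in one small service: transaction references drawn from the OS random generator rather than a counter, and a history lookup that refuses to answer until a single-use, time-limited OTP for that number has been presented. The class, method and field names are assumptions; the OTP is returned to the caller only so the example runs offline.

```python
"""Unguessable transaction references plus OTP-gated lookup.

Added example (not the operator's code). Contrasts a sequential counter,
which lets anyone who knows their own reference N infer that N-1 and N+1
belong to other customers, with a random reference that carries no such
information, and ties every status lookup to proof of control of the number.
"""
import hashlib
import hmac
import secrets
import time

OTP_TTL_SECONDS = 300          # assumed validity window for a one-time code


class RechargeService:
    def __init__(self, clock=time.time):
        self.clock = clock
        self._tx = {}              # reference -> transaction record
        self._otps = {}            # mobile -> (sha256 of code, issued_at)
        self._counter = 0

    # Weak design (what the article describes): a global counter. Kept here
    # only to show what NOT to use as a public reference.
    def _sequential_reference(self):
        self._counter += 1
        return str(self._counter)

    # Hardened design: 128 bits from the CSPRNG, URL-safe, not derivable
    # from any other reference, so the space cannot be walked.
    @staticmethod
    def _random_reference():
        return secrets.token_urlsafe(16)

    def record_recharge(self, mobile, amount, mode):
        """Store a completed recharge and return its public reference."""
        ref = self._random_reference()
        self._tx[ref] = {"mobile": mobile, "amount": amount,
                         "mode": mode, "at": self.clock()}
        return ref

    def request_otp(self, mobile):
        """Issue a six-digit code bound to the number; only its hash is kept."""
        code = f"{secrets.randbelow(10**6):06d}"
        digest = hashlib.sha256(code.encode()).hexdigest()
        self._otps[mobile] = (digest, self.clock())
        return code   # in production this leaves over SMS, never to the web client

    def otp_valid(self, mobile, code):
        entry = self._otps.get(mobile)
        if entry is None:
            return False
        digest, issued = entry
        if self.clock() - issued > OTP_TTL_SECONDS:
            return False
        presented = hashlib.sha256(code.encode()).hexdigest()
        return hmac.compare_digest(digest, presented)   # constant-time compare

    def transaction_history(self, mobile, code):
        """Return this number's transactions, or None if ownership is not proven."""
        if not self.otp_valid(mobile, code):
            return None
        self._otps.pop(mobile, None)           # single use
        return [dict(ref=r, **rec) for r, rec in self._tx.items()
                if rec["mobile"] == mobile]

    def transaction_by_reference(self, ref, code):
        """Lookup by reference still requires the OTP of the number it belongs to."""
        rec = self._tx.get(ref)
        if rec is None or not self.otp_valid(rec["mobile"], code):
            return None
        self._otps.pop(rec["mobile"], None)
        return dict(ref=ref, **rec)


if __name__ == "__main__":
    svc = RechargeService()
    # Constructed sample data: two recharges on two constructed numbers.
    r1 = svc.record_recharge("98XXXXXXX1", 100, "card")
    svc.record_recharge("98XXXXXXX2", 50, "netbanking")
    print("reference:", r1, "lookup without OTP:",
          svc.transaction_history("98XXXXXXX1", "000000"))
```

Note what the random reference does and does not fix: it stops a stranger from walking from their own transaction to the neighbours, but on its own it would still let anyone who obtains a reference (a shared screenshot, a shoulder-surfed receipt) read the record, which is why the lookup is gated on the OTP as well.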

So your data is safe as far as transactions go, but the first issue, the handset model being displayed, is still open. This design flaw on Airtel's side disclosed customer information, usage patterns and mode of payment across categories such as postpaid, fixed line/broadband and digital TV subscribers.

Have you ever received random OTA Settings from Airtel or any other operator?

Update 26 Jan 2014, 11:15 hrs IST

We received an update from Airtel regarding this today:

“At Bharti Airtel, customer satisfaction & feedback has always been of utmost importance. We take these feedback very seriously which has helped us deliver services that are world-class, innovative and affordable making us one of best services brand in the country. We welcome such valuable feedback that helps making our systems and processes more robust.”
Airtel spokesperson

37 Comments on "Did Airtel put its Online Recharge Customers at Risk by Revealing Mobile Numbers & Handset Details on the Web?"

a m
April 22, 2015 9:17 AM

Airtel, both prepaid and postpaid mobile online payment or recharge, gives an error:

Connection Interrupted
The document contains no data.
The network link was interrupted while negotiating a connection.
Please try again.
Try Again

It used to be easy to recharge or pay before, but not since March 2015. Other online payments are going alright, so it cannot be the computer or internet connection.

The cause and solution must be something in the Airtel systems.

sathish
January 31, 2014 2:01 AM

I have a friend of mine who can activate any service of Airtel just with the phone number of the person. Thank god I don't use Airtel!

VINOD PANDEY
January 26, 2014 9:38 PM
Hi, Airtel is one of the big cheater in the Delhi circle, iam activate 3G R.s 655 Data plan per month 3GB at 3G speed after that Unlimited @ 80KBPS through USD via main account balance, before recharging i confirmed (Airtel website, USD , Customer care) then after i activate plan, i have finished 3GB Data in 4 to 5 days after that speed will be according to plan that is 80KBPS Unlimited till plan validity, after 3 to 4 days plan is working upto the mark.,suddenly i saw my internet is connected but iam unable to send & receive… Read more »
VINOD PANDEY
January 26, 2014 10:08 PM
Airtel is one of the cheater Telecom operator in Delhi circle they sell the Data plan double deal manner if you activate 3G R.s 655 plan they told you getting upto 3 GB in 3G speed after that Speed will be Unlimited @ 80 Kbps till plan validity. before activation i confirmed via (airtel site, USD, Customer care) all is ok ,finally i activate the plan via USD using main balance upto 3GB speed upto the mark and after speed will be 80Kbps according to plan, suddenly i saw that my internet is connected but i unable to Send &… Read more »