Did Airtel put its Online Recharge Customers at Risk by Revealing Mobile Numbers & Handset Details on the Web?

By January 25th, 2014 AT 9:57 PM

With ever-growing identity theft incidents and economic frauds, mobile and internet users are required to be very vigilant about whatever they do. Whatever our own attempts to safeguard our data, what can be done if those responsible for handling that data safely are not careful enough? This was exactly the situation for Airtel customers for a good part of the time. While telcos like Airtel provide reasonably good online facilities, someone who thinks a little harder could harvest a decent amount of data about their customers: the mobile handset make, the number of recharges done, and so on.

Mobile Handset Details Revealed

If a user attempts to obtain mobile internet settings from the Airtel website (link not attached on purpose), the confirmation screen displays the model of the handset. This is fine if you are doing it for your own handset; it is certainly not OK that it works for any random phone number you key in.

[Screenshot: airtel_handset_make]

Trouble factor: someone just needs to key in a phone number and the captcha code. This makes the following possible:

  1. Anyone can spam any Airtel number with innumerable settings messages at any time of the day.

  2. The receiver would be clueless as to why settings are being pushed on a continuous basis and will be left wondering if Airtel has gone nuts 😛

  3. Airtel would not be in a position to find the originating computer easily. Even if they manage to trace the IP, the rest of the process would be very lengthy, and by then the damage would be done.

  4. There is also a remote possibility of hi-tech mobile thieves using this method to identify their prey once they get a list of mobile numbers in their area.

Check any customer's transaction details/mobile number

Airtel’s prepaid recharge website also provides the facility to check transaction details for a one-week period. The site requires only a transaction ID or a prepaid number to show the details. Making things worse is the absence of any second factor of authentication, such as an OTP. Once a user completes a transaction, a transaction ID is generated. Since these transaction IDs were sequential, i.e., the next user anywhere in India would receive the next number as their transaction ID (check the numbers in the screenshots), anyone could obtain sufficient information about a user, including mobile number and recharge values, and hence his/her usage pattern. Even the mode of payment used is displayed.

[Screenshot: airtel_transaction_search]

[Screenshot: airtel_transaction_status, first transaction (somewhere in India)]

[Screenshot: transaction_74, our transaction]

[Screenshot: trans_79, somewhere in India]
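To make the design flaw concrete, here is an added illustration (not code from the article or from Airtel's website) of a mock transaction-lookup service: the flawed version hands out sequential integer IDs and returns a record to whoever guesses one, the hardened version issues an unguessable receipt token and only answers for the mobile number that passed an OTP check, and a small log check flags a client walking consecutive IDs. All records, numbers and log lines are constructed.

```python
"""Mock of a prepaid recharge transaction lookup (constructed example)."""
import secrets
from collections import defaultdict

# Constructed store: sequential transaction id -> (mobile, amount, payment mode)
WEAK_STORE = {74: ("98xxxxxx01", 100, "netbanking"),
              75: ("98xxxxxx02", 50, "card"),
              79: ("98xxxxxx03", 200, "card")}

def weak_lookup(txn_id):
    """Flawed design: any caller who supplies an integer ID gets the record.
    Because IDs are sequential, the neighbouring IDs belong to other customers."""
    return WEAK_STORE.get(txn_id)

class HardenedLookup:
    """Hardened design: receipts are identified by a random token that cannot be
    guessed or incremented, and a lookup only succeeds for the subscriber whose
    mobile number has already been confirmed by OTP in the current session."""
    def __init__(self):
        self._by_token = {}

    def record(self, mobile, amount, mode):
        token = secrets.token_urlsafe(24)   # 192 bits of entropy, not sequential
        self._by_token[token] = (mobile, amount, mode)
        return token

    def lookup(self, token, otp_verified_mobile):
        rec = self._by_token.get(token)
        if rec is None or rec[0] != otp_verified_mobile:
            return None   # unknown token, or a token belonging to someone else
        return rec

def sequential_walk_sources(log_lines, min_run=3):
    """Detection: return client IPs whose requested transaction IDs contain a run
    of at least `min_run` consecutive integers, the signature of ID enumeration.
    Constructed log format: "<client_ip> <txn_id>" per line."""
    ids = defaultdict(list)
    for line in log_lines:
        ip, txn = line.split()
        ids[ip].append(int(txn))
    flagged = []
    for ip, seen in ids.items():
        run = 1
        seen.sort()
        for prev, cur in zip(seen, seen[1:]):
            run = run + 1 if cur == prev + 1 else 1
            if run >= min_run:
                flagged.append(ip)
                break
    return flagged
```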

A bit of social engineering, such as searching for the mobile number on a Truecaller-like website, will provide the name and location of the user. The search can then be extended to other social networks to obtain further information.

We had written to Airtel about this issue a few days ago, and it appears that they have fixed it now. Readers must note that this issue had been open for months, and we cannot tell how many mobile numbers have fallen into the wrong hands. Who is to blame for this: Airtel, or the company that designed the website? Transaction search now requires the mobile number, and Airtel sends an OTP before proceeding further.

So your data is safe in terms of transactions, but the first issue, the handset model being displayed, remains open. This design flaw on Airtel's part has disclosed customer information, usage patterns and mode of payment across categories such as postpaid, fixed line/broadband and digital TV subscribers.

Have you ever received random OTA Settings from Airtel or any other operator?

Update 26 Jan 2014, 11:15 hrs IST

We received an update from Airtel regarding this today:

“At Bharti Airtel, customer satisfaction & feedback have always been of utmost importance. We take this feedback very seriously, which has helped us deliver services that are world-class, innovative and affordable, making us one of the best service brands in the country. We welcome such valuable feedback that helps make our systems and processes more robust.”
Airtel spokesperson

a m

Airtel both prepaid and postpaid mobile online payment or recharge gives error:

Connection Interrupted
The document contains no data.
The network link was interrupted while negotiating a connection.
Please try again.
Try Again

It used to be easy to recharge or pay before, but not since March 2015. Other online payments are going alright, so it cannot be the computer or internet connection.

The cause and solution must be something in the Airtel systems.

sathish

I have a friend of mine who can activate any service of Airtel just with the phone number of the person, thank god I don’t use Airtel!
