Lack of proper security in MTN’s e-billing platform means anyone can randomly access the confidential details of the operator’s customers, including their itemised billing information.
The problem, which an alert reader brought to TechCentral’s attention last week, is now being plugged by the mobile operator, which has promised to have a temporary solution in place by the end of the week — while it works on a permanent fix it hopes to have ready by the end of the month.
The reader identified two main problems. The first is that the e-billing platform was not encrypted (it used http instead of https). This was quickly fixed by MTN after TechCentral brought the issue to the company’s attention.
The second problem is that no login or confirmation of identity is required — just a simple hash string is appended to the e-billing URL — meaning anyone can guess the string and potentially bring up user information at random.
As a temporary fix, ahead of implementing a proper login system in the coming weeks, MTN plans to increase the length of the hash string dramatically, making it much harder to hit a valid string by random guessing and in that way gain access to customer information.
It must be noted that it is not possible to search for a specific user's data, only to bring up customer billing information at random by guessing hash strings.
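To make the guessing arithmetic concrete, here is an added example (not MTN's code and not from the article): it models a link store where billing records are keyed by the hash of a random token, and computes how many random guesses an 8-character hex token versus a 32-byte random token is expected to survive given the number of live links. All names and values are constructed.

```python
import hashlib
import math
import secrets


def token_bits(alphabet_size: int, length: int) -> float:
    """Entropy (bits) of a uniformly random token of `length` symbols."""
    return length * math.log2(alphabet_size)


def expected_guesses_to_any_hit(bits: float, live_tokens: int) -> float:
    """Expected number of random guesses before landing on *some* live token.
    A random guess is not aimed at one user; it succeeds if it matches any of
    the live_tokens issued, so the per-guess hit chance is live_tokens / 2**bits."""
    return (2.0 ** bits) / live_tokens


class BillingStore:
    """Constructed stand-in for an e-billing lookup: records are keyed by the
    SHA-256 of a high-entropy token, so a dump of the table yields no usable links."""

    def __init__(self) -> None:
        self._records: dict[str, dict] = {}

    @staticmethod
    def _key(token: str) -> str:
        return hashlib.sha256(token.encode("ascii")).hexdigest()

    def issue(self, record: dict, nbytes: int = 32) -> str:
        token = secrets.token_urlsafe(nbytes)  # 256 bits from the OS CSPRNG
        self._records[self._key(token)] = record
        return token

    def lookup(self, token: str):
        # A wrong guess simply finds no key; nothing about the miss is revealed.
        return self._records.get(self._key(token))


def compare_designs(customers: int = 1_000_000) -> dict:
    """Expected random guesses per hit: 8 hex chars (32 bits) vs 32 random bytes (256 bits)."""
    return {
        "8_hex_chars": expected_guesses_to_any_hit(token_bits(16, 8), customers),
        "32_random_bytes": expected_guesses_to_any_hit(256, customers),
    }
```

With a million live links, the 32-bit design falls to a few thousand random requests, which is why lengthening the string is only a stopgap until real authentication is in place.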
Until the permanent fix is applied, TechCentral’s reader believes MTN is in breach of its own privacy policy, which states explicitly that “access to your personal information on MTN websites, mobile applications, products and services will be password protected”.
“Since the documents available online include addresses, cellphone numbers and most importantly itemised billing, this is potentially a major breach of their customers’ privacy and confidentiality,” he says.
“My concern is that as long as you have that hash string, you can access my account. So, if you gain temporary access to my e-mail, you can get that string. And e-mail is hardly the most secure form of communication as it is.”
MTN South Africa chief information officer Neil Tomkinson says the company implemented Secure Sockets Layer encryption on the e-billing website at the weekend and will have increased the size of the user strings by the weekend to make them much more difficult to guess.
An authentication system using passwords should be in place by the end of the month. — © 2015 NewsCentral Media
- See update: MTN shuts down e-billing portal