MTN South Africa has shut down its e-billing portal until security concerns have been addressed, the mobile operator said on Friday.
“This has been implemented with immediate effect and customers will receive their bills via e-mail as an interim measure,” a spokesman said.
The decision to shut down the e-billing website follows a report published by TechCentral on Thursday, which revealed that lack of proper security meant anyone could randomly access the confidential details of the operator’s customers, including their itemised billing information.
The problem was brought to TechCentral’s attention by an alert reader, who asked to remain anonymous.
The reader identified two main problems. The first was that the e-billing platform was not encrypted. This was quickly fixed by MTN after TechCentral brought the issue to its attention.
The second problem was that no login or confirmation of identity was required — just a simple hash string was appended to the e-billing website address — meaning anyone could guess the string and potentially bring up user information at random.
As a temporary fix, MTN had planned to increase the length of the hash string dramatically to make it much more difficult to make random guesses and in that way get access to customer information. This would be ahead of a permanent solution involving the implementation of a username and password login system.
The company has now decided to take the system offline until a secure solution has been developed.
TechCentral’s reader had warned that MTN was in breach of its own privacy policy, which states that “access to your personal information on MTN websites, mobile applications, products and services will be password protected”.
“Since the documents available online include addresses, cellphone numbers and most importantly itemised billing, this is potentially a major breach of their customers’ privacy and confidentiality,” he said. — (c) 2015 NewsCentral Media
