BT 2 factor authentication turned off, account compromised

Hi, 

10 days ago I got a text from BT saying I'd changed my BT ID password. I hadn't. 
Frantic call to them. Unable to login to 2 out of 8 email accounts. 
All passwords changed, settings checked. 
I was told their tier 2 team would look into the matter as the 2 step authentication hadn't kicked in.
Didn't hear back for 10 days so called them today. 

2 step has been off since June apparently, when I'd contacted them with an email issue. 
They will review the phone conversation etc, but I'm pretty certain that I wasn't informed they were turning it off and I wasn't told to turn it back on. 

The guy today said any hacker would have used a VPN to try and login and BT would have viewed that as suspicious and locked my account. Original guy who spent two and a half hours on the phone with me never mentioned this. So unclear if accounts were accessed or not. They must have a record of locking my account if they did, so matter being referred to their trust and safety team... 

I have quite genuinely only just started online banking, as I was always concerned about security; I literally set up the extra email accounts so that each banking institution had a dedicated email address separate from my main one.
Here I am taking all precautions I can think of only to find 2fa has been off since June and the BT ID password was compromised which therefore could have affected all the email accounts. 

While it seems like all is well as far as I can tell so far, this is a pretty serious/negligent? lapse, what would you expect BT to do in this case? 
I find it incredibly awkward making complaints about such matters and potentially being asked what would resolve the complaint as I don't really know and until today's conversation I believed my main email account was actually accessed (we will see if it was locked or not potentially if they can tell me). 

Any thoughts welcome... 


Comments

  • I am in 100% agreement with your comments about negligence. 
    Our family "MY BT" account was compromised a month ago. The scammer bypassed what, in hindsight, turns out to be very weak security questions with answers easily available via the electoral roll or already on the dark web. Basic questions like DOB or Account Number or Home Address. BT are telling me I did not have 2FA turned on, which I dispute with them. I subsequently have been trying to get BT's 2FA to work. On BT's own user forum BT discuss a new 2FA installed Feb 2024 which balances user experience with security. Basically they claim to have special criteria (trusted device etc) which prevents 2FA from prompting. So I experimented and logged on to the MY BT account via different computers, mobiles, iPads, different locations, different browsers, different Wi-Fi, 5G and 4G only. Each time I was NEVER prompted for 2FA. I also have access to and manage my mother's BT Account. I was able to replicate what the scammer did (via online chat) and change the mobile phone and ID - all without being prompted for 2FA. If you change the account password, 2FA still does not prompt you. It's incredible.

    I'm awaiting BT's response to all this. I believe their security position is very poor and has not kept up with the sophisticated technology used by scammers and hackers. BT declined to accept my view - no surprises there.

    After our MY BT account was compromised (mobile and ID changed by the scammer) I then had £1800 spent on our credit card at John Lewis and I'm now having to pay Experian £11 per month to monitor my identity.  

    I don't feel awkward asking questions. I've worked in Cyber Security for many many years and spoken to many colleagues who, whilst not being overly surprised, are equally horrified. When BT do conclude and provide their position, I will be taking it to the Ombudsman and ICO.

    BT have 25 million consumer customers - it needs a platform like MSE and Martin to shout it out there, even if it helps all users make their accounts more secure by changing security questions and passwords. 

    Also interestingly, BT have hidden behind GDPR when I asked multiple questions about the conversation the scammer had with their representative. It was clearly my personal information that was discussed, yet GDPR gives protection to the scammer/hacker and not the person who had his/her identity stolen.
  • caper7
    Thanks for answering. 
    I have been given such conflicting information by different people at BT, I'm not even sure an actual complaint has been logged at this point. 
    I have had other things to deal with, so haven't pursued things for the last couple of weeks. 
    I will have to get back to dealing with this and perhaps put a complaint in writing. 
    I don't hold out much hope given your experience. 
    I hope you have some luck with the ombudsman. 
  • fwor
    "Also interestingly, BT have hidden behind GDPR when I asked multiple questions about the conversation the scammer had with their representative. It was clearly my personal information that was discussed, yet GDPR gives protection to the scammer/hacker and not the person who had his/her identity stolen."
    You have to bear in mind that this may not (from BT's point of view) be quite as simple as it appears. Hackers have a very long-held reputation for using "social engineering" to leverage a limited amount of information that they have about a compromised account to get more information - and one of those techniques is to phone up and pretend to be the outraged owner of the account.

    So although BT may appear to be "hiding behind" GDPR, it may be that their security procedures tell them to use this as a more palatable way than saying to the customer "we cannot be completely certain that you are who you say you are".
