cellphone terror – brought to you by KPN

This afternoon a co-worker was getting several text messages on his mobile phone that profoundly puzzled him. The text messages were from KPN and said that, unfortunately, his subscription could not be extended. The fact that this message was sent without any action on his part was surprising.

There was however something that puzzled him even more: his cellphone subscription runs through Vodafone.

After receiving 5 of these messages, another co-worker was unable to contain his snickering and explained that he was responsible for the messages. He pointed out that if you go to the KPN website you can check whether you can extend your subscription. This is not in the customer portal, where you might expect it, but on the homepage, which is accessible to everyone. By just entering a Dutch cellphone subscriber number you automatically have the system SMS the person in question, regardless of which network the subscriber uses.

The fact that a large company such as KPN would be so shortsighted as to put a feature like that on the homepage simply left me dumbstruck.

First of all, there is a customer portal where people already maintain all their running subscriptions and services, which would have been a better place for such a check. Putting something like this on the homepage makes absolutely no sense to me.

But if for some silly reason you want to have this on your portal, at least make sure that it is a sound system. The implementation of this check seems to lack any form of security whatsoever: the check fires blindly on any subscriber number, regardless of whether it belongs to a KPN subscriber or not, and seemingly puts no (or too lax) restrictions on running this check multiple times, making it very vulnerable to abuse.
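To make the missing controls concrete, here is an added example of my own, not KPN's code and not a model of their actual system: a stub SMS gateway and a constructed subscriber table, with the blind-firing check next to a hardened version that only texts a number the authenticated caller actually owns, validates the number format, and rate-limits both the caller and the target number.

```python
"""Added example: a blind-firing 'can I extend?' check versus a hardened one.

Everything here is constructed for illustration: the subscriber table, the
SMS gateway (which records instead of sending) and the limits chosen.
"""
from collections import defaultdict, deque
import re
import time

# Constructed sample subscriber base: the provider's own customers only.
SUBSCRIBERS = {
    "0612345678": {"customer_id": "c-1", "extendable": False},
    "0687654321": {"customer_id": "c-2", "extendable": True},
}

# Dutch mobile numbers: 06 followed by eight digits (assumed format check).
DUTCH_MOBILE = re.compile(r"^06\d{8}$")


class SmsGateway:
    """Stub gateway: records what would have been sent instead of sending."""

    def __init__(self):
        self.sent = []

    def send(self, number, text):
        self.sent.append((number, text))


def extension_text(sub):
    if sub and sub["extendable"]:
        return "Your subscription can be extended."
    return "Unfortunately your subscription cannot be extended."


def weak_check(gateway, number):
    """The design the post criticises: no authentication, no ownership
    check, no rate limit. Any number entered gets an SMS. Returns True
    whenever a message was handed to the gateway."""
    gateway.send(number, extension_text(SUBSCRIBERS.get(number)))
    return True


class RateLimiter:
    """Sliding-window counter: at most max_hits per key within window_s."""

    def __init__(self, max_hits, window_s):
        self.max_hits = max_hits
        self.window_s = window_s
        self._hits = defaultdict(deque)

    def allow(self, key, now=None):
        now = time.monotonic() if now is None else now
        q = self._hits[key]
        while q and now - q[0] > self.window_s:
            q.popleft()
        if len(q) >= self.max_hits:
            return False
        q.append(now)
        return True


class HardenedCheck:
    """Same feature, but behind the controls the post says are missing."""

    def __init__(self, gateway, per_caller=None, per_target=None):
        self.gateway = gateway
        # Assumed limits: 3 checks per caller per hour, 1 SMS per target per day.
        self.per_caller = per_caller or RateLimiter(3, 3600)
        self.per_target = per_target or RateLimiter(1, 86400)

    def check(self, caller_id, number, now=None):
        # 1. Reject malformed input before touching any data.
        if not DUTCH_MOBILE.match(number):
            return "invalid"
        # 2. The authenticated caller must own this subscription. Unknown
        #    numbers and numbers owned by someone else get the same answer,
        #    so the endpoint cannot be used to enumerate subscribers.
        sub = SUBSCRIBERS.get(number)
        if sub is None or sub["customer_id"] != caller_id:
            return "denied"
        # 3. Throttle per target number and per caller.
        if not self.per_target.allow(number, now):
            return "rate_limited"
        if not self.per_caller.allow(caller_id, now):
            return "rate_limited"
        # 4. Only now does an SMS leave the system.
        self.gateway.send(number, extension_text(sub))
        return "sent"


if __name__ == "__main__":
    gw = SmsGateway()
    for _ in range(5):
        weak_check(gw, "0699999999")      # not a customer, still texted 5 times
    print("weak design sent:", len(gw.sent))
    gw2 = SmsGateway()
    h = HardenedCheck(gw2)
    print(h.check("c-9", "0699999999", now=0.0))   # denied
    print(h.check("c-2", "0687654321", now=0.0))   # sent
    print(h.check("c-2", "0687654321", now=1.0))   # rate_limited
```

The ownership check is the control that matters most: once the caller has to be logged in as the subscription's owner, the result could simply be shown in the portal and the SMS becomes optional. The rate limiter is a second layer so that even a legitimate customer cannot turn the feature into a flood.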

This system provided by KPN is just begging to be abused for some good old-fashioned digital mischief. So all you pranksters can have a field day. Just remember to send KPN a thank-you note.