A brand new service from Pakistan Telecommunications Limited (PTCL), the only fixed line operator in Pakistan, allows you to view a PTCL subscriber’s telephone bill! In most cases all you need to know is the phone number, which means that you can view almost anyone’s telephone bill online!
First go to PTCL’s billing area and enter the complete telephone number.
Then in the account ID field you enter your account ID from your PTCL bill. If you don’t know the account ID try this PTCL account ID generator:
Once you’ve entered the phone number and account ID click on the search button and your bill will (hopefully) be displayed. Below you can see an example of a bill for an NIB bank office! But in theory you can view anyone’s bill.
To say the least this service by PTCL is a serious violation of privacy. Although PTCL does not display the actual phone numbers called, it does display things like the National Tax Number and the address.
The Karachi Electricity Shortage Supply Company (KESC) also has a similar online bill viewing service. But they require you to enter your account number to view your bill. This is safer than PTCL’s service but far from ideal. They should password protect the bill viewing section and only allow subscribers who sign up for this facility to view their own bill.
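The fix recommended above, sketched as an added example that is not code from the original post or from PTCL or KESC: a lookup that treats identifiers printed on the bill as the only check, beside one that requires an opted-in subscriber to log in and returns only that subscriber's own bill. All names, numbers and data here are hypothetical and constructed for illustration.

```python
import hashlib, hmac, os, secrets

# Constructed sample data: two subscribers, one bill each (all values invented).
BILLS = {
    "0215550001": {"account_id": "A-1001", "owner": "alice", "amount_due": 1450},
    "0215550002": {"account_id": "A-1002", "owner": "bob", "amount_due": 320},
}
USERS = {}     # username -> (salt, password hash), filled only by enroll()
SESSIONS = {}  # session token -> username

def _hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)

def enroll(username, password):
    """Opt-in sign-up: only enrolled subscribers get online bill access."""
    salt = os.urandom(16)
    USERS[username] = (salt, _hash(password, salt))

def login(username, password):
    """Return a random session token on success, None otherwise."""
    # Unknown users still cost one hash, so timing does not reveal who is enrolled.
    salt, stored = USERS.get(username, (b"\0" * 16, b""))
    if not hmac.compare_digest(stored, _hash(password, salt)):
        return None
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = username
    return token

def view_bill_weak(phone, account_id):
    """Pattern the post criticises: knowing two identifiers is the whole check."""
    bill = BILLS.get(phone)
    return bill if bill and bill["account_id"] == account_id else None

def view_bill_hardened(token, phone):
    """Return a bill only to the logged-in subscriber who owns that line."""
    user = SESSIONS.get(token)
    bill = BILLS.get(phone)
    if user is None or bill is None or bill["owner"] != user:
        return None  # same answer for "no such bill" and "not your bill"
    return bill
```

The ownership comparison in `view_bill_hardened` is the part that matters: a password page alone would still let any logged-in subscriber request someone else's number.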
Pakistan is the country with the world’s largest biometric (fingerprint) database of its citizens, managed by a government agency called NADRA. Data on some 90 million individuals is stored in NADRA’s database. So one should not expect privacy in such a country. NADRA has a service whereby you can SMS an individual’s Computerized National Identity Card (CNIC) number to 7000 and get a reply containing their full name!
While all of these little bits of data might sound harmless, you can piece together a pretty good profile of an individual from them. You can infer things about the subscriber’s financial position by looking at his phone or electricity bill. How rich is he? Does he pay his bills regularly or does he have cash flow problems? Does he make a lot of calls overseas or not? Or simply whether the person is currently at home or on vacation!
Obviously web services should not be implemented like this. You don’t just expose your subscribers’ information online like this.