I noticed today that I could download my Spark Mobile bill using a link directly from the website, without logging into the customer zone. I tried again in another web browser I rarely use, to confirm it.

What I've noticed is there's no real security around customer information such as name, address, account number, and usage. If you can guess the URL you get access to the customer information. Sure, it's a difficult URL to guess, but brute force could work it out (unless they notice and cut you off).

https://www.spark.co.nz/viewer/GetBillImage?url=a1a1a1a1a1a-a1a1a-a1a1a-abcd-aaa05643543a32

I guess it's a trade off between making it easy for customers to get their bill and customer security - though logging in to customer zone isn't a huge deal for most people. Attaching the bill to the email would be a bit more secure, I guess, though email is more like a postcard and isn't really secure. Problem with the the bills is they put big images in the pdf which make the emails quite large to download (400kb).

Any thoughts from others? Because the URL is very difficult to guess it's not a real concern to me, so long as it's not in some kind of repeating pattern or formula that makes it too easy. I'd rather not have my information online with no authentication required to view it though.