Bruce Schneier blogged on the fact that you can now unlock an O2 mobile phone by visiting the website and entering a valid phone number.
I agree with Bruce that this is an issue since the website does not ask for authentication. However, it is also making the assumption that if you have stolen a mobile phone, you know the number of the phone, which you need in order to get the PUK.
I would suspect (and I may be wrong on this) that if you have stolen a phone, entered the PIN incorrectly 3 times and therefore locked the phone, the chances are you don’t know the number of the phone anyway. Under these circumstances you would therefore not be able to unlock the phone via the website.
Of course, this doesn’t account for those people who write their mobile number on the back of the phone so they don’t forget it!! You just can’t educate some people 🙂