topic Re: Why hasn't EE enabled 2FA on MyEE accounts? in Security

Why hasn't EE enabled 2FA on MyEE accounts?

Funk — Sun, 24 Sep 2023 23:28:37 GMT

I see several years-old posts asking about 2FA - why hasn't this been implemented yet? A simple username/password combo is NOT good enough.

Come on EE - this is 'security 101' stuff.

Re: Why hasn't EE enabled 2FA on MyEE accounts?

James_B — Tue, 03 Oct 2023 12:45:42 GMT

Hi @Funk,

We have strict security measures in place to protect your account. You can view our privacy policy here: https://ee.co.uk/eeprivacycentre/ee-privacy-policy

James

Re: Why hasn't EE enabled 2FA on MyEE accounts?

JustinUK — Tue, 26 Sep 2023 13:26:52 GMT

James,

Whatever security measures EE / BT have put in place are obviously inadequate. I highlighted this issue several years ago now and nothing has been done to rectify this blatant hole in security.

Daily I get many phishing attempts from scammers pretending to be EE on the phone offering me upgrades and incentives. I report these to 7726 but not everyone is as tech savvy as me, some are going to fall for it.

MFA should be a option for all who are security conscious. It creates a barrier for any potential hacker who has discovered my username and password without my knowledge. It also locks the account from anyone pretending to be me on the phone / in the shop attempting a SIM swap.

When I look at my security, it all starts with my Mobile and ISP accounts as this is such a key part of any system, along with email, banking, utility providers etc. These all need locking and the fact I cannot lock my EE/BT mobile and broadband accounts in this day and age is most annoying.

Kind Regards

Justin

PS: here is a nice little video showing how we are at risk - https://www.youtube.com/watch?v=lc7scxvKQOo&t=33s

PPS By the way what I am asking for is full MFA (Hard Token e.g. YubiKeys, Google Authenticator etc) not SMS text based where codes are sent to the mobile. This is easily hacked if they have access to your phone.

Re: Why hasn't EE enabled 2FA on MyEE accounts?

Funk — Sun, 01 Oct 2023 01:36:06 GMT

@James_B You're wrong - and the link you've posted doesn't even actually cover anything regarding site login security/protection. It's frankly not good enough. Perhaps you could ask some other folks with some actual security knowledge to take a look, hmm?

I work in IT and sell security solutions; the implementation of robust 2FA for ANY site/login is an absolute must. And for goodness' sake if EE ever decides to implement even basic site security please DO NOT make it SMS-based - it MUST be using a separate authenticator app (ideally one that us as users can choose) or a physical key (such as YubiKey etc).

Any site login should be protected with 2FA - please sort it out.

Edit: I see that @JustinUK understands the issue too, at least there's someone else in the room who realises the importance of this.

Re: Why hasn't EE enabled 2FA on MyEE accounts?

Funk — Tue, 03 Oct 2023 10:47:54 GMT

@James_B - James, please can you confirm that this has been escalated to a team with the knowledge and ability to take action on this?

Not having 2FA isn't acceptable when it comes to the security of login credentials. Even my SMARTY account has basic 2FA.

Re: Why hasn't EE enabled 2FA on MyEE accounts?

JustinUK — Tue, 03 Oct 2023 10:59:14 GMT

@Funk I would not hold your breath, I raised this issue with them back in March 2021 and they still have done nothing to implement this.

It is a disgrace.

https://community.ee.co.uk/t5/Security/2FA-Google-Authenticator-for-EE-log-in/m-p/1039989#M5634

Re: Why hasn't EE enabled 2FA on MyEE accounts?

Funk — Wed, 04 Oct 2023 16:37:33 GMT

I've made it an official complaint. I have very little confidence it'll make any difference but at least it's on record.

It shouldn't have to fall to customers to be requesting their mobile provider enables a fairly basic level of site security. IF my login credentials were somehow compromised, a threat actor would have access to my account which would allow them to get a copy of my bill which includes:

Name
Home address
EE account number
My mobile number

They would also have half of my bank account number and full sort code, the date of my DD and - somewhat incredibly - my date of birth (why is this even required to be visible on my EE account?).

That all of this is NOT adequately protected with 2FA is unconscionable. @James_B - it's all well and good saying "..we have strict security measures..." but you actually DON'T. If someone gains access to my account, they already have all of the above personally-identifiable information. I use a unique and lengthy password which is basic common sense, however many people don't; using the same email address and password across multiple sites is sadly still all-too-common amongst those who are not tech-savvy.

Why is this not being taken seriously? Can someone from EE please step up, admit it's not good enough and do something to sort it?

Re: Why hasn't EE enabled 2FA on MyEE accounts?

Funk — Mon, 09 Oct 2023 16:00:21 GMT

The silence is deafening.... 🙄

Re: Why hasn't EE enabled 2FA on MyEE accounts?

Funk — Thu, 12 Oct 2023 11:22:34 GMT

It'll be interesting to see what the outcome of the official complaint is. I've not heard anything yet - and to be honest I'm not holding my breath either.

Come on EE, be better.

Re: Why hasn't EE enabled 2FA on MyEE accounts?

Funk — Sun, 22 Oct 2023 12:28:46 GMT

It's been a couple of weeks now. Seems EE couldn't give a f*ck. Security concerns aren't going away.

Can ANYONE representing EE respond...?

Re: Why hasn't EE enabled 2FA on MyEE accounts?

Funk — Sun, 12 Nov 2023 12:44:42 GMT

Thanks EE.

Another month down the line; good to know you don't give a f**k.

Re: Why hasn't EE enabled 2FA on MyEE accounts?

Funk — Fri, 26 Jan 2024 08:54:50 GMT

Am still waiting for a response on this one, EE...

Re: Why hasn't EE enabled 2FA on MyEE accounts?

Funk — Sat, 27 Jan 2024 17:18:06 GMT

Here's what happens when you don't have 2FA enabled and rely solely on passwords:

https://www.theregister.com/2024/01/27/microsoft_cozy_bear_mfa/

Re: Why hasn't EE enabled 2FA on MyEE accounts?

Scottatsea — Fri, 02 Feb 2024 18:19:29 GMT

Still can't believe this has not been implemented nor any comms regarding this.

Re: Why hasn't EE enabled 2FA on MyEE accounts?

Funk — Thu, 08 Feb 2024 20:07:49 GMT

It's appalling. I hope it doesn't take a security breach for them to finally wake up and protect our data properly.

EE - this is p*ss-poor. F*cking sort it the **bleep** out.

Re: Why hasn't EE enabled 2FA on MyEE accounts?

Leanne_T — Fri, 09 Feb 2024 08:48:48 GMT

Hi @Funk

We have strict security measures in place to protect your account.

For full information please see our privacy policy here: https://ee.co.uk/eeprivacycentre/ee-privacy-policy

Leanne.

Re: Why hasn't EE enabled 2FA on MyEE accounts?

Scottatsea — Fri, 09 Feb 2024 10:08:00 GMT

Hi @Leanne_T many thanks for the reply.

I have seen a similar response a few times and to clarify it DOES NOT address the questions here. It does open more questions....you talk about encryption, is that at rest and / or in transit? What level is that encryption may I ask. The remainder looks like it's standard privacy / GDPR stuff. Can you confirm if 2FA / MFA is on the EE roadmap? If it is, then great, if not, read on please.

However none of the above addresses the issue in hand here. The processes you suggest are NOT enough. Your organisation really needs to look at modern attack methods and defend against them appropriately as other credible organisations - and many significantly smaller than EE currently do. 2FA or MFA really should be enabled quickly. If it is not, despite what is claimed in your response, you will be unconsciously exposing your organisation and your customers to unacceptable risk.

With respect, I find it something of a matter of wonder that this privacy policy (note the name, you should really be pointing us to a security policy) is repeatedly regurgitated in response, yet does not come close to the security that you imply. PLEASE ensure that those that make decisions are aware of this. If they really do not understand what the point is here, there is plenty of information available out there - and similarly, I would be happy to point your security team in the right direction if they were so inclined to have a conversation re this pressing issue.

Please do all you can to quickly escalate and ultimately resolve this. This is real and companies globally are hurriedly implementing this fundamental security feature. EE is a good network in my experience, this is a major achilles heel however that will be exploited competitively and probably (but hopefully not - although hope is not a robust defence) by those with malicious intent. I appreciate these forum conversations can descend into verbal turmoil quickly, I just hope you see this for what it is - a genuine cry for help and a friendly yet firm offer of globally accepted advice.

Re: Why hasn't EE enabled 2FA on MyEE accounts?

JustinUK — Fri, 09 Feb 2024 10:50:54 GMT

@Leanne_T

I initially raised this issue way back in March 2021, to date no Multi Factor Authentication options exist to log into your EE account creating a huge security flaw.

Peoples broadband and mobile phone is a goldmine for any bad actors out there, you keep regurgitating the same old Privacy Policy which is NOT related in any way to this security flaw.

I ask that you please take some steps to secure our online accounts, if requested by the customer to do so. Leaving accounts open to attack like this is just not acceptable in this day and age.

Original Post on this issue:
https://community.ee.co.uk/t5/Security/2FA-Google-Authenticator-for-EE-log-in/m-p/1039989#M5634

Re: Why hasn't EE enabled 2FA on MyEE accounts?

Funk — Sat, 10 Feb 2024 17:00:29 GMT

https://community.ee.co.uk/t5/Security/Why-hasn-t-EE-enabled-2FA-on-MyEE-accounts/m-p/1356508/highlight/true#M11118

You EE folks keep posting this but all it does is demonstrate that unfortunately you have no idea what you're talking about.

EE accounts are fundamentally insecure when protected by only an email address and password.

THIS IS NOT ACCEPTABLE.

Re: Why hasn't EE enabled 2FA on MyEE accounts?

Funk — Tue, 20 Feb 2024 13:03:46 GMT

@Leanne_T @James_B

Just to help make this all a little more real for you. THIS is why we need more security on our EE accounts (and NOT using SMS but a proper, separate 2FA app or key!):

https://www.theguardian.com/money/2024/feb/19/sim-swap-how-your-bank-account-can-be-emptied-by-phone

"Within a week, the fraudsters were able to bypass O2’s security checks. Once in control, they ordered an e-sim (a virtual, rather than physical, version of a sim card), which O2 sent as a QR code. Once activated, they had, in effect, taken over her number.

“I lost all O2 services around lunchtime, but thought that a mast was faulty in the area,” says Nevin. “I now know that the fraudsters – in effect using my phone – called my bank and were able to answer security questions, such as what town I was born in, which is on my passport, or my address, which is on my driving licence.

“They then got Barclays to send a one-time passcode to the phone. With that, the bank allowed them to transfer £2,400 from my savings into my current account, then make a payment of £3,500 to a Halifax bank account. This cleaned me out and took me to my overdraft limit.”"

This shows how easily fraudsters can piece together bits of information (many of which are publicly-available such as 'address') or may have been compromised in a previous hack/attack (such as town of birth/date of birth) to compromise phone and bank accounts. The rewards for a successful hack can be highly lucrative for fraudsters.

Now - will SOMEONE with half a brain at EE PLEASE make our account (and personal data security) a priority? Will it take a data breach or hack for you to do something about it?

O2 - offers 2FA for customer accounts

Vodafone - offers 2FA for customer accounts

Three - offers 2FA for customer accounts

GiffGaff - offers 2FA for customer accounts

Tesco Mobile - offers 2FA for customer accounts

Smarty - offers 2FA for customer accounts

............EE - thinks a 'privacy policy' page on their website = security and has no idea what 2FA is.