Two-factor authentication using an EE mobile number is flawed

jamesmacwhite
Established Contributor

Hi,

I think there have been similar posts around EE's two-factor authentication (or the lack of it) until more recently. I'd like to share a story of my own making, whereby using the EE mobile number on the account as the sole two-factor method has flaws and a lockout scenario which I'm probably not the only one to have hit.

First of all, having some form of 2FA option is good, and supporting passkeys is a great step forward, so progress! The use of SMS is generally known as a weaker 2FA option, however, and having this as the only option currently can be dangerous. The scenario I want to highlight is: what if your EE mobile number being used as said 2FA option is unavailable, e.g. the handset is broken, or you did what I did and got your SIM locked out, requiring a PUK code? There is a self-service option for obtaining a PUK code for your SIM through your EE account, but this is only available through My EE on the website, not the mobile app. Because of locking out the EE number, I could not use this option, as trying to log in would require a one-time PIN sent to the number... which has the SIM locked. I did have the My EE app logged in and available, but the PUK option is not available in the mobile app.

For context, I migrated to an eSIM, which all went fine. I then wanted to re-enable the PIN I had set on my physical SIM. In my head the default SIM PIN is 0000 or 1234; it turns out it is 1111, but I used up the three guesses thinking one of the first two was correct and I had just keyed it in incorrectly. Nope, I was wrong, which is entirely my fault of course. The issue was further compounded by the fact that I did this late at night, after EE support was no longer available, so I had my SIM locked for a good 11-12 hours. Of course, EE phone support were more than happy to help and got me sorted, but this does show the importance of offering multi-factor options, ideally supporting authenticator apps or password managers, e.g. Microsoft Authenticator, Google Authenticator, Authy, 1Password and maybe others, where you have a TOTP secret stored to generate one-time passcodes at any time, regardless of an internet connection or even a mobile data connection.

Please consider implementing additional 2FA options for My EE logins. SMS security has limitations generally, but you can also potentially get account holders locked out by binding this to the primary EE account mobile number as well!


4 REPLIES
Christopher_G
EE Community Support Team

Hi @jamesmacwhite 

Welcome to the community.

Thank you for sharing your experience and suggestions. I'll pass them over to the relevant team for them to consider.

Chris

jamesmacwhite
Established Contributor

Hi Chris,

I would like to reiterate the point quite firmly. Because not long after this post, I've just had a family member who is also on EE have their EE account hijacked, and the unknown person who managed to gain access to their EE account successfully convinced EE customer support to process a PAC request to port the number away from EE. As of 4th April, the number has now been bound to Lyca Mobile, and another EE representative is now having to deal with getting that number back from the other network, which obviously takes time. In addition, because this number has fallen out of the control of the account holder, their online banking account information was successfully reset, because the mobile number had all calls and SMS redirected to the attacker. The harsh reality is this request should not have happened in the first place given the prior warnings. Granted, there were missed opportunities from the account holder to potentially prevent this too, but EE share some responsibility in my view.

The summary is that there has been unusual activity on the account since early January; in early March the account holder flagged these issues and "notes" were added to the account to highlight this, but it wasn't stopped. The main attack was done on 4th April, just under a month after these warnings were given. EE is equally responsible for not doing enough to stop this. When the number is back with EE and assigned to the correct SIM again, I will be going through a Data Subject Access Request (DSAR) for the account details to see exactly what "notes" were made, but it isn't good enough frankly. While I cannot fault the support representatives dealing with the case currently, both the account holder's bank and I (being in the industry of web and digital security) do have to highlight EE's failure here. We have a pretty good timeline of the events after going through various emails and SMS communications.

EE should know the dangers of SIM/PAC request attacks, and relying on SMS for two-factor authentication is irresponsible. You also need to have more robust measures in place for high-risk scenarios like number porting; if there are any, they clearly failed here. Ultimately this type of attack exploits human factors, i.e. social engineering, which we are all vulnerable to and which can happen to anyone. EE is not alone, but given how many digital accounts are bound to a mobile number for one reason or another, your responsibility for better security in this area is absolutely vital for both yourselves and your customers.


@jamesmacwhite Can I ask one question? You say this:

“ The summary is there has been unusual activity on the account since early January, but early March the account holder flagged these issues and "notes" were added to the account to highlight this, but it hasn't been stopped”


My question:

After this, was the account password changed to something stronger? Because if there is unusual activity on the account, the scammer already has access to the account, and nothing was done to block that access. Scammers also don't hang around once they have access; it's get it done ASAP before you can do something about it.

I'm not defending EE, I'm asking: was the account password changed to something stronger? You don't say.

To contact EE Customer Services dial 150 From your EE mobile or 0800 956 6000 from any other phone.
jamesmacwhite
Established Contributor

Hi Chris

Being transparent, I don't believe so. I don't know the exact conversation when they flagged it with EE (6th March) and whether EE advised changing the password etc., so that is the missed opportunity highlighted in the above reply, and that is on the account holder's side, no doubt. I fully acknowledge this is one of the opportunities where it could have been prevented, and it wasn't admittedly, but EE equally shouldn't have processed a PAC request either, especially having been notified in advance of unusual activity. As we know, security is about layers; it is not a case of "if" but when, and I feel that given this prior knowledge this isn't great.

Without revealing too much information, there is evidence of unauthorised access going back to the 30th January. While hackers/scammers indeed move on very quickly, we have evidence (and so will EE) of unauthorised access dating back to this period. The key dates are 30th January, 6th March and finally 3rd April (the PAC request is processed), and then on 4th April control of the mobile number is lost, with collateral damage to other accounts: by having control of the number and receiving one-time passcodes, the attacker could leverage it to bypass existing passwords and just reset details.

Like I said, I have been through the timeline of events and seen various emails, SMS etc., so I can build a picture of what's happened: it is a combination of the EE account getting compromised, likely by the password being breached from another service, i.e. credential stuffing. No phishing or social engineering has been done on the account holder. EE will have the timeline as well. I'll be providing the full details to them, as I still think there is some responsibility on their side to acknowledge here. Ultimately, I'm purely interested in preventing it happening to others; I'm not after blaming anyone specifically either, more reviewing what happened, what could have been done and learning from it. This story is one of many, but the last line of defence was EE itself, and that was the final failure in the chain.
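The second and fourth posts in this thread describe a PAC request being processed weeks after an unusual-activity note was added to the account, and then the ported number being used to receive banking one-time codes. As an added example that is not from the original thread or from EE, the following sketches the kind of risk gate a carrier could put in front of a port-out request: an open unusual-activity note holds the request for fraud review, a recent high-risk account change requires step-up verification through a channel that does not depend on the number being ported (SMS to that number is deliberately not an acceptable step-up), and only a quiet account proceeds normally. The policy rules, lookback window, event names and the sample timeline are all constructed for illustration; the timeline mirrors the dates given in the thread (30th January, 6th March, 3rd April) with an arbitrary year, and the number is from the Ofcom-reserved 07700 900xxx drama range.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import List

# Event kinds are hypothetical labels for this example, not a real carrier's schema.
HIGH_RISK_KINDS = {"login_new_device", "password_reset", "contact_change", "email_change"}
# Step-up channels that still work when the number itself is the asset under attack.
ACCEPTABLE_STEP_UP = {"in_store_id", "totp", "registered_alt_contact_callback"}


@dataclass
class Event:
    when: date
    kind: str
    detail: str = ""


@dataclass
class Account:
    msisdn: str
    events: List[Event] = field(default_factory=list)


@dataclass
class Decision:
    action: str            # "deny" (hold for fraud review), "step_up", or "allow"
    reasons: List[str]
    step_up_channels: List[str] = field(default_factory=list)


def assess_port_out(account: Account, requested_on: date, lookback_days: int = 90) -> Decision:
    """Risk-gate a PAC/port-out request against the account's recent history.

    Hypothetical policy:
      1. Any unresolved fraud/unusual-activity note -> deny automatic processing, route to fraud team.
      2. Any high-risk change inside the lookback window -> require step-up on an independent channel.
      3. Otherwise -> allow under the normal process.
    """
    cutoff = requested_on - timedelta(days=lookback_days)
    in_scope = [e for e in account.events if e.when <= requested_on]

    notes = [e for e in in_scope if e.kind == "fraud_note"]
    if notes:
        latest = max(notes, key=lambda e: e.when)
        return Decision(
            action="deny",
            reasons=[f"unresolved unusual-activity note dated {latest.when.isoformat()}: {latest.detail}"],
        )

    risky = [e for e in in_scope if e.kind in HIGH_RISK_KINDS and e.when >= cutoff]
    if risky:
        reasons = [f"{e.kind} on {e.when.isoformat()} within {lookback_days}-day window" for e in risky]
        # SMS to the MSISDN is excluded on purpose: it is the channel the attacker is trying to take over.
        return Decision(action="step_up", reasons=reasons, step_up_channels=sorted(ACCEPTABLE_STEP_UP))

    return Decision(action="allow", reasons=["no risk signals in lookback window"])


def build_example_account() -> Account:
    """Constructed timeline loosely following the thread's dates (year is arbitrary)."""
    return Account(
        msisdn="07700900123",
        events=[
            Event(date(2025, 1, 30), "login_new_device", "login from unrecognised device"),
            Event(date(2025, 3, 6), "fraud_note", "customer reported unusual account activity"),
        ],
    )


if __name__ == "__main__":
    d = assess_port_out(build_example_account(), date(2025, 4, 3))
    print(d.action, "-", "; ".join(d.reasons))
```

Two design points worth noting. First, the note check does not expire with the lookback window: a note that a customer has reported unusual activity should block high-risk actions until someone closes it, which is the gap the thread describes. Second, the step-up channel list is chosen so that a successful SIM swap or port-out does not itself satisfy the check; the same reasoning applies to any downstream service (banking included) that lets a mobile number alone authorise a password reset.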