
Why hasn't EE enabled 2FA on MyEE accounts?

Funk
Established Contributor

I see several years-old posts asking about 2FA - why hasn't this been implemented yet?  A simple username/password combo is NOT good enough.

Come on EE - this is 'security 101' stuff.

23 REPLIES
James_B
EE Community Support Team

Hi @Funk,

We have strict security measures in place to protect your account. You can view our privacy policy here: https://ee.co.uk/eeprivacycentre/ee-privacy-policy

James

JustinUK
Established Contributor

James,

Whatever security measures EE / BT have put in place are obviously inadequate. I highlighted this issue several years ago now and nothing has been done to rectify this blatant hole in security.

Daily I get many phishing attempts from scammers pretending to be EE on the phone offering me upgrades and incentives. I report these to 7726 but not everyone is as tech savvy as me, some are going to fall for it.

MFA should be an option for all who are security conscious. It creates a barrier for any potential hacker who has discovered my username and password without my knowledge. It also locks the account from anyone pretending to be me on the phone / in the shop attempting a SIM swap.

When I look at my security, it all starts with my Mobile and ISP accounts as this is such a key part of any system, along with email, banking, utility providers etc. These all need locking and the fact I cannot lock my EE/BT mobile and broadband accounts in this day and age is most annoying.

Kind Regards

Justin

PS: here is a nice little video showing how we are at risk - https://www.youtube.com/watch?v=lc7scxvKQOo&t=33s

PPS: By the way, what I am asking for is full MFA (hard token, e.g. YubiKeys, Google Authenticator etc.), not SMS text-based where codes are sent to the mobile. This is easily hacked if they have access to your phone.

Funk
Established Contributor

@James_B You're wrong - and the link you've posted doesn't even actually cover anything regarding site login security/protection. It's frankly not good enough.  Perhaps you could ask some other folks with some actual security knowledge to take a look, hmm?

I work in IT and sell security solutions; the implementation of robust 2FA for ANY site/login is an absolute must.  And for goodness' sake if EE ever decides to implement even basic site security please DO NOT make it SMS-based - it MUST be using a separate authenticator app (ideally one that we as users can choose) or a physical key (such as YubiKey etc).

Any site login should be protected with 2FA - please sort it out.

 

Edit: I see that @JustinUK understands the issue too, at least there's someone else in the room who realises the importance of this.

Funk
Established Contributor

@James_B  - James, please can you confirm that this has been escalated to a team with the knowledge and ability to take action on this?

Not having 2FA isn't acceptable when it comes to the security of login credentials.  Even my SMARTY account has basic 2FA.

JustinUK
Established Contributor

@Funk I would not hold your breath, I raised this issue with them back in March 2021 and they still have done nothing to implement this.

It is a disgrace.

https://community.ee.co.uk/t5/Security/2FA-Google-Authenticator-for-EE-log-in/m-p/1039989#M5634

Funk
Established Contributor

I've made it an official complaint.  I have very little confidence it'll make any difference but at least it's on record.

It shouldn't have to fall to customers to be requesting their mobile provider enables a fairly basic level of site security.  IF my login credentials were somehow compromised, a threat actor would have access to my account which would allow them to get a copy of my bill which includes:

  • Name
  • Home address
  • EE account number
  • My mobile number

They would also have half of my bank account number and full sort code, the date of my DD and - somewhat incredibly - my date of birth (why is this even required to be visible on my EE account?).

That all of this is NOT adequately protected with 2FA is unconscionable.  @James_B - it's all well and good saying "..we have strict security measures..." but you actually DON'T.  If someone gains access to my account, they already have all of the above personally-identifiable information.  I use a unique and lengthy password which is basic common sense, however many people don't; using the same email address and password across multiple sites is sadly still all-too-common amongst those who are not tech-savvy.

Why is this not being taken seriously?  Can someone from EE please step up, admit it's not good enough and do something to sort it?

Funk
Established Contributor

The silence is deafening.... 🙄

Funk
Established Contributor

It'll be interesting to see what the outcome of the official complaint is.  I've not heard anything yet - and to be honest I'm not holding my breath either.

 

Come on EE, be better.

Funk
Established Contributor

It's been a couple of weeks now. Seems EE couldn't give a f*ck.  Security concerns aren't going away.

Can ANYONE representing EE respond...?