
Why hasn't EE enabled 2FA on MyEE accounts?

Funk
Established Contributor

I see several years-old posts asking about 2FA - why hasn't this been implemented yet?  A simple username/password combo is NOT good enough.

Come on EE - this is 'security 101' stuff.

24 REPLIES
Funk
Established Contributor

Thanks EE.

Another month down the line; good to know you don't give a f**k.

Funk
Established Contributor

Am still waiting for a response on this one, EE...

Funk
Established Contributor

Here's what happens when you don't have 2FA enabled and rely solely on passwords:

https://www.theregister.com/2024/01/27/microsoft_cozy_bear_mfa/

Scottatsea
Investigator

Still can't believe this has not been implemented nor any comms regarding this.

Funk
Established Contributor

It's appalling. I hope it doesn't take a security breach for them to finally wake up and protect our data properly.

EE - this is p*ss-poor.  F*cking sort it the **bleep** out.

Leanne_T
EE Community Support Team

Hi @Funk 

We have strict security measures in place to protect your account.

For full information please see our privacy policy here: https://ee.co.uk/eeprivacycentre/ee-privacy-policy

Leanne.

Hi @Leanne_T many thanks for the reply.

I have seen a similar response a few times and to clarify it DOES NOT address the questions here. It does open more questions... you talk about encryption, is that at rest and/or in transit? What level is that encryption, may I ask? The remainder looks like it's standard privacy / GDPR stuff. Can you confirm if 2FA / MFA is on the EE roadmap? If it is, then great, if not, read on please.

However, none of the above addresses the issue in hand here. The processes you suggest are NOT enough. Your organisation really needs to look at modern attack methods and defend against them appropriately, as other credible organisations - and many significantly smaller than EE - currently do. 2FA or MFA really should be enabled quickly. If it is not, despite what is claimed in your response, you will be unconsciously exposing your organisation and your customers to unacceptable risk.

With respect, I find it something of a matter of wonder that this privacy policy (note the name, you should really be pointing us to a security policy) is repeatedly regurgitated in response, yet does not come close to the security that you imply. PLEASE ensure that those that make decisions are aware of this. If they really do not understand what the point is here, there is plenty of information available out there - and similarly, I would be happy to point your security team in the right direction if they were so inclined to have a conversation re this pressing issue.


Please do all you can to quickly escalate and ultimately resolve this. This is real and companies globally are hurriedly implementing this fundamental security feature. EE is a good network in my experience; this is a major Achilles heel, however, that will be exploited competitively and probably (but hopefully not - although hope is not a robust defence) by those with malicious intent. I appreciate these forum conversations can descend into verbal turmoil quickly, I just hope you see this for what it is - a genuine cry for help and a friendly yet firm offer of globally accepted advice.

JustinUK
Established Contributor

@Leanne_T 

I initially raised this issue way back in March 2021; to date, no Multi-Factor Authentication options exist to log into your EE account, creating a huge security flaw.

People's broadband and mobile phone is a goldmine for any bad actors out there; you keep regurgitating the same old Privacy Policy, which is NOT related in any way to this security flaw.

I ask that you please take some steps to secure our online accounts, if requested by the customer to do so. Leaving accounts open to attack like this is just not acceptable in this day and age.

Original Post on this issue:
https://community.ee.co.uk/t5/Security/2FA-Google-Authenticator-for-EE-log-in/m-p/1039989#M5634

Funk
Established Contributor

https://community.ee.co.uk/t5/Security/Why-hasn-t-EE-enabled-2FA-on-MyEE-accounts/m-p/1356508/highli...

You EE folks keep posting this but all it does is demonstrate that unfortunately you have no idea what you're talking about.

EE accounts are fundamentally insecure when protected by only an email address and password.

THIS IS NOT ACCEPTABLE.

Funk
Established Contributor

@Leanne_T @James_B 

Just to help make this all a little more real for you.  THIS is why we need more security on our EE accounts (and NOT using SMS but a proper, separate 2FA app or key!):

https://www.theguardian.com/money/2024/feb/19/sim-swap-how-your-bank-account-can-be-emptied-by-phone

"Within a week, the fraudsters were able to bypass O2’s security checks. Once in control, they ordered an e-sim (a virtual, rather than physical, version of a sim card), which O2 sent as a QR code. Once activated, they had, in effect, taken over her number.  

“I lost all O2 services around lunchtime, but thought that a mast was faulty in the area,” says Nevin. “I now know that the fraudsters – in effect using my phone – called my bank and were able to answer security questions, such as what town I was born in, which is on my passport, or my address, which is on my driving licence.

“They then got Barclays to send a one-time passcode to the phone. With that, the bank allowed them to transfer £2,400 from my savings into my current account, then make a payment of £3,500 to a Halifax bank account. This cleaned me out and took me to my overdraft limit.”"

This shows how easily fraudsters can piece together bits of information (many of which are publicly-available such as 'address') or may have been compromised in a previous hack/attack (such as town of birth/date of birth) to compromise phone and bank accounts. The rewards for a successful hack can be highly lucrative for fraudsters.

Now - will SOMEONE with half a brain at EE PLEASE make our account (and personal data security) a priority?  Will it take a data breach or hack for you to do something about it?

O2 - offers 2FA for customer accounts

Vodafone - offers 2FA for customer accounts

Three - offers 2FA for customer accounts

GiffGaff - offers 2FA for customer accounts

Tesco Mobile - offers 2FA for customer accounts

Smarty - offers 2FA for customer accounts

............EE - thinks a 'privacy policy' page on their website = security and has no idea what 2FA is.