How safe is Egg on-line?

LesU

I'm starting to open new accounts in order to spread my savings around a lot more than previously. I had an old account on-line with Egg from back in 2002, which I thought I had closed, but kept receiving Egg card updates in e-mails, right up to 2007. I then asked them to close the account again, which they did, but they refused to close down my web access. I protested, but was told it was due to a requirement from the Data Protection Act. This is obviously rubbish, but I had no choice.
Today I saw that Egg was offering a decent savings account, so I thought I would try and get into Egg using my web access and open a new savings account. It was still working and I created a new account in less than 5 minutes. This is all very well, but it is the on-line security that concerns me.

If I had changed my ISP in those previous 5 years, I would not have been aware that my account and web access was still active, anyone could have hacked in and opened accounts in my name.

One reason I am worried about this is because the entry screen requirements are laughably lax. There is name and address details and mother's maiden name, all pretty easy to find. The password doesn't have to be a combination of letters and numbers and is typed in. There is no protection using drop down boxes to stop keyboard sniffers catching what you are typing.

Maybe we need a new criteria for assessing the banks and B.S's, which is the standard of access security. It's no good having a secure bank financially if your money has been removed fraudulently.

saveallmymoney

I like having the choice, egg is enough security to me. Some of my accounts i have to have the information written down because its impossible to remember, this negates all the security.

bjorn_again

LesU wrote: »

I'm starting to open new accounts in order to spread my savings around a lot more than previously. I had an old account on-line with Egg from back in 2002, which I thought I had closed, but kept receiving Egg card updates in e-mails, right up to 2007. I then asked them to close the account again, which they did, but they refused to close down my web access. I protested, but was told it was due to a requirement from the Data Protection Act. This is obviously rubbish, but I had no choice.
Today I saw that Egg was offering a decent savings account, so I thought I would try and get into Egg using my web access and open a new savings account. It was still working and I created a new account in less than 5 minutes. This is all very well, but it is the on-line security that concerns me.

If I had changed my ISP in those previous 5 years, I would not have been aware that my account and web access was still active, anyone could have hacked in and opened accounts in my name.

One reason I am worried about this is because the entry screen requirements are laughably lax. There is name and address details and mother's maiden name, all pretty easy to find. The password doesn't have to be a combination of letters and numbers and is typed in. There is no protection using drop down boxes to stop keyboard sniffers catching what you are typing.

Maybe we need a new criteria for assessing the banks and B.S's, which is the standard of access security. It's no good having a secure bank financially if your money has been removed fraudulently.

Somebody said yesterday that Nigeria was very safe.

dag_2

I take your concern about how lax the security details are, although, assuming someone doesn't get your password, I don't see how changing your ISP makes it any more vulnerable.

And just because there's a text field for entering the password, doesn't mean that typing it in is the only way of entering it. If you were really worried about keyboard sniffers, you could enter the password by copying and pasting each individual character in turn from somewhere else. Then again, I suppose that puts you at risk of clipboard sniffers ...! Then again, you could enter the characters in the password in a different order to how they actually appear in the password, and use the mouse to move to the right place in the password between each character.

My Egg login details are one of the few sets of details that I can actually remember, and which I don't have to write down. That said, I'm considering using KeePass or something similar, in order to allow me to strengthen all my passwords.

LesU

saveallmymoney wrote: »

I like having the choice, egg is enough security to me. Some of my accounts i have to have the information written down because its impossible to remember, this negates all the security.

I wasn't suggesting that more information was needed, just a more secure way of inputting it.
Exactly the same info could be put in using a drop down box, choosing random letters.
Equally you could choose a question, which might still be mother's maiden name, but it could be phrased as 'the answer to your chosen question'. Much more difficult to discover the answer that way.

LesU

dag wrote: »

I take your concern about how lax the security details are, although, assuming someone doesn't get your password, I don't see how changing your ISP makes it any more vulnerable.

Any changes on the Egg system regarding who I am and my logon password are automatically sent out as an advisory email to my last known email address. Which of course I wouldn't have received if I had changed to a new ISP.

noh

LesU wrote: »

Any changes on the Egg system regarding who I am and my logon password are automatically sent out as an advisory email to my last known email address. Which of course I wouldn't have received if I had changed to a new ISP.

Not strictly true.
To avoid complication i always keep the same email address independent of ISP.
Even if you do change email address it's your responsibility to update your contact details, this applies to all online accounts, not just egg.

Nigel

dag_2

Any changes on the Egg system regarding who I am and my logon password are automatically sent out as an advisory email to my last known email address. Which of course I wouldn't have received if I had changed to a new ISP.

Ah I see. Yeah, that could be a problem. Also, if you change your ISP and your old ISP removes your old email address, sometimes it's possible for new customers of your old ISP to take your old email address - meaning that not only will you not have received the notification, but there's a possibility that someone else will. Also - said "new customer" of old ISP might actually have only signed up for a no-fee 0845-number registration with completely bogus name and address details.

Presumably they don't send out that actual password, though? But I realise that's not the point of them emailing you. The point is that you are notified if someone else gets into your account and changes the password in an attempt to lock you out of it.

I can see that if you can't get them to disable the login that enables you to create new accounts in your name, it could certainly be a problem.

But if you can't get them to disable it, then perhaps the next best thing is to change the name and address on the login to a completely bogus name and address, so that your real name and address is no longer on the account.

On second thoughts: Although they seem to let you change the address fairly easily, it's a bit harder to change your name. And changing your date of birth seems to be very difficult indeed!

Surely this can't be the first time anyone has ever tried to shut down an internet banking login? How do you go about doing it?

web_ferret

As long as you have updated your computer and have a DECENT antivirus you will be fine. I do all my banking online with several providers.
Its now in the small print of a lot of web banks that if you don't have an up to date operating system and a decent security software then if anything happens you are not covered.

A^S

LesU wrote: »

I wasn't suggesting that more information was needed, just a more secure way of inputting it.
Exactly the same info could be put in using a drop down box, choosing random letters.
Equally you could choose a question, which might still be mother's maiden name, but it could be phrased as 'the answer to your chosen question'. Much more difficult to discover the answer that way.

Egg did have drop down boxes for date of birth at one point. Don't know why they changed back. Drop down boxes for every part of the password would drive me mad.

You do not have to actually use your mother's real maiden name to answer that question though do you ? so long as you remember what you have chosen it can be anything.

It is a difficult line to draw. As other's have said, the complex logon ids for some other sites can't be remembered and I have them written down - which seems less secure.

LesU

Interestingly, Cahoot, who I also bank with, went the other way. At the start they used a typed in word and then switched to using 2 random letters from the word, using drop down boxes.
Over the years I have banked with many online savings providers IF, B.Midshires, B&B to name a few. Egg has been the only provider that insisted that I keep open access even though I was no longer a customer. As I now have an account again, perhaps that is what that approach is supposed to encourage. Once a customer always a (potential) customer.